From 042b4394229e265b252f5ce58efa32abb2dec746 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Danilo=20Je=C5=A1i=C4=87?= <34022788+djesic@users.noreply.github.com> Date: Mon, 17 Jul 2023 12:14:18 +0200 Subject: [PATCH 1/4] Sanitize CI --- frontend/js/ci.js | 18 +++++++++--------- frontend/js/helpers/main.js | 12 ++++++++++++ frontend/js/index.js | 2 +- 3 files changed, 22 insertions(+), 10 deletions(-) diff --git a/frontend/js/ci.js b/frontend/js/ci.js index 5411bba60..da81f62ef 100644 --- a/frontend/js/ci.js +++ b/frontend/js/ci.js @@ -254,13 +254,13 @@ const displayCITable = (runs, url_params) => { const label = el[4] const duration = el[7] - li_node.innerHTML = `${value}\ - ${label}\ - ${run_link_node}\ - ${dateToYMD(new Date(created_at))}\ - ${short_hash}\ - ${cpu}\ - ${duration} seconds`; + li_node.innerHTML = `${sanitize(value)}\ + ${sanitize(label)}\ + ${sanitize(run_link_node)}\ + ${dateToYMD(new Date(sanitize(created_at)))}\ + ${sanitize(short_hash)}\ + ${sanitize(cpu)}\ + ${sanitize(duration)} seconds`; document.querySelector("#ci-table").appendChild(li_node); }); $('table').tablesort(); @@ -326,8 +326,8 @@ $(document).ready((e) => { //${repo_link} const repo_link_node = `${url_params.get('repo')}` document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `Repository:${repo_link_node}`) - document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `Branch:${url_params.get('branch')}`) - document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `Workflow:${url_params.get('workflow')}`) + document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `Branch:${sanitize(url_params.get('branch'))}`) + document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `Workflow:${sanitize(url_params.get('workflow'))}`) displayCITable(badges_data.data, url_params); chart_instance = displayGraph(badges_data.data) diff --git a/frontend/js/helpers/main.js b/frontend/js/helpers/main.js index 6100db7de..80853c8d3 100644 
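Review bot: `${sanitize(run_link_node)}` in the new innerHTML template escapes a value that, judging by its name and by the way it is assembled a few lines above this hunk from `run_link` and `run_id`, is itself an HTML anchor fragment, so the run link would now render as literal markup text instead of a link; escape the untrusted parts (`run_id` and the href) where `run_link_node` is built and interpolate it unescaped here, `${run_link_node}`. In the same template, `dateToYMD(new Date(sanitize(created_at)))` escapes the Date input rather than the string that reaches the DOM; `${sanitize(dateToYMD(new Date(created_at)))}` escapes the right thing. The `sanitize` helper introduced in this commit calls `.replace` on its argument, so if cells such as `duration` (el[7]) or `value` arrive as numbers rather than strings these calls throw a TypeError and the row is never appended — coerce in the helper or at the call site. displayCITable starts before this hunk.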
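Review bot: `sanitize(url_params.get('branch'))` and `sanitize(url_params.get('workflow'))` on the two changed lines throw a TypeError when the query parameter is absent, because `URLSearchParams.get` returns null and the helper calls `.replace` on it; before this commit the page rendered the text "null" and carried on. An unhandled throw here aborts the rest of the ready handler, so the table and chart set up on the following lines never render. Default the value at the call site, `sanitize(url_params.get('branch') ?? '')`, or have the helper coerce with `String()` so every query-string caller is covered. The enclosing `$(document).ready` callback starts outside this hunk.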
--- a/frontend/js/helpers/main.js +++ b/frontend/js/helpers/main.js @@ -32,6 +32,18 @@ class GMTMenu extends HTMLElement { } customElements.define('gmt-menu', GMTMenu); +function sanitize(string) { + const map = { + '&': '&', + '<': '<', + '>': '>', + '"': '"', + "'": ''' + }; + const reg = /[&<>"']/ig; + return string.replace(reg, (match) => map[match]); + } + const replaceRepoIcon = (uri) => { if (uri.startsWith("https://www.github.com") || uri.startsWith("https://github.com")) { uri = uri.replace("https://www.github.com", ''); diff --git a/frontend/js/index.js b/frontend/js/index.js index 1ddaf0a8e..3f5cea25a 100644 --- a/frontend/js/index.js +++ b/frontend/js/index.js @@ -5,7 +5,7 @@ const compareButton = () => { checkedBoxes.forEach(checkbox => { link = `${link}${checkbox.value},`; }); - window.location = link.substr(0,link.length-1); + window.location = encodeURIComponent(link.substr(0, link.length - 1)); } const updateCompareCount = () => { const countButton = document.getElementById('compare-button'); From a9eefde49ff16519715781ab046cdb7d09d0549c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Danilo=20Je=C5=A1i=C4=87?= <34022788+djesic@users.noreply.github.com> Date: Mon, 17 Jul 2023 12:25:22 +0200 Subject: [PATCH 2/4] Sanitize repo --- frontend/js/ci.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/frontend/js/ci.js b/frontend/js/ci.js index da81f62ef..82270a6e5 100644 --- a/frontend/js/ci.js +++ b/frontend/js/ci.js @@ -318,10 +318,10 @@ $(document).ready((e) => { let repo_link = '' if(badges_data.data[0][8] == 'github') { - repo_link = `https://github.com/${url_params.get('repo')}`; + repo_link = `https://github.com/${sanitize(url_params.get('repo'))}`; } else if(badges_data.data[0][8] == 'gitlab') { - repo_link = `https://gitlab.com/${url_params.get('repo')}`; + repo_link = `https://gitlab.com/${sanitize(url_params.get('repo'))}`; } //${repo_link} const repo_link_node = `${url_params.get('repo')}` 
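Review bot: `return string.replace(reg, (match) => map[match]);` assumes a string argument, but the call sites added in this commit pass `URLSearchParams.get()` results (null when the parameter is missing) and table cells that may be numbers, and those inputs make the helper throw instead of escape; `return String(string ?? '').replace(reg, (match) => map[match]);` gives identical output for strings and degrades safely otherwise. The `i` flag on `/[&<>"']/ig` has no effect on a class of punctuation characters and can be dropped. As rendered on this page the map values look identical to their keys (`'&': '&'`); that is presumably the page decoding `&amp;`, `&lt;` and friends, but it is worth confirming the committed file contains the entity text, since identity replacements would make the helper a no-op. A short contract comment would also stop callers over-trusting the name: `// HTML-escape for text nodes and quoted attribute values only; not a URL or JS-context encoder.`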
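Review bot: `window.location = encodeURIComponent(link.substr(0, link.length - 1));` percent-encodes the whole target, including `/`, `?`, `=` and `,`, so the browser navigates to a relative path made of one opaque encoded string rather than to the compare URL; encoding belongs on the individual untrusted pieces, not on the assembled URL. Wrap `checkbox.value` in `encodeURIComponent(...)` on the existing `link = ...` line inside the forEach, and assign the trimmed link unchanged, `window.location = link.substr(0, link.length - 1);`. compareButton begins, and `link` is initialised, before this hunk, so the base part of the URL is not visible here.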
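Review bot: HTML escaping is the wrong primitive for a value spliced into a URL path — `sanitize(url_params.get('repo'))` on the two changed lines neutralises `<>&"'` but leaves `?`, `#`, `%`, `..` and whitespace untouched, so `repo_link` can still be an arbitrary github.com or gitlab.com URL chosen by whoever crafted the page link. A repository slug has a constrained shape, so validate it once before the links are built, `if (!/^[\w.-]+(\/[\w.-]+)+$/.test(repo)) return;` (the repeated group allows GitLab subgroup paths), after which it needs no escaping in the href; keep HTML escaping for the places where the value is rendered as text. The enclosing `$(document).ready` callback starts outside this hunk.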
From 2752848441a843f1ca49e8e87465998568b9f4bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Danilo=20Je=C5=A1i=C4=87?= <34022788+djesic@users.noreply.github.com> Date: Tue, 18 Jul 2023 10:03:58 +0200 Subject: [PATCH 3/4] Sanitize renamed to escapeString --- frontend/js/ci.js | 28 ++++++++++++++-------------- frontend/js/helpers/main.js | 2 +- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/frontend/js/ci.js b/frontend/js/ci.js index 82270a6e5..b2cd13ea9 100644 --- a/frontend/js/ci.js +++ b/frontend/js/ci.js @@ -241,10 +241,10 @@ const displayCITable = (runs, url_params) => { var run_link = '' if(source == 'github') { - run_link = `https://github.com/${url_params.get('repo')}/actions/runs/${run_id}`; + run_link = `https://github.com/${escapeString(url_params.get('repo'))}/actions/runs/${run_id}`; } else if (source == 'gitlab') { - run_link = `https://gitlab.com/${url_params.get('repo')}/-/pipelines/${run_id}` + run_link = `https://gitlab.com/${escapeString(url_params.get('repo'))}/-/pipelines/${run_id}` } const run_link_node = `${run_id}` @@ -254,13 +254,13 @@ const displayCITable = (runs, url_params) => { const label = el[4] const duration = el[7] - li_node.innerHTML = `${sanitize(value)}\ - ${sanitize(label)}\ - ${sanitize(run_link_node)}\ - ${dateToYMD(new Date(sanitize(created_at)))}\ - ${sanitize(short_hash)}\ - ${sanitize(cpu)}\ - ${sanitize(duration)} seconds`; + li_node.innerHTML = `${escapeString(value)}\ + ${escapeString(label)}\ + ${escapeString(run_link_node)}\ + ${dateToYMD(new Date(escapeString(created_at)))}\ + ${escapeString(short_hash)}\ + ${escapeString(cpu)}\ + ${escapeString(duration)} seconds`; document.querySelector("#ci-table").appendChild(li_node); }); $('table').tablesort(); 
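Review bot: `run_id` is interpolated raw into both href templates on the changed lines while `repo` on the same lines is now escaped, so the value from the data row reaches the attribute without any treatment; for consistency encode it for the URL context, `${encodeURIComponent(run_id)}`, or check it is numeric before building the link. If run ids are server-assigned integers this is only defence in depth, but the rows come from `badges_data`, which nothing in this code validates. Note also that `run_link_node`, assembled from these links on the last line of the hunk, is passed through `escapeString` in the following hunk, so whatever escaping its parts need must be applied here rather than there, otherwise the anchor markup itself is escaped. displayCITable starts before this hunk.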
@@ -318,16 +318,16 @@ $(document).ready((e) => { let repo_link = '' if(badges_data.data[0][8] == 'github') { - repo_link = `https://github.com/${sanitize(url_params.get('repo'))}`; + repo_link = `https://github.com/${escapeString(url_params.get('repo'))}`; } else if(badges_data.data[0][8] == 'gitlab') { - repo_link = `https://gitlab.com/${sanitize(url_params.get('repo'))}`; + repo_link = `https://gitlab.com/${escapeString(url_params.get('repo'))}`; } //${repo_link} - const repo_link_node = `${url_params.get('repo')}` + const repo_link_node = `${escapeString(url_params.get('repo'))}` document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `Repository:${repo_link_node}`) - document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `Branch:${sanitize(url_params.get('branch'))}`) - document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `Workflow:${sanitize(url_params.get('workflow'))}`) + document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `Branch:${escapeString(url_params.get('branch'))}`) + document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `Workflow:${escapeString(url_params.get('workflow'))}`) displayCITable(badges_data.data, url_params); chart_instance = displayGraph(badges_data.data) diff --git a/frontend/js/helpers/main.js b/frontend/js/helpers/main.js index 80853c8d3..84029f89b 100644 --- a/frontend/js/helpers/main.js +++ b/frontend/js/helpers/main.js @@ -32,7 +32,7 @@ class GMTMenu extends HTMLElement { } customElements.define('gmt-menu', GMTMenu); -function sanitize(string) { +function escapeString(string) { const map = { '&': '&', '<': '<', From a4c78401301326be995d6ae98e3f414b72921188 Mon Sep 17 00:00:00 2001 From: dan-mm Date: Tue, 18 Jul 2023 11:54:36 +0200 Subject: [PATCH 4/4] fix pr workflow --- .github/workflows/tests-vm-pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/tests-vm-pr.yml b/.github/workflows/tests-vm-pr.yml index 82d03f304..0d859c465 100644 --- a/.github/workflows/tests-vm-pr.yml +++ b/.github/workflows/tests-vm-pr.yml @@ -17,7 +17,7 @@ jobs: submodules: 'true' - name: Eco CI Energy Estimation - Initialize - uses: green-coding-berlin/eco-ci-energy-estimation@v1 + uses: green-coding-berlin/eco-ci-energy-estimation@v2 with: task: start-measurement