From 20ac9253cf94ebda558aa110e46476f395226f7f Mon Sep 17 00:00:00 2001 From: Didi Hoffmann Date: Thu, 3 Aug 2023 15:48:47 +0200 Subject: [PATCH 1/2] Fixes the github security errors --- frontend/js/ci.js | 32 ++++++++++++++++---------------- frontend/js/helpers/main.js | 22 ++++++++++++---------- 2 files changed, 28 insertions(+), 26 deletions(-) diff --git a/frontend/js/ci.js b/frontend/js/ci.js index 2ad6829de..90a904cc7 100644 --- a/frontend/js/ci.js +++ b/frontend/js/ci.js @@ -171,7 +171,7 @@ const getChartOptions = (runs, chart_element) => { const displayGraph = (runs) => { const element = createChartContainer("#chart-container", "run-energy", runs); - + const options = getChartOptions(runs, element); const chart_instance = echarts.init(element); @@ -241,26 +241,26 @@ const displayCITable = (runs, url_params) => { var run_link = '' if(source == 'github') { - run_link = `https://github.com/${url_params.get('repo')}/actions/runs/${run_id}`; + run_link = `https://github.com/${escapeString(url_params.get('repo'))}/actions/runs/${escapeString(run_id)}`; } else if (source == 'gitlab') { - run_link = `https://gitlab.com/${url_params.get('repo')}/-/pipelines/${run_id}` + run_link = `https://gitlab.com/${escapeString(url_params.get('repo'))}/-/pipelines/${escapeString(run_id)}` } - const run_link_node = `${run_id}` + const run_link_node = `${escapeString(run_id)}` const created_at = el[3] const label = el[4] const duration = el[7] - li_node.innerHTML = `${value}\ - ${label}\ + li_node.innerHTML = `${escapeString(value)}\ + ${escapeString(label)}\ ${run_link_node}\ - ${dateToYMD(new Date(created_at))}\ - ${short_hash}\ - ${cpu}\ - ${duration} seconds`; + ${dateToYMD(new Date(created_at))}\ + ${escapeString(short_hash)}\ + ${escapeString(cpu)}\ + ${escapeString(duration)} seconds`; document.querySelector("#ci-table").appendChild(li_node); }); $('table').tablesort(); 
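Review bot: In the @@ -241 hunk, `escapeString` is applied to `url_params.get('repo')` and `run_id` while `run_link` is being built, and that value is a URL, not markup: entity-escaping suits the attribute the link is later placed in, but it does not constrain the parameter to a repository path, so a `repo` value containing `/..`, `?` or `#` still changes where the generated link points. Encoding each path segment with `encodeURIComponent` (or validating an `owner/name` shape before building the URL) would close that gap; the same applies to `repo_link` in the @@ -318 hunk. `escapeString` is not defined anywhere in this diff, so whether it tolerates the numeric-looking `duration` and `run_id` values rather than only strings is assumed here and worth confirming against its definition. The enclosing `displayCITable` callback starts before this hunk.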
@@ -318,17 +318,17 @@ $(document).ready((e) => { let repo_link = '' if(badges_data.data[0][8] == 'github') { - repo_link = `https://github.com/${url_params.get('repo')}`; + repo_link = `https://github.com/${escapeString(url_params.get('repo'))}`; } else if(badges_data.data[0][8] == 'gitlab') { - repo_link = `https://gitlab.com/${url_params.get('repo')}`; + repo_link = `https://gitlab.com/${escapeString(url_params.get('repo'))}`; } //${repo_link} - const repo_link_node = `${url_params.get('repo')}` + const repo_link_node = `${escapeString(url_params.get('repo'))}` document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `Repository:${repo_link_node}`) - document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `Branch:${url_params.get('branch')}`) - document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `Workflow:${url_params.get('workflow')}`) - + document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `Branch:${escapeString(url_params.get('branch'))}`) + document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `Workflow:${escapeString(url_params.get('workflow'))}`) + displayCITable(badges_data.data, url_params); chart_instance = displayGraph(badges_data.data) displayAveragesTable(badges_data.data) diff --git a/frontend/js/helpers/main.js b/frontend/js/helpers/main.js index 907a95f85..01a5e7e4a 100644 --- a/frontend/js/helpers/main.js +++ b/frontend/js/helpers/main.js 
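Review bot: `escapeString(url_params.get('branch'))` and the `workflow` line below it receive `null` when the query parameter is absent, because `URLSearchParams.get` returns null for a missing key; `escapeString` is not shown in this diff, and if it calls a string method on its argument these lines now throw where the old template merely rendered the text `null`. `escapeString(url_params.get('branch') ?? '')` keeps the page rendering in that case; the same applies to every `url_params.get('repo')` call in this hunk and in the @@ -241 hunk. The enclosing `$(document).ready` callback starts and ends outside the hunk.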
@@ -33,18 +33,20 @@ class GMTMenu extends HTMLElement { customElements.define('gmt-menu', GMTMenu); const replaceRepoIcon = (uri) => { - if (uri.startsWith("https://www.github.com") || uri.startsWith("https://github.com")) { - uri = uri.replace("https://www.github.com", ''); - uri = uri.replace("https://github.com", ''); - } else if (uri.startsWith("https://www.bitbucket.com") || uri.startsWith("https://bitbucket.com")) { - uri = uri.replace("https://www.bitbucket.com", ''); - uri = uri.replace("https://bitbucket.com", ''); - } else if (uri.startsWith("https://www.gitlab.com") || uri.startsWith("https://gitlab.com")) { - uri = uri.replace("https://www.gitlab.com", ''); - uri = uri.replace("https://gitlab.com", ''); + const replacements = [ + { pattern: /^https:\/\/(www\.)?github\.com/, replacement: '' }, + { pattern: /^https:\/\/(www\.)?bitbucket\.com/, replacement: '' }, + { pattern: /^https:\/\/(www\.)?gitlab\.com/, replacement: '' } + ]; + + for (const { pattern, replacement } of replacements) { + if (pattern.test(uri)) { + return uri.replace(pattern, replacement); + } } + return uri; -} +}; const showNotification = (message_title, message_text, type='warning') => { $('body') From fe2b8a696d4f04e18669d2c6e067fa3bd112a758 Mon Sep 17 00:00:00 2001 From: Didi Hoffmann <39629+ribalba@users.noreply.github.com> Date: Fri, 4 Aug 2023 08:56:00 +0200 Subject: [PATCH 2/2] Refactored to use URL.host --- frontend/js/helpers/main.js | 33 ++++++++++++++++++++------------- 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/frontend/js/helpers/main.js b/frontend/js/helpers/main.js index 01a5e7e4a..9a1dfcef5 100644 --- a/frontend/js/helpers/main.js +++ b/frontend/js/helpers/main.js 
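Review bot: The patterns `^https:\/\/(www\.)?github\.com` and their bitbucket/gitlab siblings anchor only the start of the string, so any hostname that begins with `github.com` but continues with further label characters also passes the check and has its prefix stripped. A host boundary is needed, e.g. `/^https:\/\/(www\.)?github\.com(?=\/|$)/`. The second commit in this series replaces the patterns with a `URL.host` comparison, which resolves this; the `replacement` field is always `''` and could be dropped if the array form is kept.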
@@ -33,19 +33,26 @@ class GMTMenu extends HTMLElement { customElements.define('gmt-menu', GMTMenu); const replaceRepoIcon = (uri) => { - const replacements = [ - { pattern: /^https:\/\/(www\.)?github\.com/, replacement: '' }, - { pattern: /^https:\/\/(www\.)?bitbucket\.com/, replacement: '' }, - { pattern: /^https:\/\/(www\.)?gitlab\.com/, replacement: '' } - ]; - - for (const { pattern, replacement } of replacements) { - if (pattern.test(uri)) { - return uri.replace(pattern, replacement); - } - } - - return uri; + const url = new URL(uri); + let iconClass = ""; + + switch (url.host) { + case "github.com": + case "www.github.com": + iconClass = "github"; + break; + case "bitbucket.com": + case "www.bitbucket.com": + iconClass = "bitbucket"; + break; + case "gitlab.com": + case "www.gitlab.com": + iconClass = "gitlab"; + break; + default: + return uri; + } + return `` + uri.substring(url.origin.length); }; const showNotification = (message_title, message_text, type='warning') => {
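Review bot: `new URL(uri)` throws a `TypeError` for a relative or malformed `uri`, where the replaced code returned the input unchanged, so any caller passing a bare path now gets an exception instead of a string; `let url; try { url = new URL(uri); } catch { return uri; }` preserves the old contract. The final `uri.substring(url.origin.length)` assumes the parsed origin has the same length as the input's prefix, which fails when the input carries an explicit default port (`:443` is dropped from `origin`) — `url.pathname + url.search + url.hash` gives the remainder without that assumption. The scheme is no longer checked either, so `http://` inputs now match where the previous patterns required `https://`. The icon markup in the return line appears to have been lost in this rendering of the patch, but whatever precedes the remainder, that remainder is inserted unescaped; if callers place the result with innerHTML, the `escapeString` treatment the first commit applies in ci.js belongs here too.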