From ef0f8af2b5eb0d66280afbad729ad06bd768abae Mon Sep 17 00:00:00 2001
From: Alex Brozych
Date: Fri, 23 Feb 2024 12:11:04 +0000
Subject: [PATCH] feat: Fix improper renderering of context
feat: Use TextNodes instead of innerHTML to safely inject the context / extra_context into the hover menu
feat: Set git to trust all directories to mitigate the issue of trufflehog and gitleaks being unable to scan repos with different ownership than that of the current user
---
dockerfile | 4 ++++
template.html | 20 +++++++++++++++-----
2 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/dockerfile b/dockerfile
index db9c15b..8189cd1 100644
--- a/dockerfile
+++ b/dockerfile
@@ -20,6 +20,10 @@ WORKDIR /app
COPY . .
+# This is necessary to fix "dubious ownership" issues you can encounter
+# when scanning local repos
+RUN git config --global safe.directory '*'
+
# Exports
ENV SECRETMAGPIE_LISTEN_ADDR=0.0.0.0:8080
ENV SM_COMMAND "docker run punksecurity/secret-magpie --"
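Review bot: `safe.directory '*'` on the added RUN line turns off git's repository-ownership check for every path in the image, and the added comment does not record that trade-off. The check exists so that git does not honour configuration from a repository owned by another user, and this image scans repositories it did not create, so any git invocation the scanners make will now trust a repo-supplied `.git/config`. If scan targets are always mounted at a known location, list that path instead of `*`, e.g. `RUN git config --global safe.directory '<scan-mount-path>'` (placeholder; the mount path is not visible in this hunk), or extend the comment to say why the wildcard is accepted. `--global` writes to the build-time user's config, so it presumably has no effect if the container is run as a different user.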
diff --git a/template.html b/template.html
index b81bb7f..6719cd1 100644
--- a/template.html
+++ b/template.html
@@ -164,15 +164,26 @@
${data.secret}
- Context: ${data.context.split('\\n').join('')}
+ Context:
Extra Context:
-
- ${data.extra_context.split('\n').join('')}
-
+
`;
+
+ let context = eGui.querySelector("#context-code");
+ let extra_context = eGui.querySelector("#context-code");
+
+ for (let line of data.context.split('\n')) {
+ context.appendChild(document.createTextNode(line));
+ context.appendChild(document.createElement('br'));
+ }
+
+ for (let line of data.extra_context.split('\n')) {
+ extra_context.appendChild(document.createTextNode(line));
+ extra_context.appendChild(document.createElement('br'));
+ }
}
getGui() {
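Review bot: `context` and `extra_context` are both looked up with `eGui.querySelector("#context-code")`, so the second loop appends the extra-context lines to the same element as the first and the extra-context container stays empty. The second lookup presumably should use that container's own id, e.g. `eGui.querySelector("#<extra-context-element-id>")` (placeholder; the markup ids are not visible in this rendering of the hunk). `${data.secret}` is still interpolated into the template string on the hunk's first context line, so if that string is assigned to `innerHTML`, as the commit message suggests, a secret containing markup is rendered the way the context used to be; inserting it with `createTextNode` or `textContent` would close that gap too. Neither `querySelector` result is null-checked before `appendChild`, and the enclosing method starts above the hunk.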
@@ -869,7 +880,6 @@
background-color: #1d2024;
cursor: pointer;
}
-