update to latest release #1451
update to latest release #1451
Conversation
️✅ There are no secrets present in this pull request anymore.If these secrets were true positive and are still valid, we highly recommend you to revoke them. 🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| catch (result) | ||
| { | ||
| if (typeof result !== 'undefined' && step.outputAs) | ||
| results[job.name][step.outputAs] = result |
Check warning
Code scanning / CodeQL
Prototype-polluting assignment
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 4 months ago
To fix the prototype pollution issue, we should ensure that the keys used in the results object cannot be __proto__, constructor, or prototype. This can be achieved by either using a Map object or by explicitly checking and rejecting these keys.
The best way to fix this without changing existing functionality is to add a check to reject these keys. This approach is straightforward and does not require significant changes to the existing code structure.
| @@ -309,2 +309,5 @@ | ||
| let previousStepName: string = name + '#prerequisites'; | ||
| if (job.name === '__proto__' || job.name === 'constructor' || job.name === 'prototype') { | ||
| throw new Error('Invalid job name: ' + job.name); | ||
| } | ||
| results[job.name] = {}; |
| let interpolateString: RegExpExecArray; | ||
| let result = ''; | ||
| let lastOffset = 0; | ||
| const regexp = /\{([A-Z][A-Z0-9]+)(?:#([A-Z][A-Z0-9]+)*)?\}/gi; |
Check failure
Code scanning / CodeQL
Inefficient regular expression
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 3 months ago
To fix the problem, we need to modify the regular expression to remove the ambiguity that causes exponential backtracking. Specifically, we can replace the [A-Z0-9]+ pattern with a more precise pattern that avoids ambiguity. One way to achieve this is to use a non-capturing group with a negated character class to ensure that each character is matched only once.
- Modify the regular expression on line 154 to avoid exponential backtracking.
- Replace
[A-Z0-9]+with(?:[A-Z0-9]+)to ensure that the pattern matches each character only once.
| @@ -153,3 +153,3 @@ | ||
| let lastOffset = 0; | ||
| const regexp = /\{([A-Z][A-Z0-9]+)(?:#([A-Z][A-Z0-9]+)*)?\}/gi; | ||
| const regexp = /\{([A-Z][A-Z0-9]*)(?:#([A-Z][A-Z0-9]*))?\}/gi; | ||
| while (interpolateString = regexp.exec(obj)) |
| } | ||
| } | ||
|
|
||
| let item = /^[\w0-9\$_]*\??/.exec(expression)[0]; |
Check warning
Code scanning / CodeQL
Overly permissive regular expression range
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 3 days ago
To fix the problem, we need to remove the redundant 0-9 from the character class in the regular expression. The \w character class already includes digits, so we can simplify the regular expression by removing 0-9.
- In the file
packages/core/src/parser/parser.ts, locate the regular expression on line 384. - Modify the regular expression to remove the redundant
0-9from the character class. - Ensure that the functionality remains the same by keeping the rest of the regular expression intact.
| @@ -383,3 +383,3 @@ | ||
|
|
||
| let item = /^[\w0-9\$_]*\??/.exec(expression)[0]; | ||
| let item = /^[\w\$_]*\??/.exec(expression)[0]; | ||
| const itemLength = item.length; |
|
|
||
| if (tag.event && tag.attributes.id) | ||
| { | ||
| result += renderOuter({ type: 'script', content: `addEventListener('load', function(){(function(el){${Object.entries(tag.event).map(e => `el.addEventListener(${JSON.stringify(e[0])}, ${e[1]})`).join(';' + prefix)}})(document.getElementById(${JSON.stringify(tag.attributes.id.value)}))})` }); |
Check warning
Code scanning / CodeQL
Improper code sanitization
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 3 months ago
To fix the problem, we need to ensure that any potentially dangerous characters in the tag.event keys and values are properly escaped before being inserted into the JavaScript code. We can achieve this by creating a function that escapes unsafe characters and using it to sanitize the tag.event keys and values.
- Create a function
escapeUnsafeCharsthat escapes potentially dangerous characters. - Use this function to sanitize the
tag.eventkeys and values before inserting them into the JavaScript code.
| @@ -15,2 +15,21 @@ | ||
|
|
||
| const charMap = { | ||
| '<': '\\u003C', | ||
| '>' : '\\u003E', | ||
| '/': '\\u002F', | ||
| '\\': '\\\\', | ||
| '\b': '\\b', | ||
| '\f': '\\f', | ||
| '\n': '\\n', | ||
| '\r': '\\r', | ||
| '\t': '\\t', | ||
| '\0': '\\0', | ||
| '\u2028': '\\u2028', | ||
| '\u2029': '\\u2029' | ||
| }; | ||
|
|
||
| function escapeUnsafeChars(str) { | ||
| return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029]/g, x => charMap[x]) | ||
| } | ||
|
|
||
| class TagRefImpl<TTag extends string, T extends Tag<TTag> | TypedCustomTag<TTag, U>, U> | ||
| @@ -222,3 +241,3 @@ | ||
| { | ||
| result += renderOuter({ type: 'script', content: `addEventListener('load', function(){(function(el){${Object.entries(tag.event).map(e => `el.addEventListener(${JSON.stringify(e[0])}, ${e[1]})`).join(';' + prefix)}})(document.getElementById(${JSON.stringify(tag.attributes.id.value)}))})` }); | ||
| result += renderOuter({ type: 'script', content: `addEventListener('load', function(){(function(el){${Object.entries(tag.event).map(e => `el.addEventListener(${escapeUnsafeChars(JSON.stringify(e[0]))}, ${escapeUnsafeChars(e[1].toString())})`).join(';' + prefix)}})(document.getElementById(${escapeUnsafeChars(JSON.stringify(tag.attributes.id.value))}))})` }); | ||
| } |
|
|
||
| if (tag.event && tag.attributes.id) | ||
| { | ||
| result += renderOuter({ type: 'script', content: `addEventListener('load', function(){(function(el){${Object.entries(tag.event).map(e => `el.addEventListener(${JSON.stringify(e[0])}, ${e[1]})`).join(';' + prefix)}})(document.getElementById(${JSON.stringify(tag.attributes.id.value)}))})` }); |
Check warning
Code scanning / CodeQL
Improper code sanitization
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 3 months ago
To fix the problem, we need to ensure that any user-controlled input is properly sanitized before being included in the dynamically generated script tag. We can achieve this by escaping potentially dangerous characters in the input. We will create a function to escape unsafe characters and use it to sanitize tag.attributes.id.value before including it in the script tag.
- Create a function
escapeUnsafeCharsto escape potentially dangerous characters. - Use this function to sanitize
tag.attributes.id.valuebefore including it in the script tag.
| @@ -90,2 +90,21 @@ | ||
|
|
||
| const charMap = { | ||
| '<': '\\u003C', | ||
| '>': '\\u003E', | ||
| '/': '\\u002F', | ||
| '\\': '\\\\', | ||
| '\b': '\\b', | ||
| '\f': '\\f', | ||
| '\n': '\\n', | ||
| '\r': '\\r', | ||
| '\t': '\\t', | ||
| '\0': '\\0', | ||
| '\u2028': '\\u2028', | ||
| '\u2029': '\\u2029' | ||
| }; | ||
|
|
||
| function escapeUnsafeChars(str) { | ||
| return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029]/g, x => charMap[x]); | ||
| } | ||
|
|
||
| export function escapeXml(text: string) | ||
| @@ -222,3 +241,3 @@ | ||
| { | ||
| result += renderOuter({ type: 'script', content: `addEventListener('load', function(){(function(el){${Object.entries(tag.event).map(e => `el.addEventListener(${JSON.stringify(e[0])}, ${e[1]})`).join(';' + prefix)}})(document.getElementById(${JSON.stringify(tag.attributes.id.value)}))})` }); | ||
| result += renderOuter({ type: 'script', content: `addEventListener('load', function(){(function(el){${Object.entries(tag.event).map(e => `el.addEventListener(${JSON.stringify(e[0])}, ${e[1]})`).join(';' + prefix)}})(document.getElementById(${escapeUnsafeChars(JSON.stringify(tag.attributes.id.value))}))})` }); | ||
| } |
|
| { | ||
| if (keys.length == i + 1) | ||
| { | ||
| config[key] = newConfig; |
Check warning
Code scanning / CodeQL
Prototype-polluting assignment
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI about 1 month ago
To fix the prototype pollution vulnerability, we need to ensure that the key parameter does not contain any values that could modify the Object.prototype. We can achieve this by checking if the key contains any forbidden properties like __proto__, constructor, or prototype before using it to modify the config object.
| @@ -271,2 +271,5 @@ | ||
| const keys = key.split('.'); | ||
| if (keys.includes('__proto__') || keys.includes('constructor') || keys.includes('prototype')) { | ||
| throw new Error('Invalid key'); | ||
| } | ||
| keys.reduce(function (config, key, i) |
| // console.log(config); | ||
| } | ||
| else if (typeof (config[key]) == 'undefined') | ||
| config[key] = {}; |
Check warning
Code scanning / CodeQL
Prototype-polluting assignment
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI about 1 month ago
To fix the prototype pollution vulnerability, we need to ensure that the key value cannot be used to modify Object.prototype. One way to achieve this is by checking if any part of the key is __proto__, constructor, or prototype and rejecting such inputs. This can be done by adding a validation step before using the key to modify the config object.
| @@ -271,2 +271,5 @@ | ||
| const keys = key.split('.'); | ||
| if (keys.some(k => k === '__proto__' || k === 'constructor' || k === 'prototype')) { | ||
| throw new Error('Invalid key'); | ||
| } | ||
| keys.reduce(function (config, key, i) |
| return; | ||
| if (typeof config[key] !== 'undefined' && keys.length == i + 1) | ||
| { | ||
| delete config[key]; |
Check warning
Code scanning / CodeQL
Prototype-polluting assignment
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI about 1 month ago
To fix the prototype pollution vulnerability, we need to ensure that the key parameter cannot be __proto__, constructor, or prototype. This can be done by adding a check at the beginning of the delete method to reject these values. Additionally, we should use a safer data structure like Map to store the configuration, but for minimal changes, we will implement the key validation.
| @@ -299,2 +299,5 @@ | ||
| { | ||
| if (key === '__proto__' || key === 'constructor' || key === 'prototype') { | ||
| throw new Error('Invalid key'); | ||
| } | ||
| const keys = key.split('.'); |
| const formatter = formatters.resolve<(new (...args: unknown[]) => Formatter<unknown>)>(`#${expression.formatter}`); | ||
| if (typeof formatter === 'function' && formatter.prototype instanceof WatcherFormatter) | ||
| if (result.settings) | ||
| result.getter = (target, watcher) => { const value = source(target, watcher); return (result.formatterInstance || (result.formatterInstance = new formatter(result.settings(target, watcher), watcher))).format(value instanceof ObservableObject ? value.target : value) }; |
Check failure
Code scanning / CodeQL
Unvalidated dynamic method call
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 3 days ago
To fix the problem, we need to add a more robust validation for the formatter before it is used. Specifically, we should ensure that the formatter is a function and, if it is to be instantiated, that it is a valid constructor. We can achieve this by using a combination of typeof checks and instanceof checks.
- Add a check to ensure that
formatteris a function. - Add a check to ensure that
formatteris a valid constructor if it is to be instantiated. - Modify the code to handle cases where the
formatteris not valid by returning an appropriate error message or taking other corrective actions.
| @@ -249,9 +249,32 @@ | ||
| const formatter = expression.formatter; | ||
| if (typeof formatter === 'function' && formatter.prototype instanceof WatcherFormatter) | ||
| if (result.settings) | ||
| result.getter = (target, watcher) => { const value = source(target, watcher); return (result.formatterInstance || (result.formatterInstance = new formatter(result.settings(target, watcher), watcher))).format(value instanceof ObservableObject ? value.target : value) }; | ||
| else | ||
| result.getter = (target, watcher) => { const value = source(target, watcher); return (result.formatterInstance || (result.formatterInstance = new formatter(watcher))).format(value instanceof ObservableObject ? value.target : value) }; | ||
| else | ||
| result.getter = (target, watcher) => { const value = source(target, watcher); return (result.formatterInstance || (result.formatterInstance = new formatter(result.settings?.(target, watcher)))).format(value instanceof ObservableObject ? value.target : value) }; | ||
| if (typeof formatter === 'function' && formatter.prototype instanceof WatcherFormatter) { | ||
| if (result.settings) { | ||
| result.getter = (target, watcher) => { | ||
| const value = source(target, watcher); | ||
| if (typeof formatter === 'function' && formatter.prototype instanceof WatcherFormatter) { | ||
| return (result.formatterInstance || (result.formatterInstance = new formatter(result.settings(target, watcher), watcher))).format(value instanceof ObservableObject ? value.target : value); | ||
| } else { | ||
| throw new Error('Invalid formatter function'); | ||
| } | ||
| }; | ||
| } else { | ||
| result.getter = (target, watcher) => { | ||
| const value = source(target, watcher); | ||
| if (typeof formatter === 'function' && formatter.prototype instanceof WatcherFormatter) { | ||
| return (result.formatterInstance || (result.formatterInstance = new formatter(watcher))).format(value instanceof ObservableObject ? value.target : value); | ||
| } else { | ||
| throw new Error('Invalid formatter function'); | ||
| } | ||
| }; | ||
| } | ||
| } else { | ||
| result.getter = (target, watcher) => { | ||
| const value = source(target, watcher); | ||
| if (typeof formatter === 'function') { | ||
| return (result.formatterInstance || (result.formatterInstance = new formatter(result.settings?.(target, watcher)))).format(value instanceof ObservableObject ? value.target : value); | ||
| } else { | ||
| throw new Error('Invalid formatter function'); | ||
| } | ||
| }; | ||
| } | ||
| } |
| if (result.settings) | ||
| result.getter = (target, watcher) => { const value = source(target, watcher); return (result.formatterInstance || (result.formatterInstance = new formatter(result.settings(target, watcher), watcher))).format(value instanceof ObservableObject ? value.target : value) }; | ||
| else | ||
| result.getter = (target, watcher) => { const value = source(target, watcher); return (result.formatterInstance || (result.formatterInstance = new formatter(watcher))).format(value instanceof ObservableObject ? value.target : value) }; |
Check failure
Code scanning / CodeQL
Unvalidated dynamic method call
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 3 days ago
To fix the problem, we need to ensure that the formatter is a valid function and is an own property of the expression object. We can achieve this by using Object.prototype.hasOwnProperty.call to check if formatter is an own property and typeof to check if it is a function. This will prevent any unexpected method calls and runtime exceptions.
| @@ -249,3 +249,3 @@ | ||
| const formatter = expression.formatter; | ||
| if (typeof formatter === 'function' && formatter.prototype instanceof WatcherFormatter) | ||
| if (Object.prototype.hasOwnProperty.call(expression, 'formatter') && typeof formatter === 'function' && formatter.prototype instanceof WatcherFormatter) | ||
| if (result.settings) |
| else | ||
| result.getter = (target, watcher) => { const value = source(target, watcher); return (result.formatterInstance || (result.formatterInstance = new formatter(watcher))).format(value instanceof ObservableObject ? value.target : value) }; | ||
| else | ||
| result.getter = (target, watcher) => { const value = source(target, watcher); return (result.formatterInstance || (result.formatterInstance = new formatter(result.settings?.(target, watcher)))).format(value instanceof ObservableObject ? value.target : value) }; |
Check failure
Code scanning / CodeQL
Unvalidated dynamic method call
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 3 days ago
To fix the problem, we need to ensure that the formatter variable is validated more thoroughly before it is used. Specifically, we should:
- Check if
formatteris an own property of theformattersobject to ensure it is a valid formatter function. - Verify that
formatteris indeed a function before invoking it.
This can be achieved by modifying the code in packages/core/src/observables/object.ts to include these additional checks.
| @@ -249,9 +249,9 @@ | ||
| const formatter = expression.formatter; | ||
| if (typeof formatter === 'function' && formatter.prototype instanceof WatcherFormatter) | ||
| if (formatters.hasOwnProperty(formatter) && typeof formatters[formatter] === 'function' && formatters[formatter].prototype instanceof WatcherFormatter) | ||
| if (result.settings) | ||
| result.getter = (target, watcher) => { const value = source(target, watcher); return (result.formatterInstance || (result.formatterInstance = new formatter(result.settings(target, watcher), watcher))).format(value instanceof ObservableObject ? value.target : value) }; | ||
| result.getter = (target, watcher) => { const value = source(target, watcher); return (result.formatterInstance || (result.formatterInstance = new formatters[formatter](result.settings(target, watcher), watcher))).format(value instanceof ObservableObject ? value.target : value) }; | ||
| else | ||
| result.getter = (target, watcher) => { const value = source(target, watcher); return (result.formatterInstance || (result.formatterInstance = new formatter(watcher))).format(value instanceof ObservableObject ? value.target : value) }; | ||
| result.getter = (target, watcher) => { const value = source(target, watcher); return (result.formatterInstance || (result.formatterInstance = new formatters[formatter](watcher))).format(value instanceof ObservableObject ? value.target : value) }; | ||
| else | ||
| result.getter = (target, watcher) => { const value = source(target, watcher); return (result.formatterInstance || (result.formatterInstance = new formatter(result.settings?.(target, watcher)))).format(value instanceof ObservableObject ? value.target : value) }; | ||
| result.getter = (target, watcher) => { const value = source(target, watcher); return (result.formatterInstance || (result.formatterInstance = new formatters[formatter](result.settings?.(target, watcher)))).format(value instanceof ObservableObject ? value.target : value) }; | ||
| } |
|
|
||
| // let formatterInstance: ReversibleFormatter<unknown, unknown>; | ||
| if (previousSetter) | ||
| setter = (target: T, value: TValue) => previousSetter.setter(target, ((formatterGetter.formatterInstance || (formatterGetter.formatterInstance = new formatter(formatterGetter.settings?.(target, null)))) as ReversibleFormatter<unknown, unknown>).unformat(value)); |
Check failure
Code scanning / CodeQL
Unvalidated dynamic method call
|
|
||
| public parseString(expression: string, start: string, parseFormatter: boolean) | ||
| { | ||
| const evaluatedRegex = new RegExp("^" + start + "((?:[^\\" + start + "]|\\.)*)" + start).exec(expression); |
Check failure
Code scanning / CodeQL
Regular expression injection
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 3 days ago
To fix the problem, we need to sanitize the start parameter before using it to construct the regular expression. The best way to do this is by using a sanitization function such as _.escapeRegExp from the lodash library. This function escapes special characters in the input string, making it safe to use in a regular expression.
- Install the lodash package if it is not already installed.
- Import the
_.escapeRegExpfunction from lodash. - Use
_.escapeRegExpto sanitize thestartparameter before constructing the regular expression.
| @@ -10,3 +10,3 @@ | ||
| import { formatters } from '../formatters/index.js'; | ||
|
|
||
| import _ from 'lodash'; | ||
|
|
||
| @@ -551,3 +551,4 @@ | ||
| { | ||
| const evaluatedRegex = new RegExp("^" + start + "((?:[^\\" + start + "]|\\.)*)" + start).exec(expression); | ||
| const safeStart = _.escapeRegExp(start); | ||
| const evaluatedRegex = new RegExp("^" + safeStart + "((?:[^\\" + safeStart + "]|\\.)*)" + safeStart).exec(expression); | ||
| // console.log(arguments); |
| @@ -63,3 +63,4 @@ | ||
| "debug": "^4.3.7", | ||
| "reflect-metadata": "^0.2.2" | ||
| "reflect-metadata": "^0.2.2", | ||
| "lodash": "^4.17.21" | ||
| }, |
| Package | Version | Security advisories |
| lodash (npm) | 4.17.21 | None |
feat: strongly type Injectable args BREAKING CHANGE: Injectable require TArgs
npenin
had a problem deploying
to
github-pages
GitHub Actions
Failure
|
No description provided.