security: fix CodeQL + add workflow

mowens3 · mowens3 · commit f54b4f1227c1 · 2026-01-01T14:02:39.000-08:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,33 @@
+name: CodeQL
+
+on:
+  push:
+    branches: ["master"]
+  pull_request:
+    branches: ["master"]
+  schedule:
+    - cron: "0 3 * * 0"
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["javascript-typescript"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
diff --git a/src/media.ts b/src/media.ts
@@ -233,17 +233,54 @@ function getVideoEmbedUrl(url: string): string | undefined {
 }
 
 export function parseDrupalMediaTag(html: string): string | null {
-  const match = html.match(/data-entity-uuid=[\"']([^\"']+)[\"']/)
-  return match ? match[1] : null
+  const attr = "data-entity-uuid="
+  const start = html.indexOf(attr)
+  if (start === -1) {
+    return null
+  }
+
+  let index = start + attr.length
+  while (index < html.length && /\s/.test(html[index])) {
+    index += 1
+  }
+
+  const quote = html[index]
+  if (quote !== "\"" && quote !== "'") {
+    return null
+  }
+
+  const end = html.indexOf(quote, index + 1)
+  if (end === -1) {
+    return null
+  }
+
+  const uuid = html.slice(index + 1, end)
+  return uuid || null
 }
 
 export function extractEmbeddedMediaUuids(html: string): string[] {
-  const regex = /<drupal-media[^>]*data-entity-uuid=[\"']([^\"']+)[\"'][^>]*>/g
   const uuids: string[] = []
-  let match
+  const tagStart = "<drupal-media"
+  let index = 0
+
+  while (index < html.length) {
+    const start = html.indexOf(tagStart, index)
+    if (start === -1) {
+      break
+    }
+
+    const end = html.indexOf(">", start)
+    if (end === -1) {
+      break
+    }
+
+    const tag = html.slice(start, end + 1)
+    const uuid = parseDrupalMediaTag(tag)
+    if (uuid) {
+      uuids.push(uuid)
+    }
 
-  while ((match = regex.exec(html)) !== null) {
-    uuids.push(match[1])
+    index = end + 1
   }
 
   return uuids
diff --git a/src/url.ts b/src/url.ts
@@ -67,9 +67,11 @@ export function getImageStyleUrl(originalUrl: string, style: string, options?: {
     return resolved.replace(/\/styles\/[^/]+\//, `/styles/${style}/`)
   }
 
-  const filesMatch = resolved.match(/(.+\/files\/)(.+)$/)
-  if (filesMatch) {
-    const [, basePath, filePath] = filesMatch
+  const marker = "/files/"
+  const markerIndex = resolved.indexOf(marker)
+  if (markerIndex !== -1) {
+    const basePath = resolved.slice(0, markerIndex + marker.length)
+    const filePath = resolved.slice(markerIndex + marker.length)
     return `${basePath}styles/${style}/public/${filePath}`
   }
 

Original file line number	Diff line number	Diff line change
`@@ -67,9 +67,11 @@ export function getImageStyleUrl(originalUrl: string, style: string, options?: {`
`67`	`67`	return resolved.replace(/\/styles\/[^/]+\//, `/styles/${style}/`)
`68`	`68`	`}`
`69`	`69`
`70`		`- const filesMatch = resolved.match(/(.+\/files\/)(.+)$/)`
`71`		`- if (filesMatch) {`
`72`		`- const [, basePath, filePath] = filesMatch`
	`70`	`+ const marker = "/files/"`
	`71`	`+ const markerIndex = resolved.indexOf(marker)`
	`72`	`+ if (markerIndex !== -1) {`
	`73`	`+ const basePath = resolved.slice(0, markerIndex + marker.length)`
	`74`	`+ const filePath = resolved.slice(markerIndex + marker.length)`
`73`	`75`	return `${basePath}styles/${style}/public/${filePath}`
`74`	`76`	`}`
`75`	`77`