
Commit f54b4f1

committed
security: fix CodeQL + add workflow
1 parent 88dc902 commit f54b4f1


3 files changed

+81
-9
lines changed


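--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,33 @@
+name: CodeQL
+
+on:
+  push:
+    branches: ["master"]
+  pull_request:
+    branches: ["master"]
+  schedule:
+    - cron: "0 3 * * 0"
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["javascript-typescript"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3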
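Review bot: The three `uses:` references (new lines 25, 28 and 33) are pinned to mutable major tags, `actions/checkout@v4`, `github/codeql-action/init@v3` and `github/codeql-action/analyze@v3`, so a moved or compromised tag would run different code inside a job that holds `security-events: write`. Pinning each to the full commit SHA of the intended release, with the version kept in a trailing comment such as `uses: actions/checkout@<commit-sha>  # v4`, removes the dependency on tag integrity, and Dependabot can keep the SHAs current. The job-level `permissions` block is already minimal and should stay as written.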

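--- a/src/media.ts
+++ b/src/media.ts
@@ -233,17 +233,54 @@ function getVideoEmbedUrl(url: string): string | undefined {
 }
 
 export function parseDrupalMediaTag(html: string): string | null {
-  const match = html.match(/data-entity-uuid=[\"']([^\"']+)[\"']/)
-  return match ? match[1] : null
+  const attr = "data-entity-uuid="
+  const start = html.indexOf(attr)
+  if (start === -1) {
+    return null
+  }
+
+  let index = start + attr.length
+  while (index < html.length && /\s/.test(html[index])) {
+    index += 1
+  }
+
+  const quote = html[index]
+  if (quote !== "\"" && quote !== "'") {
+    return null
+  }
+
+  const end = html.indexOf(quote, index + 1)
+  if (end === -1) {
+    return null
+  }
+
+  const uuid = html.slice(index + 1, end)
+  return uuid || null
 }
 
 export function extractEmbeddedMediaUuids(html: string): string[] {
-  const regex = /<drupal-media[^>]*data-entity-uuid=[\"']([^\"']+)[\"'][^>]*>/g
   const uuids: string[] = []
-  let match
+  const tagStart = "<drupal-media"
+  let index = 0
+
+  while (index < html.length) {
+    const start = html.indexOf(tagStart, index)
+    if (start === -1) {
+      break
+    }
+
+    const end = html.indexOf(">", start)
+    if (end === -1) {
+      break
+    }
+
+    const tag = html.slice(start, end + 1)
+    const uuid = parseDrupalMediaTag(tag)
+    if (uuid) {
+      uuids.push(uuid)
+    }
 
-  while ((match = regex.exec(html)) !== null) {
-    uuids.push(match[1])
+    index = end + 1
   }
 
   return uuids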
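Review bot: The value returned from `parseDrupalMediaTag` is never checked to actually be a UUID, so whatever sits between the quotes (whitespace, path separators, `..`) is handed to callers, and the rewrite now also accepts a value containing the other quote character, which the old `[^\"']+` class rejected; if the uuid is later interpolated into an API path or URL (not visible here), this boundary is where to guard it. An anchored, backtracking-free check such as `const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i` with `return UUID_RE.test(uuid) ? uuid : null` in place of `return uuid || null` keeps the CodeQL fix intact while rejecting malformed values. Separately, if the project enables `noUncheckedIndexedAccess`, the `html[index]` reads in the whitespace loop and in `const quote = html[index]` are `string | undefined` and `/\s/.test(html[index])` will not type-check; `html.charAt(index)` returns `string` and yields `""` past the end, which the quote check already rejects. The advance `index = end + 1` only runs once a closing `>` was found, which is correct since both `break` paths leave nothing further to scan.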

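--- a/src/url.ts
+++ b/src/url.ts
@@ -67,9 +67,11 @@ export function getImageStyleUrl(originalUrl: string, style: string, options?: {
     return resolved.replace(/\/styles\/[^/]+\//, `/styles/${style}/`)
   }
 
-  const filesMatch = resolved.match(/(.+\/files\/)(.+)$/)
-  if (filesMatch) {
-    const [, basePath, filePath] = filesMatch
+  const marker = "/files/"
+  const markerIndex = resolved.indexOf(marker)
+  if (markerIndex !== -1) {
+    const basePath = resolved.slice(0, markerIndex + marker.length)
+    const filePath = resolved.slice(markerIndex + marker.length)
     return `${basePath}styles/${style}/public/${filePath}`
   }
 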
