mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-12-22 23:32:14 +00:00
fix: Solve codeql security issues
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
This commit is contained in:
parent
711b520421
commit
7f6da650d1
9 changed files with 17 additions and 32 deletions
|
@ -151,6 +151,9 @@ export abstract class WindowPostMessageCommunicator<
|
|||
* @return {@link true} if the event was processed.
|
||||
*/
|
||||
protected handleEvent(event: MessageEvent<MessagePayloadWithUuid<RECEIVE_TYPE>>): void {
|
||||
if (event.origin !== this.targetOrigin) {
|
||||
return
|
||||
}
|
||||
Optional.ofNullable(event.data)
|
||||
.filter((value) => value.uuid === this.uuid)
|
||||
.ifPresent((payload) => {
|
||||
|
|
|
@ -7,12 +7,7 @@
|
|||
import { GistMarkdownExtension } from './gist-markdown-extension'
|
||||
import type { RegexOptions } from '../../../external-types/markdown-it-regex/interface'
|
||||
|
||||
const protocolRegex = /(?:http(?:s)?:\/\/)?/
|
||||
const domainRegex = /(?:gist\.github\.com\/)/
|
||||
const idRegex = /(\w+\/\w+)/
|
||||
const tailRegex = /(?:[./?#].*)?/
|
||||
const gistUrlRegex = new RegExp(`(?:${protocolRegex.source}${domainRegex.source}${idRegex.source}${tailRegex.source})`)
|
||||
const linkRegex = new RegExp(`^${gistUrlRegex.source}$`, 'i')
|
||||
const linkRegex = /^(?:https?:\/\/)?gist\.github\.com\/(\w+\/\w+)(?:[./?#].*)?$/i
|
||||
|
||||
/**
|
||||
* Replacer for gist links.
|
||||
|
|
|
@ -10,8 +10,8 @@ exports[`VimeoFrame renders a click shield 1`] = `
|
|||
<iframe
|
||||
allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture"
|
||||
class="embed-responsive-item"
|
||||
src="https://player.vimeo.com/video/valid vimeo id?autoplay=1"
|
||||
title="vimeo video of valid vimeo id"
|
||||
src="https://player.vimeo.com/video/validVimeoId?autoplay=1"
|
||||
title="vimeo video of validVimeoId"
|
||||
/>
|
||||
</span>
|
||||
</span>
|
||||
|
|
|
@ -9,14 +9,8 @@ import type MarkdownIt from 'markdown-it'
|
|||
import markdownItRegex from 'markdown-it-regex'
|
||||
import type { RegexOptions } from '../../../external-types/markdown-it-regex/interface'
|
||||
|
||||
const protocolRegex = /(?:http(?:s)?:\/\/)?/
|
||||
const domainRegex = /(?:player\.)?(?:vimeo\.com\/)(?:(?:channels|album|ondemand|groups)\/\w+\/)?(?:video\/)?/
|
||||
const idRegex = /(\d{6,11})/
|
||||
const tailRegex = /(?:[?#].*)?/
|
||||
const vimeoVideoUrlRegex = new RegExp(
|
||||
`(?:${protocolRegex.source}${domainRegex.source}${idRegex.source}${tailRegex.source})`
|
||||
)
|
||||
const linkRegex = new RegExp(`^${vimeoVideoUrlRegex.source}$`, 'i')
|
||||
const linkRegex =
|
||||
/^(?:https?:\/\/)?(?:player\.)?vimeo\.com\/(?:(?:channels|album|ondemand|groups)\/\w+\/)?(?:video\/)?(\d{6,11})(?:[?#].*)?$/i
|
||||
|
||||
const replaceVimeoLink: RegexOptions = {
|
||||
name: 'vimeo-link',
|
||||
|
|
|
@ -19,7 +19,7 @@ describe('VimeoFrame', () => {
|
|||
})
|
||||
|
||||
it('renders a click shield', () => {
|
||||
const view = render(<VimeoFrame id={'valid vimeo id'} />)
|
||||
const view = render(<VimeoFrame id={'validVimeoId'} />)
|
||||
expect(view.container).toMatchSnapshot()
|
||||
})
|
||||
})
|
||||
|
|
|
@ -10,8 +10,8 @@ exports[`YoutubeFrame renders a click shield 1`] = `
|
|||
<iframe
|
||||
allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture"
|
||||
class="embed-responsive-item"
|
||||
src="https://www.youtube-nocookie.com/embed/valid youtube id?autoplay=1"
|
||||
title="youtube video of valid youtube id"
|
||||
src="https://www.youtube-nocookie.com/embed/validYoutubeId?autoplay=1"
|
||||
title="youtube video of validYoutubeId"
|
||||
/>
|
||||
</span>
|
||||
</span>
|
||||
|
|
|
@ -34,17 +34,17 @@ describe('Replace youtube link', () => {
|
|||
})
|
||||
|
||||
it("won't detect an invalid(too short) youtube id", () => {
|
||||
const invalidUrl = '${origin}?v=1'
|
||||
const invalidUrl = `${origin}?v=1`
|
||||
expect(markdownIt.renderInline(invalidUrl)).toBe(invalidUrl)
|
||||
})
|
||||
|
||||
it("won't detect an invalid(invalid characters) youtube id", () => {
|
||||
const invalidUrl = '${origin}?v= /!#/'
|
||||
const invalidUrl = `${origin}?v= /!#/`
|
||||
expect(markdownIt.renderInline(invalidUrl)).toBe(invalidUrl)
|
||||
})
|
||||
|
||||
it("won't detect an invalid(too long) youtube id", () => {
|
||||
const invalidUrl = '${origin}?v=111111111111111111111111111111111'
|
||||
const invalidUrl = `${origin}?v=111111111111111111111111111111111`
|
||||
expect(markdownIt.renderInline(invalidUrl)).toBe(invalidUrl)
|
||||
})
|
||||
})
|
||||
|
|
|
@ -9,15 +9,8 @@ import markdownItRegex from 'markdown-it-regex'
|
|||
import type MarkdownIt from 'markdown-it'
|
||||
import type { RegexOptions } from '../../../external-types/markdown-it-regex/interface'
|
||||
|
||||
const protocolRegex = /(?:http(?:s)?:\/\/)?/
|
||||
const subdomainRegex = /(?:www.)?/
|
||||
const pathRegex = /(?:youtube(?:-nocookie)?\.com\/(?:[^\\/]+\/.+\/|(?:v|e(?:mbed)?)\/|.*[?&]v=)|youtu\.be\/)/
|
||||
const idRegex = /([\w-]{11})/
|
||||
const tailRegex = /(?:[?&#].*)?/
|
||||
const youtubeVideoUrlRegex = new RegExp(
|
||||
`(?:${protocolRegex.source}${subdomainRegex.source}${pathRegex.source}${idRegex.source}${tailRegex.source})`
|
||||
)
|
||||
const linkRegex = new RegExp(`^${youtubeVideoUrlRegex.source}$`, 'i')
|
||||
const linkRegex =
|
||||
/^(?:https?:\/\/)?(?:www.)?(?:youtube(?:-nocookie)?\.com\/(?:[^\\/]+\/.+\/|(?:v|e(?:mbed)?)\/|.*[?&]v=)|youtu\.be\/)([\w-]{11})(?:[?&#].*)?$/i
|
||||
|
||||
/**
|
||||
* Replacer for youtube links.
|
||||
|
|
|
@ -19,7 +19,7 @@ describe('YoutubeFrame', () => {
|
|||
})
|
||||
|
||||
it('renders a click shield', () => {
|
||||
const view = render(<YouTubeFrame id={'valid youtube id'} />)
|
||||
const view = render(<YouTubeFrame id={'validYoutubeId'} />)
|
||||
expect(view.container).toMatchSnapshot()
|
||||
})
|
||||
})
|
||||
|
|
Loading…
Reference in a new issue