Fix code scanning alert no. 6: Incomplete string escaping or encoding #3481
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
👍 As noted above, I didn't write this code. It was written by GitHub AutoPilot. However, I think this code looks reasonable...it just adds a new `.replace()` to handle backslashes properly. This also passes our detailed automated tests in `metadata.utils.spec.ts`.
(Technically, I don't think it should be possible to pass backslashes into this regex. But, it's better to be safe. So, I think this looks reasonable.)
👍 Tested locally and found no changes in behavior. This is primarily used in import (via external sources) and object display. Tested those and everything seems to work well.
(NOTE: This PR was autogenerated by Copilot Autofix. I did not write the text below, nor the code changes in this PR)
Fixes https://github.com/DSpace/dspace-angular/security/code-scanning/6
To fix the problem, we need to ensure that backslashes in the `inputKey` are properly escaped before constructing the regular expression. This can be done by adding an additional `replace` call to escape backslashes. The best way to fix this without changing existing functionality is to modify the line where the regular expression is constructed. `inputKeyRegex` is defined to include an additional `replace` call for escaping backslashes. The `replace` method uses a regular expression with the global flag to replace all occurrences of backslashes.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.