

fix code scanning alerts (#669)
* fix alerts

* fix alerts

* fix alerts

* fix alerts

* add tests and simplify Glob

* fix import to lowercase file

* removed debugging code
decyjphr authored Aug 30, 2024
1 parent fc5b693 commit c9247f5
Showing 4 changed files with 101 additions and 6 deletions.
20 changes: 18 additions & 2 deletions lib/glob.js
@@ -1,8 +1,24 @@
class Glob {
constructor (glob) {
this.glob = glob
const regexptex = glob.replace(/\//g, '\\/').replace(/\?/g, '([^\\/])').replace(/\./g, '\\.').replace(/\*/g, '([^\\/]*)')
this.regexp = new RegExp(`^${regexptex}$`, 'u')

// If not a glob pattern then just match the string.
if (!this.glob.includes('*')) {
this.regexp = new RegExp(`.*${this.glob}.*`, 'u')
return
}
this.regexptText = this.globize(this.glob)
this.regexp = new RegExp(`^${this.regexptText}$`, 'u')
}

globize (glob) {
return glob
.replace(/\\/g, '\\\\') // escape backslashes
.replace(/\//g, '\\/') // escape forward slashes
.replace(/\./g, '\\.') // escape periods
.replace(/\?/g, '([^\\/])') // match any single character except /
.replace(/\*\*/g, '.+') // match any character except /, including /
.replace(/\*/g, '([^\\/]*)') // match any character except /
}

toString () {
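Review bot: The new non-glob branch, `this.regexp = new RegExp(`.*${this.glob}.*`, 'u')`, interpolates the raw pattern into a regex with no escaping, so a pattern containing `.`, `+`, `(`, `|` or `[` is read as regex syntax (an unbalanced `(` throws a SyntaxError at construction), and the unanchored leading `.*` makes a non-matching search quadratic on a backtracking engine — presumably the same class of scanner finding the rest of this commit is clearing. Since `globize` already escapes `\`, `/` and `.`, the branch can reuse it and keep the substring semantics the new tests rely on simply by dropping the `.*` wrappers: `this.regexp = new RegExp(this.globize(this.glob), 'u')`; `?` in a non-glob pattern then means "one non-slash character", consistent with the glob branch rather than regex-optional. Separately, the comment on the `**` line contradicts itself (`.+` does match across `/`); `// match one or more of any character, including /` is accurate. Note that `(`, `)`, `+`, `|`, `^` and `$` still pass through `globize` unescaped (only `[...]` classes appear to be intentionally supported, per the `./[0-9].*` test), which is worth a comment on the method if that is deliberate. `toString()` begins at the last line of the hunk and its body is outside this commit.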
4 changes: 2 additions & 2 deletions package-lock.json


5 changes: 3 additions & 2 deletions package.json
Expand Up @@ -27,15 +27,16 @@
"deepmerge": "^4.3.1",
"eta": "^3.0.3",
"js-yaml": "^4.1.0",
"lodash": "^4.17.21",
"node-cron": "^3.0.2",
"octokit": "^3.1.2",
"probot": "^12.3.3"
},
"devDependencies": {
"@eslint/eslintrc": "^2.0.2",
"@travi/any": "^2.1.8",
"check-engine": "^1.10.1",
"eslint": "^8.46.0",
"@eslint/eslintrc": "^2.0.2",
"eslint-config-standard": "^17.1.0",
"eslint-plugin-import": "^2.29.1",
"eslint-plugin-node": "^11.1.0",
Expand Down Expand Up @@ -83,4 +84,4 @@
"."
]
}
}
}
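Review bot: `lodash` is added as a runtime dependency at `"lodash": "^4.17.21",` but none of the other three files in this commit reference it (lib/glob.js and the new test only use Glob), so as far as this diff shows it is unused supply-chain surface pulled into every install. If it was brought in for this fix, `_.escapeRegExp` would be the natural replacement for the hand-rolled escaping in `globize`; otherwise the line should be dropped, or the commit message should name the module that consumes it. The `@eslint/eslintrc` change is a reorder only.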
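--- /dev/null
+++ b/test/unit/lib/glob.test.ts
@@ -0,0 +1,78 @@
+const Glob = require('../../../lib/glob')
+
+describe('glob test', function () {
+
+test('Test Glob **', () => {
+let pattern = new Glob('**/xss')
+let str = 'test/web/xss'
+expect(str.search(pattern)>=0).toBeTruthy()
+str = 'test/web/xsssss'
+expect(str.search(pattern)>=0).toBeFalsy()
+
+pattern = new Glob('**/*.txt')
+str = 'sub/3.txt'
+expect(str.search(pattern)>=0).toBeTruthy()
+str = '/sub1/sub2/sub3/3.txt'
+expect(str.search(pattern)>=0).toBeTruthy()
+
+pattern = new Glob('**/csrf-protection-disabled')
+str = 'java/csrf-protection-disabled'
+expect(str.search(pattern)>=0).toBeTruthy()
+str = '/java/test/csrf-protection-disabled'
+expect(str.search(pattern)>=0).toBeTruthy()
+})
+
+test('Test Glob *', () => {
+let str = 'web/xss'
+let pattern = new Glob('*/xss')
+expect(str.search(pattern)>=0).toBeTruthy()
+
+pattern = new Glob('./[0-9].*')
+str = './1.gif'
+expect(str.search(pattern)>=0).toBeTruthy()
+str = './2.gif'
+expect(str.search(pattern)>=0).toBeTruthy()
+str = './2.'
+expect(str.search(pattern)>=0).toBeTruthy()
+
+pattern = new Glob('*/csrf-protection-disabled')
+str = 'java/csrf-protection-disabled'
+expect(str.search(pattern)>=0).toBeTruthy()
+str = 'rb/csrf-protection-disabled'
+expect(str.search(pattern)>=0).toBeTruthy()
+
+pattern = new Glob('*/hardcoded-credential*')
+str = 'java/csrf-protection-disabled'
+expect(str.search(pattern)>=0).toBeFalsy()
+str = 'rb/csrf-protection-disabled'
+expect(str.search(pattern)>=0).toBeFalsy()
+str = 'cs/hardcoded-credentials'
+expect(str.search(pattern)>=0).toBeTruthy()
+str = 'java/hardcoded-credential-api-call'
+expect(str.search(pattern)>=0).toBeTruthy()
+
+})
+
+test('Test Glob no *', () => {
+let pattern = new Glob('csrf-protection-disabled')
+let str = 'java/hardcoded-credential-api-call'
+expect(str.search(pattern)>=0).toBeFalsy()
+str = 'cs/test/hardcoded-credentials'
+expect(str.search(pattern)>=0).toBeFalsy()
+str = 'rb/csrf-protection-disabled'
+expect(str.search(pattern)>=0).toBeTruthy()
+str = 'java/csrf-protection-disabled'
+expect(str.search(pattern)>=0).toBeTruthy()
+
+pattern = new Glob('csrf')
+str = 'java/hardcoded-credential-api-call'
+expect(str.search(pattern)>=0).toBeFalsy()
+str = 'cs/test/hardcoded-credentials'
+expect(str.search(pattern)>=0).toBeFalsy()
+str = 'rb/csrf-protection-disabled'
+expect(str.search(pattern)>=0).toBeTruthy()
+str = 'java/csrf-protection-disabled'
+expect(str.search(pattern)>=0).toBeTruthy()
+})
+
+})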
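Review bot: Every assertion hands the Glob instance to `String.prototype.search`, which never reads `pattern.regexp`: a non-RegExp argument is coerced through its string form into a fresh RegExp without the `u` flag, so what is exercised is whatever `toString()` (outside this commit, presumably the regexp source) returns, not the compiled object the constructor builds. Asserting on what the class actually exposes, `expect(pattern.regexp.test(str)).toBe(true)`, tests the constructor's output directly and stops a later change to `toString()` from masking a regression. The suite also has no case for a non-glob pattern containing regex metacharacters (e.g. `new Glob('a.b')` must not match `'axb'`, and `new Glob('a(b')` must not throw), which is exactly the branch lib/glob.js adds in this commit. Finally, the file has a `.ts` extension but is plain CommonJS with `require` and no types; either renaming it to `.js` or switching to an `import` keeps the test tooling consistent.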

2 comments on commit c9247f5

@luvsaxena1
Contributor


@decyjphr This commit is breaking safe-settings. We are currently dealing with an incident in which safe-settings malfunctioned and updated repos on the enterprise that are not configured via safe-settings at all.

I can talk more about the issue that we are facing.

@decyjphr
Collaborator Author


Sure, sorry for the trouble. Could you open an issue? If you have an example I can use to reproduce it in the tests, that would be great. I made the change after all the existing tests passed, but I want to understand your use case.
