Merge pull request #816 from snyk/fix/ghsa-snippet-rule

fix: code snippet rule injection for ghsa
snyk · Aug 13, 2024 · 8afe61b · 8afe61b
2 parents 465a6db + 970d89d
commit 8afe61b
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/lib/common/filter/filter-rules-loading.ts b/lib/common/filter/filter-rules-loading.ts
@@ -186,8 +186,10 @@ function injectRulesAtRuntime(
         filters.private.filter(
           (entry) =>
             entry.method === 'GET' &&
-            SNIPPETS_CODE_SCM_ORIGINS.filter((origin) =>
-              entry.origin?.includes(`{${origin}}`),
+            SNIPPETS_CODE_SCM_ORIGINS.filter(
+              (origin) =>
+                entry.origin?.includes(`{${origin}}`) &&
+                entry.auth?.token != '${JWT_TOKEN}',
             ).length > 0,
         )[0],
       );
@@ -204,6 +206,9 @@ function injectRulesAtRuntime(
           templateGET.path = '*/info/refs*';
           templateGETForSnippets.path = '/repos/:name/:repo/contents/:path';
           templatePOST.path = '*/git-upload-pack';
+          // if(templateGETForSnippets.auth && templateGETForSnippets.auth.token && templateGETForSnippets.auth.token === '${JWT_TOKEN}'){
+          //   templateGETForSnippets.auth.token === '${GHSA_ACCESS_TOKEN}'
+          // }
           break;
         case 'GITLAB':
           templateGET.path = '*/info/refs*';

diff --git a/test/unit/runtime-rules-hotloading.test.ts b/test/unit/runtime-rules-hotloading.test.ts
@@ -272,6 +272,13 @@ describe('filter Rules Loading', () => {
             (x) => x.origin.includes('x-access-token') && x.auth,
           ),
         ).toHaveLength(0);
+        expect(
+          loadedRules[folder].private.filter(
+            (x) =>
+              x.auth?.token === '${JWT_TOKEN}' &&
+              x['//'] === 'needed to load code snippets',
+          ),
+        ).toHaveLength(0);
       }
       expect(loadedRules).toMatchSnapshot();
       delete process.env.ACCEPT_GIT;