
Conversation

miledivovic
Contributor

No description provided.


Quality Gate failed

Failed conditions
6 Security Hotspots
15.5% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

if (range.toLowerCase().indexOf("level") !== -1 && this.profile[property]["add"] !== "checkedOptions") {
return false;
}
if (range.toLowerCase().indexOf("https://purl.org/ctdl/terms/IdentifierValue") !== -1) {

Check failure

Code scanning / CodeQL

Incomplete URL substring sanitization High

'https://purl.org/ctdl/terms/IdentifierValue' can be anywhere in the URL, and arbitrary hosts may come before or after it.

Copilot Autofix

AI 4 months ago

To fix the issue, the code should parse the range value as a URL and validate its host explicitly. This ensures that the substring check is performed on the correct part of the URL and prevents malicious URLs from bypassing the validation. The URL class in JavaScript can be used to parse the URL and extract its host for comparison.

The fix involves:

  1. Parsing the range value using the URL class.
  2. Validating the host of the parsed URL against a whitelist or ensuring it matches the expected domain.
  3. Replacing the substring check with a more robust host-based validation.
Suggested changeset 1
src/lode/components/AddProperty.vue

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/lode/components/AddProperty.vue b/src/lode/components/AddProperty.vue
--- a/src/lode/components/AddProperty.vue
+++ b/src/lode/components/AddProperty.vue
@@ -550,4 +550,10 @@
             }
-            if (range.toLowerCase().indexOf("https://purl.org/ctdl/terms/IdentifierValue") !== -1) {
-                return false;
+            try {
+                const parsedUrl = new URL(range);
+                const allowedHost = "purl.org";
+                if (parsedUrl.host !== allowedHost || !parsedUrl.pathname.startsWith("/ctdl/terms/IdentifierValue")) {
+                    return false;
+                }
+            } catch (e) {
+                return false; // Invalid URL
             }
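Review bot: the replacement inverts the original condition, so this hunk changes behaviour rather than only hardening the check. The removed line returned false only when `range` contained the IdentifierValue URL; the added `if (parsedUrl.host !== allowedHost || !parsedUrl.pathname.startsWith("/ctdl/terms/IdentifierValue")) { return false; }` returns false for every range that is not that URL, and `catch (e) { return false; // Invalid URL }` returns false for any value `new URL()` cannot parse, which covers every range that is not an absolute URL. To keep the original intent, return false when the parsed URL does match (`parsedUrl.hostname === "purl.org" && parsedUrl.pathname === "/ctdl/terms/IdentifierValue"`) and let the catch fall through to the code below instead of returning. `hostname` rather than `host` avoids a mismatch when a port is present, and an exact path comparison rather than `startsWith` avoids accepting longer paths. The removed line also compared after `toLowerCase()`; `URL` lowercases the host but leaves the path as given, so decide whether the path comparison should remain case-insensitive.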
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
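The following is an added example, not code from this pull request, from the Copilot autofix, or from AddProperty.vue. It places the substring test CodeQL flagged beside a check that parses the value with the WHATWG URL class and compares host and path explicitly, and runs both over a list of constructed range strings (none taken from the repository) to show where the two disagree. The function names and the sample inputs are assumptions made for the demonstration.

```javascript
// Added example (not from the PR or AddProperty.vue): substring match versus
// an explicit host/path check after parsing with the URL class.
// All `range` strings below are constructed for this demonstration.

const IDENTIFIER_VALUE = "https://purl.org/ctdl/terms/IdentifierValue";

// Pattern flagged by CodeQL: true whenever the marker appears anywhere in the string.
function substringMatch(range) {
  return range.toLowerCase().indexOf(IDENTIFIER_VALUE.toLowerCase()) !== -1;
}

// Host-based check. Returns false instead of throwing for values that are not
// absolute URLs, so a caller can fall through to its other range rules.
function isIdentifierValueRange(range) {
  let parsed;
  try {
    parsed = new URL(range);
  } catch (e) {
    return false; // e.g. a bare word with no scheme at all
  }
  if (parsed.protocol !== "https:") return false;
  // hostname never carries a port and is already lowercased by the parser.
  if (parsed.hostname !== "purl.org") return false;
  // Exact path match: startsWith() would also accept "/ctdl/terms/IdentifierValueType".
  // The path keeps its case, unlike the original toLowerCase() substring test.
  return parsed.pathname === "/ctdl/terms/IdentifierValue";
}

// Runs both checks over a list of range strings and returns the verdicts side by side.
function compareChecks(ranges) {
  return ranges.map((range) => ({
    range,
    substring: substringMatch(range),
    parsed: isIdentifierValueRange(range),
  }));
}

// Constructed inputs (hypothetical; not values from the repository).
const SAMPLE_RANGES = [
  IDENTIFIER_VALUE,
  // marker embedded in another host's query string: substring yes, parser no
  "https://evil.example/?next=https://purl.org/ctdl/terms/IdentifierValue",
  // marker inside another host's path: substring yes, parser no
  "https://evil.example/https://purl.org/ctdl/terms/IdentifierValue",
  // explicit default port: substring misses it, the parser normalises it away
  "https://purl.org:443/ctdl/terms/IdentifierValue",
  // longer path that startsWith() would have accepted: exact match rejects it
  "https://purl.org/ctdl/terms/IdentifierValueType",
  // CURIE-style range: parses (scheme "xsd:") but is not the IdentifierValue URL
  "xsd:string",
  // not a URL at all: new URL() throws, the check returns false
  "checkedOptions",
];

console.table(compareChecks(SAMPLE_RANGES));
```

The table makes the CodeQL finding concrete: the substring test accepts the marker wherever it occurs and misses a normalised-but-equivalent URL, while the parsed check answers the question actually being asked, whether this range is the IdentifierValue term.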
@miledivovic miledivovic merged commit db6ba06 into master Jun 10, 2025
3 of 5 checks passed