Skip to content

Potential fix for code scanning alert no. 53: Client-side cross-site scripting #579

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rajbos merged 2 commits into from
Apr 10, 2026
+59 −1
Merged

Potential fix for code scanning alert no. 53: Client-side cross-site scripting #579

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e7b066b
Potential fix for code scanning alert no. 53: Client-side cross-site …
rajbos Apr 10, 2026
4e13c9a
fix: sanitize RepoPrDetail fields correctly in sanitizeRepoPrStatsData
rajbos Apr 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 59 additions & 1 deletion vscode-extension/src/webview/usage/main.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -436,6 +436,64 @@ function setupTabs(): void {
});
}

function toSafeNumber(value: unknown): number {
const n = Number(value);
return Number.isFinite(n) && n >= 0 ? n : 0;
}

function toSafeHttpUrl(value: unknown): string {
const raw = typeof value === 'string' ? value.trim() : '';
try {
const parsed = new URL(raw);
if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
return parsed.toString();
}
} catch {
// Ignore invalid URL and fall back to placeholder.
}
return '#';
}

function sanitizeRepoPrStatsData(input: unknown): RepoPrStatsResult {
const src = (input && typeof input === 'object') ? (input as Record<string, unknown>) : {};
const repos = Array.isArray(src.repos) ? src.repos : [];
return {
authenticated: Boolean(src.authenticated),
since: typeof src.since === 'string' || typeof src.since === 'number' ? src.since : Date.now(),
repos: repos.map((repo) => {
const r = (repo && typeof repo === 'object') ? (repo as Record<string, unknown>) : {};
const aiDetails = Array.isArray(r.aiDetails) ? r.aiDetails : [];
return {
repoUrl: toSafeHttpUrl(r.repoUrl),
owner: escapeHtml(typeof r.owner === 'string' ? r.owner : ''),
repo: escapeHtml(typeof r.repo === 'string' ? r.repo : ''),
error: typeof r.error === 'string' ? escapeHtml(r.error) : '',
totalPrs: toSafeNumber(r.totalPrs),
aiAuthoredPrs: toSafeNumber(r.aiAuthoredPrs),
aiReviewRequestedPrs: toSafeNumber(r.aiReviewRequestedPrs),
aiDetails: aiDetails.map((d) => {
const detail = (d && typeof d === 'object') ? (d as Record<string, unknown>) : {};
const validAiTypes = ['copilot', 'claude', 'openai', 'other-ai'] as const;
const validRoles = ['author', 'reviewer-requested'] as const;
const aiType = validAiTypes.includes(detail.aiType as typeof validAiTypes[number])
? detail.aiType as typeof validAiTypes[number]
: 'other-ai';
const role = validRoles.includes(detail.role as typeof validRoles[number])
? detail.role as typeof validRoles[number]
: 'author';
return {
number: toSafeNumber(detail.number),
title: escapeHtml(typeof detail.title === 'string' ? detail.title : ''),
url: toSafeHttpUrl(detail.url),
aiType,
role,
};
}),
};
}),
} as RepoPrStatsResult;
}

function renderReposPrContent(data: RepoPrStatsResult): string {
const sinceDate = escapeHtml(new Date(data.since).toLocaleDateString());
if (!data.authenticated) {
Expand Down Expand Up @@ -1356,7 +1414,7 @@ window.addEventListener('message', (event) => {
break;
}
case 'repoPrStatsLoaded': {
repoPrStatsData = message.data as RepoPrStatsResult;
repoPrStatsData = sanitizeRepoPrStatsData(message.data);
// Reset the loaded flag when not authenticated so re-authenticating and clicking the tab
// again triggers a fresh fetch instead of showing the stale "not authenticated" placeholder.
if (!repoPrStatsData.authenticated) {
Expand Down
Loading