cleanup github badge validation

joaomoreno · joaomoreno · commit 600505a0655b · 2020-06-15T09:41:46.000+02:00
diff --git a/src/package.ts b/src/package.ts
@@ -171,16 +171,16 @@ const TrustedSVGSources = [
 	'www.versioneye.com'
 ];
 
-function isHostTrusted(host: string): boolean {
-	return TrustedSVGSources.indexOf(host.toLowerCase()) > -1;
-}
-
 function isGitHubRepository(repository: string): boolean {
 	return /^https:\/\/github\.com\/|^git@github\.com:/.test(repository || '');
 }
 
 function isGitHubBadge(href: string): boolean {
-	return isGitHubRepository(href) && /[A-Za-z0-9_-]{1,100}\/workflows\/[^<>:;,?"*|/]+\/badge\.svg$/.test(href || '');
+	return /^https:\/\/github\.com\/[^/]+\/[^/]+\/workflows\/.*badge\.svg/.test(href || '');
+}
+
+function isHostTrusted(url: url.UrlWithStringQuery): boolean {
+	return TrustedSVGSources.indexOf(url.host.toLowerCase()) > -1 || isGitHubBadge(url.href);
 }
 
 class ManifestProcessor extends BaseProcessor {
@@ -472,7 +472,7 @@ export class MarkdownProcessor extends BaseProcessor {
 				throw new Error(`Images in ${this.name} must come from an HTTPS source: ${src}`);
 			}
 
-			if (/\.svg$/i.test(srcUrl.pathname) && (!isHostTrusted(srcUrl.host) && !isGitHubBadge(srcUrl.href))) {
+			if (/\.svg$/i.test(srcUrl.pathname) && (!isHostTrusted(srcUrl))) {
 				throw new Error(`SVGs are restricted in ${this.name}; please use other file image formats, such as PNG: ${src}`);
 			}
 		});
@@ -717,7 +717,7 @@ export function validateManifest(manifest: Manifest): Manifest {
 			throw new Error(`Badge URLs must come from an HTTPS source: ${badge.url}`);
 		}
 
-		if (/\.svg$/i.test(srcUrl.pathname) && (!isHostTrusted(srcUrl.host) && !isGitHubBadge(srcUrl.href))) {
+		if (/\.svg$/i.test(srcUrl.pathname) && (!isHostTrusted(srcUrl))) {
 			throw new Error(`Badge SVGs are restricted. Please use other file image formats, such as PNG: ${badge.url}`);
 		}
 	});
diff --git a/src/test/package.test.ts b/src/test/package.test.ts
@@ -1642,7 +1642,7 @@ describe('MarkdownProcessor', () => {
 		assert(file);
 	});
 
-	it('should allow SVG from GitHub actions in image tag', async() => {
+	it('should allow SVG from GitHub actions in image tag', async () => {
 		const manifest = { name: 'test', publisher: 'mocha', version: '0.0.1', engines: Object.create(null), repository: 'https://github.com/username/repository' };
 		const contents = `![title](https://github.com/fakeuser/fakerepo/workflows/fakeworkflowname/badge.svg)`;
 		const processor = new ReadmeProcessor(manifest, {});
@@ -1652,7 +1652,7 @@ describe('MarkdownProcessor', () => {
 		assert(file);
 	});
 
-	it('should prevent SVG from a GitHub repo in image tag', async() => {
+	it('should prevent SVG from a GitHub repo in image tag', async () => {
 		const manifest = { name: 'test', publisher: 'mocha', version: '0.0.1', engines: Object.create(null), repository: 'https://github.com/username/repository' };
 		const contents = `![title](https://github.com/eviluser/evilrepo/blob/master/malicious.svg)`;
 		const processor = new ReadmeProcessor(manifest, {});

Original file line number	Diff line number	Diff line change
`@@ -171,16 +171,16 @@ const TrustedSVGSources = [`
`171`	`171`	`'www.versioneye.com'`
`172`	`172`	`];`
`173`	`173`
`174`		`-function isHostTrusted(host: string): boolean {`
`175`		`- return TrustedSVGSources.indexOf(host.toLowerCase()) > -1;`
`176`		`-}`
`177`		`-`
`178`	`174`	`function isGitHubRepository(repository: string): boolean {`
`179`	`175`	`return /^https:\/\/github\.com\/\|^git@github\.com:/.test(repository \|\| '');`
`180`	`176`	`}`
`181`	`177`
`182`	`178`	`function isGitHubBadge(href: string): boolean {`
`183`		`- return isGitHubRepository(href) && /[A-Za-z0-9_-]{1,100}\/workflows\/[^<>:;,?"*\|/]+\/badge\.svg$/.test(href \|\| '');`
	`179`	`+ return /^https:\/\/github\.com\/[^/]+\/[^/]+\/workflows\/.*badge\.svg/.test(href \|\| '');`
	`180`	`+}`
	`181`	`+`
	`182`	`+function isHostTrusted(url: url.UrlWithStringQuery): boolean {`
	`183`	`+ return TrustedSVGSources.indexOf(url.host.toLowerCase()) > -1 \|\| isGitHubBadge(url.href);`
`184`	`184`	`}`
`185`	`185`
`186`	`186`	`class ManifestProcessor extends BaseProcessor {`
`@@ -472,7 +472,7 @@ export class MarkdownProcessor extends BaseProcessor {`
`472`	`472`	throw new Error(`Images in ${this.name} must come from an HTTPS source: ${src}`);
`473`	`473`	`}`
`474`	`474`
`475`		`- if (/\.svg$/i.test(srcUrl.pathname) && (!isHostTrusted(srcUrl.host) && !isGitHubBadge(srcUrl.href))) {`
	`475`	`+ if (/\.svg$/i.test(srcUrl.pathname) && (!isHostTrusted(srcUrl))) {`
`476`	`476`	throw new Error(`SVGs are restricted in ${this.name}; please use other file image formats, such as PNG: ${src}`);
`477`	`477`	`}`
`478`	`478`	`});`
`@@ -717,7 +717,7 @@ export function validateManifest(manifest: Manifest): Manifest {`
`717`	`717`	throw new Error(`Badge URLs must come from an HTTPS source: ${badge.url}`);
`718`	`718`	`}`
`719`	`719`
`720`		`- if (/\.svg$/i.test(srcUrl.pathname) && (!isHostTrusted(srcUrl.host) && !isGitHubBadge(srcUrl.href))) {`
	`720`	`+ if (/\.svg$/i.test(srcUrl.pathname) && (!isHostTrusted(srcUrl))) {`
`721`	`721`	throw new Error(`Badge SVGs are restricted. Please use other file image formats, such as PNG: ${badge.url}`);
`722`	`722`	`}`
`723`	`723`	`});`