add feature #389

ItsMajestiX · ItsMajestiX · commit e80056d64e30 · 2019-10-17T18:27:55.000-05:00
diff --git a/src/package.ts b/src/package.ts
@@ -183,6 +183,10 @@ function isGitHubRepository(repository: string): boolean {
 	return /^https:\/\/github\.com\/|^git@github\.com:/.test(repository || '');
 }
 
+function isGitHubBadge(href: string): boolean {
+	return isGitHubRepository(href) && /[A-Za-z0-9_-]{1,100}\/workflows\/[^<>:;,?"*|/]+\/badge\.svg$/.test(href || '');
+}
+
 class ManifestProcessor extends BaseProcessor {
 
 	constructor(manifest: Manifest) {
@@ -449,7 +453,7 @@ export class MarkdownProcessor extends BaseProcessor {
 				throw new Error(`Images in ${this.name} must come from an HTTPS source: ${src}`);
 			}
 
-			if (/\.svg$/i.test(srcUrl.pathname) && !isHostTrusted(srcUrl.host)) {
+			if (/\.svg$/i.test(srcUrl.pathname) && (!isHostTrusted(srcUrl.host) && !isGitHubBadge(srcUrl.href))) {
 				throw new Error(`SVGs are restricted in ${this.name}; please use other file image formats, such as PNG: ${src}`);
 			}
 		});
@@ -694,7 +698,7 @@ export function validateManifest(manifest: Manifest): Manifest {
 			throw new Error(`Badge URLs must come from an HTTPS source: ${badge.url}`);
 		}
 
-		if (/\.svg$/i.test(srcUrl.pathname) && !isHostTrusted(srcUrl.host)) {
+		if (/\.svg$/i.test(srcUrl.pathname) && (!isHostTrusted(srcUrl.host) && !isGitHubBadge(srcUrl.href))) {
 			throw new Error(`Badge SVGs are restricted. Please use other file image formats, such as PNG: ${badge.url}`);
 		}
 	});
diff --git a/src/test/package.test.ts b/src/test/package.test.ts
@@ -1615,6 +1615,16 @@ describe('MarkdownProcessor', () => {
 		assert(file);
 	});
 
+	it('should allow SVG from GitHub actions in image tag', async() => {
+		const manifest = { name: 'test', publisher: 'mocha', version: '0.0.1', engines: Object.create(null), repository: 'https://github.com/username/repository' };
+		const contents = `![title](https://github.com/fakeuser/fakerepo/workflows/fakeworkflowname/badge.svg)`;
+		const processor = new ReadmeProcessor(manifest, {});
+		const readme = { path: 'extension/readme.md', contents };
+
+		const file = await processor.onFile(readme);
+		assert(file);
+	});
+
 	it('should prevent SVGs from not trusted sources in img tags', async () => {
 		const manifest = { name: 'test', publisher: 'mocha', version: '0.0.1', engines: Object.create(null), repository: 'https://github.com/username/repository' };
 		const contents = `<img src="https://foo/hello.svg" />`;

Original file line number	Diff line number	Diff line change
`@@ -183,6 +183,10 @@ function isGitHubRepository(repository: string): boolean {`
`183`	`183`	`return /^https:\/\/github\.com\/\|^git@github\.com:/.test(repository \|\| '');`
`184`	`184`	`}`
`185`	`185`
	`186`	`+function isGitHubBadge(href: string): boolean {`
	`187`	`+ return isGitHubRepository(href) && /[A-Za-z0-9_-]{1,100}\/workflows\/[^<>:;,?"*\|/]+\/badge\.svg$/.test(href \|\| '');`
	`188`	`+}`
	`189`	`+`
`186`	`190`	`class ManifestProcessor extends BaseProcessor {`
`187`	`191`
`188`	`192`	`constructor(manifest: Manifest) {`
`@@ -449,7 +453,7 @@ export class MarkdownProcessor extends BaseProcessor {`
`449`	`453`	throw new Error(`Images in ${this.name} must come from an HTTPS source: ${src}`);
`450`	`454`	`}`
`451`	`455`
`452`		`- if (/\.svg$/i.test(srcUrl.pathname) && !isHostTrusted(srcUrl.host)) {`
	`456`	`+ if (/\.svg$/i.test(srcUrl.pathname) && (!isHostTrusted(srcUrl.host) && !isGitHubBadge(srcUrl.href))) {`
`453`	`457`	throw new Error(`SVGs are restricted in ${this.name}; please use other file image formats, such as PNG: ${src}`);
`454`	`458`	`}`
`455`	`459`	`});`
`@@ -694,7 +698,7 @@ export function validateManifest(manifest: Manifest): Manifest {`
`694`	`698`	throw new Error(`Badge URLs must come from an HTTPS source: ${badge.url}`);
`695`	`699`	`}`
`696`	`700`
`697`		`- if (/\.svg$/i.test(srcUrl.pathname) && !isHostTrusted(srcUrl.host)) {`
	`701`	`+ if (/\.svg$/i.test(srcUrl.pathname) && (!isHostTrusted(srcUrl.host) && !isGitHubBadge(srcUrl.href))) {`
`698`	`702`	throw new Error(`Badge SVGs are restricted. Please use other file image formats, such as PNG: ${badge.url}`);
`699`	`703`	`}`
`700`	`704`	`});`