From 3ca3af48ee6e62df78a20ff4db442bf928b3590e Mon Sep 17 00:00:00 2001 From: Aditya Thebe Date: Fri, 3 Jul 2026 22:51:47 +0545 Subject: [PATCH] fix: resolve CodeQL security alerts CodeQL reported open alerts for workflow token permissions, unsafe GitHub URL detection, and a jq Prism regex with ReDoS risk. Restrict workflow GITHUB_TOKEN permissions to read-only, validate GitHub links by exact URL hostname, and simplify the jq string matcher to avoid exponential backtracking. --- .github/workflows/lint.yml | 3 +++ .github/workflows/style.yml | 3 +++ .../src/components/flanksource/Navigation.jsx | 17 +++++++++++++---- common/src/theme/prism-jq.js | 3 ++- 4 files changed, 21 insertions(+), 5 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 0fbb0d8a..de3a4017 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -2,6 +2,9 @@ name: Lint on: pull_request: +permissions: + contents: read + jobs: file-ref-check: name: file-ref-check diff --git a/.github/workflows/style.yml b/.github/workflows/style.yml index d89b19d2..e4f86a68 100644 --- a/.github/workflows/style.yml +++ b/.github/workflows/style.yml @@ -2,6 +2,9 @@ name: Vale on: pull_request: +permissions: + contents: read + jobs: vale: name: runner / vale diff --git a/common/src/components/flanksource/Navigation.jsx b/common/src/components/flanksource/Navigation.jsx index f1c58f47..4edce1ea 100644 --- a/common/src/components/flanksource/Navigation.jsx +++ b/common/src/components/flanksource/Navigation.jsx @@ -3,6 +3,15 @@ import React, { useState, useRef } from 'react'; import { FaChevronDown, FaChevronUp, FaBars, FaTimes, FaBullseye, FaSearch, FaDatabase, FaExclamationTriangle, FaRocket, FaTools, FaLifeRing, FaSync, FaLightbulb, FaEye, FaRobot } from 'react-icons/fa'; import { SiPostgresql } from 'react-icons/si'; +const isGitHubUrl = (href) => { + try { + const url = new URL(href); + return url.protocol === 'https:' && url.hostname === 'github.com'; + } catch { + return false; + } +}; + const Navigation = ({ logo = , loginButton = { href: "https://app.flanksource.com/", text: "Login" }, @@ -241,8 +250,8 @@ const Navigation = ({ key={index} href={product.href} className="flex items-start p-1 rounded-lg hover:bg-gray-50 transition-colors" - target={product.href.includes('github.com') ? '_blank' : '_self'} - rel={product.href.includes('github.com') ? 'noopener noreferrer' : ''} + target={isGitHubUrl(product.href) ? '_blank' : '_self'} + rel={isGitHubUrl(product.href) ? 'noopener noreferrer' : ''} >
{product.icon}
@@ -451,8 +460,8 @@ const Navigation = ({ key={index} href={product.href} className="flex items-start p-3 rounded-lg hover:bg-gray-50 transition-colors" - target={product.href.includes('github.com') ? '_blank' : '_self'} - rel={product.href.includes('github.com') ? 'noopener noreferrer' : ''} + target={isGitHubUrl(product.href) ? '_blank' : '_self'} + rel={isGitHubUrl(product.href) ? 'noopener noreferrer' : ''} >
{product.icon}
diff --git a/common/src/theme/prism-jq.js b/common/src/theme/prism-jq.js index 3cc030e7..e1753f70 100644 --- a/common/src/theme/prism-jq.js +++ b/common/src/theme/prism-jq.js @@ -1,7 +1,8 @@ (function (Prism) { var interpolation = /\\\((?:[^()]|\([^()]*\))*\)/.source; - var string = RegExp(/(^|[^\\])"(?:[^"\r\n\\]|\\[^\r\n(]|__)*"/.source.replace(/__/g, function () { return interpolation; })); + // Keep the string matcher linear-time; interpolation highlighting is handled below. + var string = /(^|[^\\])"(?:[^"\r\n\\]|\\[^\r\n])*"/; var stringInterpolation = { 'interpolation': { pattern: RegExp(/((?:^|[^\\])(?:\\{2})*)/.source + interpolation),