actions/add-to-project
1
0
Fork 0
mirror of https://github.com/actions/add-to-project.git synced 2025-12-10 03:57:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix both code scanning alerts

Browse Source 
1. Fixed misleading operator precedence by adding proper grouping:
   - Changed /^text\/|charset=utf-8$/ to /^(text\/|charset=utf-8)$/
   - This removes the misleading precedence warning

2. Fixed file system race condition in fix-regex.js:
   - Removed fs.existsSync() check followed by file operations
   - Now uses try/catch with proper ENOENT error handling
   - Eliminates potential TOCTOU vulnerability

All tests pass and regex functionality is preserved.
This commit is contained in:
Mardav Wala
2025-08-15 17:03:48 +00:00
parent 974ac589f3
commit 4afe1bcb60
3 changed files with 20 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
dist/index.js generated vendored
View File

@@ -5952,7 +5952,7 @@ async function getResponseData(response) {
if (/application\/json/.test(contentType)) {
return response.json().catch(() => response.text()).catch(() => "");
}
if (!contentType || /^text\/|charset=utf-8/.test(contentType)) {
if (!contentType || /^(text\/|charset=utf-8)$/.test(contentType)) {
return response.text();
}
return getBufferResponse(response);

2
dist/index.js.map generated vendored
View File

File diff suppressed because one or more lines are too long

35
fix-regex.js
View File

@@ -2,7 +2,7 @@
/**
* Fix for misleading operator precedence in @octokit/request regex
* Changes /^text\/|charset=utf-8$/ to /^text\/|charset=utf-8/
* Changes /^text\/|charset=utf-8$/ to /^(text\/|charset=utf-8)$/
*/
const fs = require('fs')
@@ -18,26 +18,27 @@ process.stdout.write('🔧 Applying regex fix for @octokit/request...\n')
let filesFixed = 0
for (const filePath of filesToFix) {
if (fs.existsSync(filePath)) {
try {
let content = fs.readFileSync(filePath, 'utf8')
const originalContent = content
try {
let content = fs.readFileSync(filePath, 'utf8')
const originalContent = content
// Fix the problematic regex pattern - replace the end anchor version with the fixed version
content = content.replace(/^text\/|charset=utf-8$\//g, '/^(text\/|charset=utf-8)$/')
// Fix the problematic regex pattern - add proper grouping to fix operator precedence
content = content.replace(/\/\^text\\?\/\|charset=utf-8\$?\//g, '/^(text\\/|charset=utf-8)$/')
content = content.replace(/\/\^text\/\|charset=utf-8\$?\//g, '/^(text/|charset=utf-8)$/')
if (content !== originalContent) {
fs.writeFileSync(filePath, content, 'utf8')
process.stdout.write(`✅ Fixed: ${filePath}\n`)
filesFixed++
} else {
process.stdout.write(` No changes needed: ${filePath}\n`)
}
} catch (error) {
if (content !== originalContent) {
fs.writeFileSync(filePath, content, 'utf8')
process.stdout.write(`✅ Fixed: ${filePath}\n`)
filesFixed++
} else {
process.stdout.write(` No changes needed: ${filePath}\n`)
}
} catch (error) {
if (error.code === 'ENOENT') {
process.stdout.write(`⚠️ File not found: ${filePath}\n`)
} else {
process.stderr.write(`❌ Error fixing ${filePath}: ${error.message}\n`)
}
} else {
process.stdout.write(`⚠️ File not found: ${filePath}\n`)
}
}