Build: Fix an XSS in the test server HTML serving logic

The test server has a rule for `/tests/unit/*/*.html` paths that serves
a proper local file. However, the path segment after `/unit/` previously accepted
many characters that have special meaning, which could allow reading a file
from outside of the Git repository. Fix that by only accepting alphanumeric
characters, `-` or `_`.

This should resolve one CodeQL alert.

Closes gh-2309
Michał Gołębiowski-Owczarek 2024-10-28 16:47:29 +01:00 committed by GitHub
parent af8adca548
commit 85bed8ddd8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -22,7 +22,7 @@ export async function createTestServer( report ) {
} ); } );
// Add a script tag to HTML pages to load the QUnit listeners // Add a script tag to HTML pages to load the QUnit listeners
app.use( /\/tests\/unit\/([^/]+)\/\1\.html$/, async( req, res ) => { app.use( /\/tests\/unit\/([a-zA-Z0-9_-]+)\/\1\.html$/, async( req, res ) => {
const html = await readFile( const html = await readFile(
`tests/unit/${ req.params[ 0 ] }/${ req.params[ 0 ] }.html`, `tests/unit/${ req.params[ 0 ] }/${ req.params[ 0 ] }.html`,
"utf8" "utf8"