From 524e0d07211ed1cbef86884878c3bb3d4eb2ab51 Mon Sep 17 00:00:00 2001
From: Natasha <67543397+NovemberTang@users.noreply.github.com>
Date: Fri, 14 Jun 2024 10:23:58 +0100
Subject: [PATCH] use url parsing instead of string matching (#1068)

* use url parsing instead of string matching
* make sure relevant section of url is at the end of the hostname
* force an exact hostname check
* use both correct hostnames
* Do not attempt to sort the URL if it is invalid
* Use strict equality, rename parameter, log invalid URL
* remove comment as it's made redundant by log line
---
 package-lock.json | 3 ++-
 packages/repocop/src/evaluation/repository.ts | 23 ++++++++++++++-----
 2 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 87e5e90d1..e02300017 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -21583,8 +21583,9 @@
 },
 "node_modules/url-parse": {
 "version": "1.5.10",
+ "resolved": "https://registry.npmjs.org/url-parse/-/url-parse-1.5.10.tgz",
+ "integrity": "sha512-WypcfiRhfeUP9vvF0j6rw0J3hrWrw6iZv3+22h6iRMJ/8z1Tj6XfLP4DsUix5MhMPnXpiHDoKyoZ/bdCkwBCiQ==",
 "dev": true,
- "license": "MIT",
 "dependencies": {
 "querystringify": "^2.1.1",
 "requires-port": "^1.0.0"
diff --git a/packages/repocop/src/evaluation/repository.ts b/packages/repocop/src/evaluation/repository.ts
index b4e67c59f..9eda0adc8 100644
--- a/packages/repocop/src/evaluation/repository.ts
+++ b/packages/repocop/src/evaluation/repository.ts
@@ -1,3 +1,4 @@
+import { URL } from 'url';
 import type {
 github_languages,
 github_repository_branches,
@@ -400,13 +401,23 @@ export function evaluateOneRepo(
 }
 
 //create a predicate that orders a list of urls by whether they contain snyk.io first, and then github.com second
-const urlSortPredicate = (url: string) => {
- if (url.includes('snyk.io')) {
- return -2;
- } else if (url.includes('github.com') && url.includes('advisories')) {
- return -1;
+const urlSortPredicate = (maybeUrl: string) => {
+ try {
+ const url = new URL(maybeUrl);
+
+ if (url.hostname === 'snyk.io' || url.hostname === 'security.snyk.io') {
+ return -2;
+ } else if (
+ url.hostname === 'github.com' &&
+ url.pathname.includes('advisories')
+ ) {
+ return -1;
+ }
+ return 0;
+ } catch {
+ console.debug(`Invalid url: ${maybeUrl}`);
+ return 0;
 }
- return 0;
 };
 
 export function dependabotAlertToRepocopVulnerability(
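Review bot: The try block wraps the ranking as well as the parse, so any exception raised after `new URL(maybeUrl)` would be logged as `Invalid url` and silently ranked 0; narrowing the try to the constructor alone keeps the debug message truthful and removes the duplicated `return 0`. Exact hostname matching closes the old substring hole (any string that merely contained `snyk.io` sorted first), but `url.pathname.includes('advisories')` is still a substring test — if only `github.com/advisories/...` database entries are meant, `url.pathname.startsWith('/advisories/')` pins it the same way; if repository-scoped `/security/advisories/` links are also expected, a comment saying so would help. The `//create a predicate ...` comment above the function is a context line but now reads stale: the function is a sort key returning -2/-1/0, not a predicate, and it no longer checks containment. Separately, `URL` is a global in current Node, so the `import { URL } from 'url';` added in the first hunk is redundant (if kept, `node:url` is the conventional specifier).
```typescript
const urlSortPredicate = (maybeUrl: string) => {
  let url: URL;
  try {
    url = new URL(maybeUrl);
  } catch {
    console.debug(`Invalid url: ${maybeUrl}`);
    return 0;
  }
  if (url.hostname === 'snyk.io' || url.hostname === 'security.snyk.io') {
    return -2;
  }
  if (url.hostname === 'github.com' && url.pathname.includes('advisories')) {
    return -1;
  }
  return 0;
};
```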