
Conversation

@mixtapejaxson
Owner

Potential fix for https://github.com/mixtapejaxson/ChatTweak/security/code-scanning/4

To fix the problem, the URL must be parsed and the relevant components—typically origin, host, or path—checked explicitly.

  • For the Spotlight blocker, instead of checking if urlString.includes(SPOTLIGHT_URL), parse the URL and compare its origin and pathname to the intended Spotlight endpoint.
  • Only block the request if both the origin matches https://web.snapchat.com and the path starts with /context/spotlight (or equals, depending on desired strictness).
  • The best way is to use the standard URL Web API to parse urlString. This is available in all modern browsers and in Node, so it does not require any extra packages.
  • Apply the same approach for the fetch override in case the same check is done elsewhere.
  • Imports are not needed since URL is global, but wrap parsing in a try/catch to ensure malformed URLs don’t cause crashes.

Only lines within src/script/modules/telemetry-blocker/index.ts need changes, specifically the conditional on line 106. Show several lines of context on each side, and add new code only as required by the fix.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

… sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
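The check described above, written out as an added example (this is not ChatTweak's own code): the substring match beside the parsed-URL comparison. The constant values and the optional `base` parameter (so a relative request URL can be resolved against the page origin) are assumptions.

```typescript
// Constructed constants for the example; the real module's values may differ.
const SPOTLIGHT_ORIGIN = "https://web.snapchat.com";
const SPOTLIGHT_PATH = "/context/spotlight";

// Weak check: a substring match anywhere in the raw string. Any URL that
// merely embeds the target (e.g. in a query parameter) also matches.
function isSpotlightRequestNaive(urlString: string): boolean {
  return urlString.includes(`${SPOTLIGHT_ORIGIN}${SPOTLIGHT_PATH}`);
}

// Path match on a segment boundary: "/context/spotlight" and
// "/context/spotlight/anything", but not "/context/spotlightfoo".
function isSpotlightPath(pathname: string): boolean {
  return pathname === SPOTLIGHT_PATH || pathname.startsWith(`${SPOTLIGHT_PATH}/`);
}

// Hardened check: parse with the standard URL API, then compare origin and
// pathname explicitly. Parsing also normalises "." and ".." segments.
// A malformed URL is treated as "not Spotlight" instead of throwing.
function isSpotlightRequest(urlString: string, base?: string): boolean {
  try {
    const parsed = new URL(urlString, base);
    return parsed.origin === SPOTLIGHT_ORIGIN && isSpotlightPath(parsed.pathname);
  } catch {
    return false;
  }
}

// Constructed sample inputs showing where the two checks disagree.
const SAMPLE_URLS: string[] = [
  "https://web.snapchat.com/context/spotlight?page=1",
  "https://evil.example/r?next=https://web.snapchat.com/context/spotlight",
  "https://web.snapchat.com/context/../context/spotlight",
  "https://web.snapchat.com/context/spotlightfeed",
  "not a url",
];

function compareChecks(urls: string[]): Array<[string, boolean, boolean]> {
  return urls.map((u) => [u, isSpotlightRequestNaive(u), isSpotlightRequest(u)]);
}
```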
@github-actions

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@mixtapejaxson
Owner Author

@appelmoesgg Can you review this for me?

Jaxson

@appelmoesgg
Collaborator

Hello,

Can you check what i sent on telegram?

Thx

@mixtapejaxson
Owner Author

@appelmoesgg hey! Recently I have lost my phone so I do not have access to telegram for the time being. Please email me for the time being at [email protected]

Thank you!

@appelmoesgg
Collaborator

ok I'll just copy-paste it:

So the thing with the url parsing is like, is it really necessary? Cuz copilot mentions CSRF and malicious hosts, but the script already only loads on web.snapchat.com and I don't think snapchat will send requests with that in an extra part...

Hope you find your phone soon :)
