fix code scanning alerts (github#669)

* fix alerts * fix alerts * fix alerts * fix alerts * add tests and simplify Glob * fix import to lowercase file * removed debugging code
helse-sorost · Aug 30, 2024 · c9247f5 · c9247f5
1 parent fc5b693
commit c9247f5
Show file tree

Hide file tree

Showing 4 changed files with 101 additions and 6 deletions.
diff --git a/lib/glob.js b/lib/glob.js
@@ -1,8 +1,24 @@
 class Glob {
   constructor (glob) {
     this.glob = glob
-    const regexptex = glob.replace(/\//g, '\\/').replace(/\?/g, '([^\\/])').replace(/\./g, '\\.').replace(/\*/g, '([^\\/]*)')
-    this.regexp = new RegExp(`^${regexptex}$`, 'u')
+
+    // If not a glob pattern then just match the string.
+    if (!this.glob.includes('*')) {
+      this.regexp = new RegExp(`.*${this.glob}.*`, 'u')
+      return
+    }
+    this.regexptText = this.globize(this.glob)
+    this.regexp = new RegExp(`^${this.regexptText}$`, 'u')
+  }
+
+  globize (glob) {
+    return glob
+      .replace(/\\/g, '\\\\') // escape backslashes
+      .replace(/\//g, '\\/') // escape forward slashes
+      .replace(/\./g, '\\.') // escape periods
+      .replace(/\?/g, '([^\\/])') // match any single character except /
+      .replace(/\*\*/g, '.+') // match any character except /, including /
+      .replace(/\*/g, '([^\\/]*)') // match any character except /
   }
 
   toString () {

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -27,15 +27,16 @@
     "deepmerge": "^4.3.1",
     "eta": "^3.0.3",
     "js-yaml": "^4.1.0",
+    "lodash": "^4.17.21",
     "node-cron": "^3.0.2",
     "octokit": "^3.1.2",
     "probot": "^12.3.3"
   },
   "devDependencies": {
+    "@eslint/eslintrc": "^2.0.2",
     "@travi/any": "^2.1.8",
     "check-engine": "^1.10.1",
     "eslint": "^8.46.0",
-    "@eslint/eslintrc": "^2.0.2",
     "eslint-config-standard": "^17.1.0",
     "eslint-plugin-import": "^2.29.1",
     "eslint-plugin-node": "^11.1.0",
@@ -83,4 +84,4 @@
       "."
     ]
   }
-}
+}
diff --git a/test/unit/lib/glob.test.ts b/test/unit/lib/glob.test.ts
@@ -0,0 +1,78 @@
+const Glob = require('../../../lib/glob')
+
+describe('glob test', function () {
+
+  test('Test Glob **', () => {
+    let pattern = new Glob('**/xss')
+    let str = 'test/web/xss'
+    expect(str.search(pattern)>=0).toBeTruthy()
+    str = 'test/web/xsssss'
+    expect(str.search(pattern)>=0).toBeFalsy()
+
+    pattern = new Glob('**/*.txt')
+    str = 'sub/3.txt'
+    expect(str.search(pattern)>=0).toBeTruthy()
+    str = '/sub1/sub2/sub3/3.txt'
+    expect(str.search(pattern)>=0).toBeTruthy()
+
+    pattern = new Glob('**/csrf-protection-disabled')
+    str = 'java/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeTruthy()
+    str = '/java/test/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeTruthy()
+  })
+
+  test('Test Glob *', () => {
+    let str = 'web/xss'
+    let pattern = new Glob('*/xss')
+    expect(str.search(pattern)>=0).toBeTruthy()
+
+    pattern = new Glob('./[0-9].*')
+    str = './1.gif'
+    expect(str.search(pattern)>=0).toBeTruthy()
+    str = './2.gif'
+    expect(str.search(pattern)>=0).toBeTruthy()
+    str = './2.'
+    expect(str.search(pattern)>=0).toBeTruthy()
+
+    pattern = new Glob('*/csrf-protection-disabled')
+    str = 'java/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeTruthy()
+    str = 'rb/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeTruthy()
+
+    pattern = new Glob('*/hardcoded-credential*')
+    str = 'java/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeFalsy()
+    str = 'rb/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeFalsy()
+    str = 'cs/hardcoded-credentials'
+    expect(str.search(pattern)>=0).toBeTruthy()
+    str = 'java/hardcoded-credential-api-call'
+    expect(str.search(pattern)>=0).toBeTruthy()
+
+  })
+
+  test('Test Glob no *', () => {
+    let pattern = new Glob('csrf-protection-disabled')
+    let str = 'java/hardcoded-credential-api-call'
+    expect(str.search(pattern)>=0).toBeFalsy()
+    str = 'cs/test/hardcoded-credentials'
+    expect(str.search(pattern)>=0).toBeFalsy()
+    str = 'rb/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeTruthy()
+    str = 'java/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeTruthy()
+
+    pattern = new Glob('csrf')
+    str = 'java/hardcoded-credential-api-call'
+    expect(str.search(pattern)>=0).toBeFalsy()
+    str = 'cs/test/hardcoded-credentials'
+    expect(str.search(pattern)>=0).toBeFalsy()
+    str = 'rb/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeTruthy()
+    str = 'java/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeTruthy()
+  })
+
+})