From c9247f5f864222263ee8864c5f18062e156fe067 Mon Sep 17 00:00:00 2001
From: Yadhav Jayaraman <57544838+decyjphr@users.noreply.github.com>
Date: Fri, 30 Aug 2024 17:48:04 -0400
Subject: [PATCH] fix code scanning alerts (#669)

* fix alerts
* fix alerts
* fix alerts
* fix alerts
* add tests and simplify Glob
* fix import to lowercase file
* removed debugging code
---
 lib/glob.js | 20 +++++++++-
 package-lock.json | 4 +-
 package.json | 5 ++-
 test/unit/lib/glob.test.ts | 78 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 101 insertions(+), 6 deletions(-)
 create mode 100644 test/unit/lib/glob.test.ts

diff --git a/lib/glob.js b/lib/glob.js
index beeb1ada..78a0eaaf 100644
--- a/lib/glob.js
+++ b/lib/glob.js
@@ -1,8 +1,24 @@
 class Glob {
   constructor (glob) {
     this.glob = glob
-    const regexptex = glob.replace(/\//g, '\\/').replace(/\?/g, '([^\\/])').replace(/\./g, '\\.').replace(/\*/g, '([^\\/]*)')
-    this.regexp = new RegExp(`^${regexptex}$`, 'u')
+
+    // If not a glob pattern then just match the string.
+    if (!this.glob.includes('*')) {
+      this.regexp = new RegExp(`.*${this.glob}.*`, 'u')
+      return
+    }
+    this.regexptText = this.globize(this.glob)
+    this.regexp = new RegExp(`^${this.regexptText}$`, 'u')
+  }
+
+  globize (glob) {
+    return glob
+      .replace(/\\/g, '\\\\') // escape backslashes
+      .replace(/\//g, '\\/') // escape forward slashes
+      .replace(/\./g, '\\.') // escape periods
+      .replace(/\?/g, '([^\\/])') // match any single character except /
+      .replace(/\*\*/g, '.+') // match any character except /, including /
+      .replace(/\*/g, '([^\\/]*)') // match any character except /
   }
 
   toString () {
diff --git a/package-lock.json b/package-lock.json
index dc617ec2..9baba6f5 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -13,6 +13,7 @@
         "deepmerge": "^4.3.1",
         "eta": "^3.0.3",
         "js-yaml": "^4.1.0",
+        "lodash": "^4.17.21",
         "node-cron": "^3.0.2",
         "octokit": "^3.1.2",
         "probot": "^12.3.3"
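Review bot: The non-glob branch builds `new RegExp` from `.*${this.glob}.*` with the pattern interpolated unescaped, so a literal such as `foo.txt` also matches `fooXtxt`, a `?` becomes a regex quantifier instead of the single-character wildcard the removed code gave it, and a pattern containing `(`, `[` or `{` makes the RegExp constructor throw a SyntaxError — a real concern if these patterns come from repository configuration rather than from code. Escape the literal before interpolating it, e.g. `const literal = this.glob.replace(/[.*+?^${}()|[\]\\/]/g, '\\$&')` and pass `literal` instead of `this.glob` to the RegExp. Separately, in globize `**` becomes `.+`, which needs at least one character, so `**/xss` does not match `xss` or `/xss`; replacing `**/` with `(?:.*\/)?` is the usual zero-or-more-directories form. The comment `// match any character except /, including /` contradicts itself and should read `// match any sequence of characters, including /`. toString's body lies outside the hunk.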
@@ -8136,8 +8137,7 @@
     "node_modules/lodash": {
       "version": "4.17.21",
       "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
-      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
-      "dev": true
+      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
     },
     "node_modules/lodash.defaults": {
       "version": "4.2.0",
diff --git a/package.json b/package.json
index 7353a635..dbad5350 100644
--- a/package.json
+++ b/package.json
@@ -27,15 +27,16 @@
     "deepmerge": "^4.3.1",
     "eta": "^3.0.3",
     "js-yaml": "^4.1.0",
+    "lodash": "^4.17.21",
     "node-cron": "^3.0.2",
     "octokit": "^3.1.2",
     "probot": "^12.3.3"
   },
   "devDependencies": {
+    "@eslint/eslintrc": "^2.0.2",
     "@travi/any": "^2.1.8",
     "check-engine": "^1.10.1",
     "eslint": "^8.46.0",
-    "@eslint/eslintrc": "^2.0.2",
     "eslint-config-standard": "^17.1.0",
     "eslint-plugin-import": "^2.29.1",
     "eslint-plugin-node": "^11.1.0",
@@ -83,4 +84,4 @@
     "."
   ]
 }
-}
\ No newline at end of file
+}
diff --git a/test/unit/lib/glob.test.ts b/test/unit/lib/glob.test.ts
new file mode 100644
index 00000000..27b6d29b
--- /dev/null
+++ b/test/unit/lib/glob.test.ts
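Review bot: `lodash` is promoted to a runtime entry in `dependencies` (and loses `"dev": true` in the lockfile), but no file in this diff imports it, so the reason for adding a new production dependency is not visible from the change. If code under lib/ already requires it, that usage is what justifies the promotion and is worth pointing at; otherwise the entry belongs in devDependencies or out of this alert-fixing commit. The `@eslint/eslintrc` move into sorted position and the added trailing newline are fine.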
@@ -0,0 +1,78 @@
+const Glob = require('../../../lib/glob')
+
+describe('glob test', function () {
+
+  test('Test Glob **', () => {
+    let pattern = new Glob('**/xss')
+    let str = 'test/web/xss'
+    expect(str.search(pattern)>=0).toBeTruthy()
+    str = 'test/web/xsssss'
+    expect(str.search(pattern)>=0).toBeFalsy()
+
+    pattern = new Glob('**/*.txt')
+    str = 'sub/3.txt'
+    expect(str.search(pattern)>=0).toBeTruthy()
+    str = '/sub1/sub2/sub3/3.txt'
+    expect(str.search(pattern)>=0).toBeTruthy()
+
+    pattern = new Glob('**/csrf-protection-disabled')
+    str = 'java/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeTruthy()
+    str = '/java/test/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeTruthy()
+  })
+
+  test('Test Glob *', () => {
+    let str = 'web/xss'
+    let pattern = new Glob('*/xss')
+    expect(str.search(pattern)>=0).toBeTruthy()
+
+    pattern = new Glob('./[0-9].*')
+    str = './1.gif'
+    expect(str.search(pattern)>=0).toBeTruthy()
+    str = './2.gif'
+    expect(str.search(pattern)>=0).toBeTruthy()
+    str = './2.'
+    expect(str.search(pattern)>=0).toBeTruthy()
+
+    pattern = new Glob('*/csrf-protection-disabled')
+    str = 'java/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeTruthy()
+    str = 'rb/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeTruthy()
+
+    pattern = new Glob('*/hardcoded-credential*')
+    str = 'java/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeFalsy()
+    str = 'rb/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeFalsy()
+    str = 'cs/hardcoded-credentials'
+    expect(str.search(pattern)>=0).toBeTruthy()
+    str = 'java/hardcoded-credential-api-call'
+    expect(str.search(pattern)>=0).toBeTruthy()
+
+  })
+
+  test('Test Glob no *', () => {
+    let pattern = new Glob('csrf-protection-disabled')
+    let str = 'java/hardcoded-credential-api-call'
+    expect(str.search(pattern)>=0).toBeFalsy()
+    str = 'cs/test/hardcoded-credentials'
+    expect(str.search(pattern)>=0).toBeFalsy()
+    str = 'rb/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeTruthy()
+    str = 'java/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeTruthy()
+
+    pattern = new Glob('csrf')
+    str = 'java/hardcoded-credential-api-call'
+    expect(str.search(pattern)>=0).toBeFalsy()
+    str = 'cs/test/hardcoded-credentials'
+    expect(str.search(pattern)>=0).toBeFalsy()
+    str = 'rb/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeTruthy()
+    str = 'java/csrf-protection-disabled'
+    expect(str.search(pattern)>=0).toBeTruthy()
+  })
+
+})
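Review bot: None of the new cases give the non-glob branch a pattern containing a regex metacharacter, so the unescaped interpolation in the Glob constructor is never exercised; add `expect('fooxtxt'.search(new Glob('foo.txt')) >= 0).toBeFalsy()` next to `expect('foo.txt'.search(new Glob('foo.txt')) >= 0).toBeTruthy()`, and a case with `(` or `[` in a non-glob pattern to pin whether it is escaped or rejected. The `./[0-9].*` case only passes because `[0-9]` survives globize untouched and happens to be valid regex syntax, which deserves a comment since bracket expressions are not otherwise handled, and there is no negative case for `**/` against a path with zero directories, which would document the intended `**` semantics. Every assertion goes through `str.search(pattern)` and so depends on how a Glob is coerced by `String.prototype.search` (a `Symbol.search` or `toString` defined outside this diff); asserting on `pattern.regexp.test(str)` would make the tests independent of that coercion. The file is TypeScript yet uses `require` and `let` for never-reassigned bindings in the third test; `import` and `const` would match the language.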