From f70fabb8631727b45812cc2bb0f8ff2828313333 Mon Sep 17 00:00:00 2001
From: Henning Dieterichs
Date: Thu, 6 Jul 2023 23:20:35 +0200
Subject: [PATCH] Adresses https://github.com/microsoft/vscode-internalbacklog/issues/4449

---
 build/importTypescript.ts | 5 +++++
 src/language/typescript/lib/typescriptServices.js | 2 +-
 test/manual/dev-setup.js | 4 ++--
 website/src/monaco-loader.ts | 2 +-
 website/src/runner/index.ts | 4 ++--
 website/static/monarch/monarch.js | 2 +-
 6 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/build/importTypescript.ts b/build/importTypescript.ts
index c2e67267..14035727 100644
--- a/build/importTypescript.ts
+++ b/build/importTypescript.ts
@@ -37,6 +37,11 @@ export const typescriptVersion = "${typeScriptDependencyVersion}";\n`
 
 let tsServices = fs.readFileSync(path.join(TYPESCRIPT_LIB_SOURCE, 'typescript.js')).toString();
 
+ tsServices = tsServices.replace(
+ 'const path = matchedStar ? subst.replace("*", matchedStar) : subst;',
+ 'const path = matchedStar ? subst.replace("*", matchedStar) : subst; // CodeQL [SM02383] This is a false positive, the code is from the TypeScript compiler'
+ );
+
 // The output from this build will only be accessible via ESM; rather than removing
 // references to require/module, define them as dummy variables that bundlers will ignore.
 // The TS code can figure out that it's not running under Node even with these defined.
diff --git a/src/language/typescript/lib/typescriptServices.js b/src/language/typescript/lib/typescriptServices.js
index c878528b..e8d06368 100644
--- a/src/language/typescript/lib/typescriptServices.js
+++ b/src/language/typescript/lib/typescriptServices.js
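Review bot: The `tsServices.replace(...)` added in this hunk fails silently when its needle is absent, so a TypeScript upgrade that reformats that line in typescript.js would drop the suppression without any build error and the CodeQL finding would reappear unannounced in the regenerated bundle. Make the anchor explicit and fail the import when it is missing: `const needle = 'const path = matchedStar ? subst.replace("*", matchedStar) : subst;';` then `if (!tsServices.includes(needle)) { throw new Error('importTypescript: CodeQL suppression anchor not found in typescript.js'); }` before the `replace` call. A one-line comment stating that the suppression is injected here because typescriptServices.js is generated output (the next hunk shows the same comment landing there) would also help the next maintainer. The enclosing function starts and ends outside the hunk.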
@@ -40937,7 +40937,7 @@ ${lanes.join("\n")}
 trace(state.host, Diagnostics.Module_name_0_matched_pattern_1, moduleName, matchedPatternText);
 }
 const resolved = forEach(paths[matchedPatternText], (subst) => {
- const path = matchedStar ? subst.replace("*", matchedStar) : subst;
+ const path = matchedStar ? subst.replace("*", matchedStar) : subst; // CodeQL [SM02383] This is a false positive, the code is from the TypeScript compiler
 const candidate = normalizePath(combinePaths(baseDirectory, path));
 if (state.traceEnabled) {
 trace(state.host, Diagnostics.Trying_substitution_0_candidate_module_location_Colon_1, subst, path);
diff --git a/test/manual/dev-setup.js b/test/manual/dev-setup.js
index 9cfe13db..a2c8cc46 100644
--- a/test/manual/dev-setup.js
+++ b/test/manual/dev-setup.js
@@ -39,7 +39,7 @@
 '';
+ ''; // CodeQL [SM03712] This code is not deployed and serves as local test code. No risk of malicious input.
 document.body.appendChild(div);
@@ -47,7 +47,7 @@
 for (let i = 0; i < aElements.length; i++) {
 let aElement = aElements[i];
 if (aElement.className === 'loading-opts') {
- aElement.href += window.location.search;
+ aElement.href += window.location.search; // CodeQL [SM01507] This code is not deployed and serves as local test code. No risk of malicious input.
 }
 }
 })();
diff --git a/website/src/monaco-loader.ts b/website/src/monaco-loader.ts
index 2c771a0c..898b08d7 100644
--- a/website/src/monaco-loader.ts
+++ b/website/src/monaco-loader.ts
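Review bot: The rationale on the two dev-setup.js suppressions (the `'';` innerHTML line in the first hunk and `aElement.href += window.location.search` in the second) says "No risk of malicious input", but `window.location.search` is exactly the caller-controlled value these rules are about; what actually bounds the risk is that this page is a local manual-test harness, and the comment should say so rather than deny that the input is untrusted. Suggested wording for both: `// CodeQL [SM01507] test/manual only, never deployed; forwarding the query string to the test pages is intentional.` (same form for the SM03712 line). The first hunk appears truncated in this view, so its removed line and surrounding context could not be checked.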
@@ -84,7 +84,7 @@ function loadScript(path: string): Promise {
 script.onload = () => res();
 script.async = true;
 script.type = "text/javascript";
- script.src = path;
+ script.src = path; // CodeQL [SM01507] This is safe because the runner (that allows for dynamic paths) runs in an isolated iframe. The hosting website uses a static path configuration. // CodeQL [SM03712] This is safe because the runner (that allows for dynamic paths) runs in an isolated iframe. The hosting website uses a static path configuration.
 document.head.appendChild(script);
 });
 }
diff --git a/website/src/runner/index.ts b/website/src/runner/index.ts
index fe8af646..97776901 100644
--- a/website/src/runner/index.ts
+++ b/website/src/runner/index.ts
@@ -21,7 +21,7 @@ window.addEventListener("message", (event) => {
 const style = document.getElementById(
 "custom-style"
 ) as HTMLStyleElement;
- style.innerHTML = e.css;
+ style.innerHTML = e.css; // CodeQL [SM03712] This is safe because the runner runs in an isolated iframe.
 }
 });
 
@@ -54,7 +54,7 @@ async function initialize(state: IPreviewState) {
 
 const js = massageJs(state.js);
 try {
- eval(js);
+ eval(js); // CodeQL [SM01632] This is safe because the runner runs in an isolated iframe. This feature is essential to the functionality of the playground. // CodeQL [SM02688] This is safe because the runner runs in an isolated iframe. This feature is essential to the functionality of the playground.
 } catch (err) {
 const pre = document.createElement("pre");
 pre.appendChild(
diff --git a/website/static/monarch/monarch.js b/website/static/monarch/monarch.js
index 4cd72c3f..899b2531 100644
--- a/website/static/monarch/monarch.js
+++ b/website/static/monarch/monarch.js
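Review bot: The safety argument for `script.src = path` lives only in the suppression comment, while `loadScript` itself accepts any string, so callers elsewhere never see the contract that `path` must come from the static configuration or from the iframe-confined runner. Put that contract on the function in a TSDoc block, e.g. `@param path URL of the script to load. Must originate from the static loader configuration or from the runner's own isolated iframe; never derive it from location/query input.` If any configured path is cross-origin, setting an `integrity` attribute alongside `src` would make the "static path" assumption verifiable at load time. The signature of `loadScript` and the start of the Promise executor are outside the hunk.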
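Review bot: `style.innerHTML = e.css` routes plain stylesheet text through an HTML sink; for a `<style>` element, `style.textContent = e.css;` produces the same sheet for ordinary CSS without the fragment parser (and without the `</style>` edge case), which removes the reason for the SM03712 suppression rather than documenting around it. Separately, the hunk does not show whether the `message` listener validates `event.origin` before applying `e.css`; if it does not, the "isolated iframe" argument only covers what injected CSS can reach, not who can inject it, so please confirm where that check or the sandbox attribute lives. The listener body starts before the hunk.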
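Review bot: Both suppressions on `eval(js)` rest on "the runner runs in an isolated iframe", but as far as this hunk shows nothing in the runner establishes that isolation — it is a property of how the host page embeds it (sandbox attribute, separate origin), so a later change to the embedding could void the argument without touching this file. Suggest a comment on `initialize` recording the dependency, e.g. `// Security boundary: this document is only ever loaded inside the playground's sandboxed iframe; eval below relies on that isolation, not on any validation of state.js.`, and have the suppression text point at it instead of restating the claim. `initialize` starts before the hunk and its try/catch continues after it.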
@@ -58,7 +58,7 @@ function createLangModel(languageId, text) {
 var update = function () {
 var def = null;
 try {
- def = eval("(function(){ " + langModel.getValue() + "; })()");
+ def = eval("(function(){ " + langModel.getValue() + "; })()"); // CodeQL [SM01632] langModel.getValue() is a default value with volatile user modifications. This is an essential functionality for the monarch playground and safe, as no injection is possible.
 } catch (err) {
 setInnerText(outputPane, err + "\n");
 return;
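Review bot: The rationale on the `eval(...)` line, "safe, as no injection is possible", is not what makes this acceptable — the string is built from `langModel.getValue()`, i.e. whatever the user typed, so executing arbitrary code is the feature; the defensible argument is that it is the user's own definition running in the user's own page with no foreign data reaching the editor. Reword the suppression to say that, e.g. `// CodeQL [SM01632] Intentional: the Monarch playground evaluates the user's own language definition in the user's own page; no third-party input reaches langModel.` If the definition can ever be pre-populated from a URL or shared link, that sentence no longer holds and this page would need the same iframe isolation the runner relies on, so it is worth confirming. `createLangModel` and the `update` closure continue outside the hunk.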