Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

lastIndexOf in sourcemap-register.js causes Github to flag Incorrect suffix check #320

Open
yogurtearl opened this issue Sep 21, 2022 · 4 comments

Comments

@yogurtearl
Copy link

yogurtearl commented Sep 21, 2022

I think this sourcemap-register.js file is an output of this module:
https://raw.githubusercontent.com/gradle/gradle-build-action/aeb3e0fcd750be80d74f07ee94363abdf2b51020/dist/post/sourcemap-register.js

which contains this:

var n=0;while(r.indexOf(e+"/")!==0){var t=e.lastIndexOf("/");
if(t<0){return r}e=e.slice(0,t);if(e.match(/^([^\/]+:\/)?\/*$/)){return r}++n}return Array(n+1).join("../")+r.substr(e.length+1)}r.relative=relative;var o=function(){var e=Object.create(null);return!("__proto__"in e)}();function identity(e){return e}function toSetString(e){if(isProtoString(e)){return"$"+e}return e}r.toSetString=o?identity:toSetString;function fromSetString(e){if(isProtoString(e)){return e.slice(1)}return e}r.fromSetString=o?identity:fromSetString;function isProtoString(e){if(!e){return false}var r=e.length;if(r<9){return false}if(e.charCodeAt(r-1)!==95||e.charCodeAt(r-2)!==95||e.charCodeAt(r-3)!==111||e.charCodeAt(r-4)!==116||e.charCodeAt(r-5)!==111||e.charCodeAt(r-6)!==114||e.charCodeAt(r-7)!==112||e.charCodeAt(r-8)!==95||e.charCodeAt(r-9)!==95){return false}for(var n=r-10;n>=0;n--){if(e.charCodeAt(n)!==36){return false}}return true}function compareByOriginalPositions(e,r,n){var t=strcmp(e.source,r.source);if(t!==0){return t}t=e.originalLine-r.originalLine;if(t!==0){return t}t=e.originalColumn-r.originalColumn;if(t!==0||n){return t}t=e.generatedColumn-r.generatedColumn;if(t!==0){return t}t=e.generatedLine-r.generatedLine;if(t!==0){return t}return strcmp(e.name,r.name)}r.compareByOriginalPositions=compareByOriginalPositions;function compareByGeneratedPositionsDeflated(e,r,n){var t=e.generatedLine-r.generatedLine;if(t!==0){return t}t=e.generatedColumn-r.generatedColumn;if(t!==0||n){return t}t=strcmp(e.source,r.source);if(t!==0){return t}t=e.originalLine-r.originalLine;if(t!==0){return t}t=e.originalColumn-r.originalColumn;if(t!==0){return t}return strcmp(e.name,r.name)}r.compareByGeneratedPositionsDeflated=compareByGeneratedPositionsDeflated;function strcmp(e,r){if(e===r){return 0}if(e===null){return 1}if(r===null){return-1}if(e>r){return 1}return-1}function compareByGeneratedPositionsInflated(e,r){var n=e.generatedLine-r.generatedLine;if(n!==0){return n}n=e.generatedColumn-r.generatedColumn;if(n!==0){return n}n=strcmp(e.source,r.source);if(n!==0){return n}n=e.originalLine-r.originalLine;if(n!==0){return n}n=e.originalColumn-r.originalColumn;if(n!==0){return n}return strcmp(e.name,r.name)}r.compareByGeneratedPositionsInflated=compareByGeneratedPositionsInflated;function parseSourceMapInput(e){return JSON.parse(e.replace(/^\)]}'[^\n]*\n/,""))}r.parseSourceMapInput=parseSourceMapInput;function computeSourceURL(e,r,n){r=r||"";if(e){if(e[e.length-1]!=="/"&&r[0]!=="/"){e+="/"}r=e+r}if(n){var t=urlParse(n);
if(!t){throw new Error("sourceMapURL could not be parsed")}if(t.path){var o=t.path.lastIndexOf("/");

Which causes Github advanced security to issue this "high" severity error:

https://codeql.github.com/codeql-query-help/javascript/js-incorrect-suffix-check/

Would be great if you can confirm if this is related to node-source-map-support

If it is related, can you add the suggested fix here: https://codeql.github.com/codeql-query-help/javascript/js-incorrect-suffix-check/
to avoid the error from GH advanced security. :)

@LinusU
Copy link
Collaborator

LinusU commented Oct 11, 2022

Searching for lastIndexOf doesn't yield any matches in this repo:

https://github.com/evanw/node-source-map-support/search?q=lastIndexOf

Are you sure that the code is from this package, and could you point me to the code in question in that case? ☺️

@yogurtearl
Copy link
Author

as far as I can tell... it was in a sourcemap-register.js file which I think was generated by node-source-map-support ?

I am not clear on where sourcemap-register.js is coming from or where the lastIndexOf in the file is coming from.

See
gradle/gradle-build-action@74a56b6#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519R11

sourcemap-register.js was being generated by running this command:

ncc build src/main.ts --out dist/main --source-map && ncc build src/post.ts --out dist/post --source-map

adding --no-source-map-register got rid of the sourcemap-register.js file altogether.

@calebboyd
Copy link

The heuristic looks like it might apply to indexOf as well (though the example only mentions lastIndexOf).

It looks like it may be this block its complaining about:

if (functionName) {
if (typeName && functionName.indexOf(typeName) != 0) {
line += typeName + ".";
}
line += functionName;
if (methodName && functionName.indexOf("." + methodName) != functionName.length - methodName.length - 1) {
line += " [as " + methodName + "]";
}

Copied from v8 almost 9 years ago 😅

@TheSench
Copy link

I'm seeing the same issue specifically pointed at indexOf:

This suffix check is missing a length comparison to correctly handle indexOf returning -1.

The indexOf and lastIndexOf methods are sometimes used to check if a substring occurs at a certain position in a string. However, if the returned index is compared to an expression that might evaluate to -1, the check may pass in some cases where the substring was not found at all.

The flagged code is the minified version of what @calebboyd referenced above:

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants