
Conversation

@LinuxSuRen LinuxSuRen commented Aug 6, 2025

We highly recommend you read the contributor's documentation before starting the review process, especially since this is your first contribution to this project.

It was updated on 2024/5/27

What type of PR is this?

What this PR does / why we need it:

See #204

Which issue(s) this PR fixes:

Fixes #

@LinuxSuRen LinuxSuRen requested a review from yuluo-yx as a code owner August 6, 2025 15:01
@LinuxSuRen LinuxSuRen added enhancement New feature or request ui labels Aug 6, 2025
codacy-production bot commented Aug 6, 2025

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation: -0.95% (target: -1.00%)
Diff coverage: 23.89% (target: 80.00%)

Coverage variation details

Commit | Coverable lines | Covered lines | Coverage
Common ancestor commit (0b03f7e) | 20884 | 8121 | 38.89%
Head commit (470a580) | 21944 (+1060) | 8325 (+204) | 37.94% (-0.95%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
Change | Coverable lines | Covered lines | Diff coverage
Pull request (#801) | 1394 | 333 | 23.89%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%


github-actions bot commented Aug 6, 2025

There is 1 test case, failed count 0:

Name | Average | Max | Min | Count | Error
 | 12.116586ms | 12.801702ms | 11.05664ms | 3 | 0

Reported by api-testing.

@LinuxSuRen (Owner, Author)

Hi @yuluo-yx, this PR is still being worked on, and I need to do more tests.

if err == nil {
	// Record the length of the body that is about to be written, both in the
	// stored mock response and on the outgoing response header.
	h.item.Response.Header[util.ContentLength] = fmt.Sprintf("%d", len(h.item.Response.BodyData))
	w.Header().Set(util.ContentLength, h.item.Response.Header[util.ContentLength])
}

Check warning

Code scanning / CodeQL

Reflected cross-site scripting (Medium)

Cross-site scripting vulnerability due to user-provided value.

Copilot Autofix (AI, 3 months ago)

To fix the reflected XSS vulnerability, all user-controlled data that may be rendered into an HTTP response must be properly escaped for the context in which it appears. The best way to do this is to ensure that any user input (such as route parameters from mux.Vars(req)) is HTML-escaped before being included in the response body, if the response is of a type that could be interpreted as HTML by browsers.

The most robust fix is to HTML-escape all route parameters when they are added to h.item.Param, so that any template rendering or direct output will use the escaped values. This can be done by wrapping the values with html.EscapeString from the Go standard library. You will need to import the html package.

Files/regions/lines to change:

  • In pkg/mock/in_memory.go, in the loop at lines 436-438, wrap each value from mux.Vars(req) with html.EscapeString before assigning to h.item.Param.
  • Add an import for "html" if not already present.
Suggested changeset 1: pkg/mock/in_memory.go

Autofix patch

Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/pkg/mock/in_memory.go b/pkg/mock/in_memory.go
--- a/pkg/mock/in_memory.go
+++ b/pkg/mock/in_memory.go
@@ -23,2 +23,3 @@
 	"fmt"
+	"html"
 	"io"
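Review bot: the new `"html"` import is only justified by the escape call in the capture loop of the next hunk; if that escape is moved to the point where the response body is written (where the Content-Type is known), this import should move with it rather than stay in the import block of `pkg/mock/in_memory.go` for a call made at the wrong layer.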
@@ -436,3 +437,3 @@
 	for k, v := range mux.Vars(req) {
-		h.item.Param[k] = v
+		h.item.Param[k] = html.EscapeString(v)
 	}
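Review bot: `h.item.Param[k] = html.EscapeString(v)` escapes every route parameter at capture time, before anyone knows how the value will be used, so a mock whose body is rendered as JSON or plain text from `h.item.Param` will return `&amp;`, `&#34;` and `&#39;` where the client sent `&`, `"` and `'`. The autofix text itself conditions the fix on the response being "of a type that could be interpreted as HTML by browsers", and that condition is not checked here; prefer keeping `h.item.Param[k] = v` as captured and applying `html.EscapeString` (or rendering through `html/template`, which escapes by context) only on the HTML output path.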
EOF
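To make the difference between the autofix's capture-time escaping and output-time encoding concrete, here is an added example that is not code from the api-testing project: `mockItem`, `render`, `escapeAtCapture` and `jsonName` are constructed names, and the `{{name}}` placeholder syntax is assumed rather than taken from the project's mock format. `render` picks the encoding from the response's Content-Type, while `escapeAtCapture` reproduces what the suggested patch does to `h.item.Param`.

```go
package main

import (
	"encoding/json"
	"html"
	"strings"
)

// mockItem is a constructed stand-in for a mock route whose body substitutes captured route parameters.
type mockItem struct {
	ContentType string
	Body        string            // body with {{name}} placeholders
	Param       map[string]string // route parameters as mux.Vars would return them
}

// render substitutes parameters, encoding each one for the response's Content-Type:
// html.EscapeString for HTML, JSON string encoding for JSON, passthrough otherwise.
func render(it mockItem) string {
	out := it.Body
	for k, v := range it.Param {
		enc := v
		switch {
		case strings.HasPrefix(it.ContentType, "text/html"):
			enc = html.EscapeString(v)
		case strings.HasPrefix(it.ContentType, "application/json"):
			b, _ := json.Marshal(v)       // marshalling a string cannot fail; also escapes <, >, &
			enc = string(b[1 : len(b)-1]) // drop the surrounding quotes
		}
		out = strings.ReplaceAll(out, "{{"+k+"}}", enc)
	}
	return out
}

// escapeAtCapture mimics the autofix: HTML-escape every parameter when captured, before the response type is known.
func escapeAtCapture(params map[string]string) map[string]string {
	out := make(map[string]string, len(params))
	for k, v := range params {
		out[k] = html.EscapeString(v)
	}
	return out
}

// jsonName decodes a {"name": ...} body and returns the name, or "" if the body is not valid JSON.
func jsonName(body string) string {
	var m map[string]string
	if json.Unmarshal([]byte(body), &m) != nil {
		return ""
	}
	return m["name"]
}
```

Rendering a JSON mock from parameters that went through `escapeAtCapture` yields a body that decodes to `Tom &amp; &#34;Jerry&#34;` instead of the `Tom & "Jerry"` the client sent, whereas `render` on the raw parameters keeps JSON values intact and still neutralises the HTML case.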
sonarqubecloud bot commented Aug 8, 2025

@LinuxSuRen LinuxSuRen merged commit 4ac2eaa into master Aug 8, 2025
18 of 20 checks passed
@LinuxSuRen LinuxSuRen deleted the feat/ui-ext-new branch August 8, 2025 13:09