security: fix host injection vulnerability in URL validation

daniel-lxs · daniel-lxs · commit 3d796de32766 · 2025-10-27T14:33:42.000-05:00
- Replace dangerous substring check webviewUri.includes('vscode-cdn.net')
- Add proper URL host validation using URL constructor
- Check url.host === 'vscode-cdn.net' to prevent injection via paths/queries
- Graceful fallback when URL parsing fails
- Addresses final CodeQL warning for incomplete URL substring sanitization
diff --git a/src/integrations/misc/imageDataUrl.ts b/src/integrations/misc/imageDataUrl.ts
@@ -57,7 +57,7 @@ function webviewUriToFilePath(webviewUri: string): string {
 	// Use strict prefix matching to prevent arbitrary host injection
 	if (
 		webviewUri.startsWith("vscode-resource://vscode-webview/") &&
-		(webviewUri.includes("vscode-userdata") || webviewUri.includes("vscode-cdn.net"))
+		(webviewUri.includes("vscode-userdata") || isValidVsCodeCdnHost(webviewUri))
 	) {
 		try {
 			// Decode safely with length limits
@@ -92,6 +92,20 @@ function webviewUriToFilePath(webviewUri: string): string {
 /**
  * Gets the MIME type from a file path
  */
+/**
+ * Safely validates if a webview URI is from the trusted vscode-cdn.net host
+ * Prevents host injection attacks by properly parsing the URL
+ */
+function isValidVsCodeCdnHost(webviewUri: string): boolean {
+	try {
+		const url = new URL(webviewUri)
+		return url.host === "vscode-cdn.net"
+	} catch {
+		// URL parsing failed - not a valid URL
+		return false
+	}
+}
+
 function getMimeTypeFromPath(filePath: string): string {
 	const ext = path.extname(filePath).toLowerCase()
 
