fix: improve vscode-cdn.net URL validation and add copy action check

daniel-lxs · daniel-lxs · commit ab402bf1d9bd · 2025-09-23T15:06:27.000-05:00
- Fixed CodeQL security issue by properly validating vscode-cdn.net domain instead of substring check
- Added missing copy action check for HTTPS/vscode-cdn URLs before opening image
- Updated tests to match the more secure URL validation logic
diff --git a/src/integrations/misc/__tests__/image-handler.spec.ts b/src/integrations/misc/__tests__/image-handler.spec.ts
@@ -5,14 +5,17 @@ vi.mock("vscode", () => {
 	const showErrorMessage = vi.fn()
 	const file = vi.fn((p: string) => ({ fsPath: p, path: p, scheme: "file" }))
 	const parse = (input: string) => {
-		if (input.startsWith("https://") && input.includes("vscode-cdn.net")) {
+		if (input.startsWith("https://")) {
 			const url = new URL(input)
-			return {
-				scheme: "https",
-				authority: url.host,
-				path: url.pathname,
-				fsPath: url.pathname,
-				with: vi.fn(),
+			// More secure check: ensure vscode-cdn.net is the actual domain, not just a substring
+			if (url.host === "vscode-cdn.net" || url.host.endsWith(".vscode-cdn.net")) {
+				return {
+					scheme: "https",
+					authority: url.host,
+					path: url.pathname,
+					fsPath: url.pathname,
+					with: vi.fn(),
+				}
 			}
 		}
 		if (input.startsWith("file://")) {
diff --git a/src/integrations/misc/image-handler.ts b/src/integrations/misc/image-handler.ts
@@ -10,20 +10,24 @@ export async function openImage(dataUriOrPath: string, options?: { values?: { ac
 	// Example: https://file+.vscode-resource.vscode-cdn.net/file/<absolute_path_to_image>
 	try {
 		const u = vscode.Uri.parse(dataUriOrPath)
-		if (u.scheme === "https" && u.authority.includes("vscode-cdn.net")) {
+		if (
+			u.scheme === "https" &&
+			u.authority &&
+			(u.authority === "vscode-cdn.net" || u.authority.endsWith(".vscode-cdn.net"))
+		) {
 			let fsPath = decodeURIComponent(u.path || "")
 			// Strip the leading "/file/" prefix if present
 			if (fsPath.startsWith("/file/")) {
 				fsPath = fsPath.slice("/file/".length)
 			}
 			fsPath = path.normalize(fsPath)
 			if (fsPath) {
-				const fileUri = vscode.Uri.file(fsPath)
 				if (options?.values?.action === "copy") {
 					await vscode.env.clipboard.writeText(fsPath)
 					vscode.window.showInformationMessage(t("common:info.path_copied_to_clipboard"))
 					return
 				}
+				const fileUri = vscode.Uri.file(fsPath)
 				await vscode.commands.executeCommand("vscode.open", fileUri)
 				return
 			}
