Skip to content

Potential fix for code scanning alert no. 1: Incomplete URL substring sanitization#32

Merged
dev-Ninjaa merged 1 commit into
mainfrom
alert-autofix-1
Feb 17, 2026
Merged

Potential fix for code scanning alert no. 1: Incomplete URL substring sanitization#32
dev-Ninjaa merged 1 commit into
mainfrom
alert-autofix-1

Conversation

@dev-Ninjaa

Copy link
Copy Markdown
Member

Potential fix for https://github.com/Luxion-Labs/PulmNotes/security/code-scanning/1

In general, the fix is to stop checking for placeholder.com or picsum.photos on the entire URL string and instead parse the URL and inspect only its host, ensuring that those domain names actually appear in the hostname (and not in query/path), and in a controlled way (e.g., exact match or well-defined subdomains). This avoids situations where an arbitrary host embeds the substring in a non-host component.

For this specific code, the minimal, behavior‑preserving change is:

  1. Parse url with the standard URL constructor (available in modern Node and browsers) in a small helper that safely returns null on invalid input.
  2. Extract the hostname (parsed.hostname) and compare against a small whitelist of allowed image hostnames (picsum.photos, www.picsum.photos, placeholder.com, www.placeholder.com).
  3. Replace url.includes('picsum.photos') || url.includes('placeholder.com') with calls to this hostname‑based check.
  4. Keep the rest of the logic unchanged (the regex for file extensions, the video extraction functions, etc.).

To implement this, within app/lib/richContentParser.ts:

  • Add a helper function getHostname(url: string): string | null near the bottom of the file (for example, after extractVimeoId) that uses new URL(url) and catches errors.

  • In the image detection condition at line 45, compute const host = getHostname(url); and adjust the condition to:

    • Still accept image URLs based on extension, unchanged.
    • Additionally accept URLs where host is in a small array of allowed image hosts.

No new imports are strictly required since URL is globally available in modern Node.js and browsers; if this code runs in such an environment, we can rely on it directly.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

… sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@dev-Ninjaa dev-Ninjaa marked this pull request as ready for review February 17, 2026 08:17
@dev-Ninjaa dev-Ninjaa merged commit 9d9a3e0 into main Feb 17, 2026
4 of 9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant