Skip to content

Don't try to show enterprise avatars#8175

Merged
alexr00 merged 1 commit intomainfrom
alexr00/loose-coyote
Nov 20, 2025
Merged

Don't try to show enterprise avatars#8175
alexr00 merged 1 commit intomainfrom
alexr00/loose-coyote

Conversation

@alexr00
Copy link
Member

@alexr00 alexr00 commented Nov 20, 2025

Fixes #8152

@alexr00 alexr00 enabled auto-merge (squash) November 20, 2025 11:31
@alexr00 alexr00 self-assigned this Nov 20, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 20, 2025
View reviewed changes
webviews/components/user.tsx
const InnerAvatar = ({ for: author }: { for: Partial<IAccount> }) => (
<>
{author.avatarUrl ? (
{author.avatarUrl && author.avatarUrl.includes('githubusercontent.com') ? (

Check failure

Code scanning / CodeQL

Incomplete URL substring sanitization High

'
githubusercontent.com
Loading
' can be anywhere in the URL, and arbitrary hosts may come before or after it.

Copilot Autofix

AI 3 months ago

To fix the issue, the code must reliably verify that the image avatar URL is actually hosted on a trusted domain (githubusercontent.com). Instead of performing a substring check on the entire URL (which could match on path/query, not just the host), we should parse the URL and compare its host property. The best approach is to use the built-in URL constructor (safe in recent browsers and Node.js) to extract the host/domain, and then explicitly check for exact matches or valid subdomains.

Modify line 12 in webviews/components/user.tsx:

  • Parse author.avatarUrl using the URL constructor.
  • Check if the hostname is exactly githubusercontent.com or ends with .githubusercontent.com (to allow subdomains, if intended).
  • Only show the avatar image if this stricter check passes.

No external dependencies are needed.

Suggested changeset 1
webviews/components/user.tsx

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/webviews/components/user.tsx b/webviews/components/user.tsx
--- a/webviews/components/user.tsx
+++ b/webviews/components/user.tsx
@@ -9,7 +9,20 @@
 
 const InnerAvatar = ({ for: author }: { for: Partial<IAccount> }) => (
 	<>
-		{author.avatarUrl && author.avatarUrl.includes('githubusercontent.com') ? (
+		{author.avatarUrl && (() => {
+			try {
+				const host = new URL(author.avatarUrl).hostname;
+				// Only allow githubusercontent.com or its subdomains
+				if (host === 'githubusercontent.com' || host.endsWith('.githubusercontent.com')) {
+					return (
+						<img className="avatar" src={author.avatarUrl} alt="" role="presentation" aria-hidden="true"/>
+					);
+				}
+			} catch {
+				// Malformed URL: fallback to icon
+			}
+			return null;
+		})() ? (
 			<img className="avatar" src={author.avatarUrl} alt="" role="presentation" aria-hidden="true"/>
 		) : (
 			<Icon className="avatar-icon" src={require('../../resources/icons/dark/github.svg')} />
EOF
@@ -9,7 +9,20 @@

const InnerAvatar = ({ for: author }: { for: Partial<IAccount> }) => (
<>
{author.avatarUrl && author.avatarUrl.includes('githubusercontent.com') ? (
{author.avatarUrl && (() => {
try {
const host = new URL(author.avatarUrl).hostname;
// Only allow githubusercontent.com or its subdomains
if (host === 'githubusercontent.com' || host.endsWith('.githubusercontent.com')) {
return (
<img className="avatar" src={author.avatarUrl} alt="" role="presentation" aria-hidden="true"/>
);
}
} catch {
// Malformed URL: fallback to icon
}
return null;
})() ? (
<img className="avatar" src={author.avatarUrl} alt="" role="presentation" aria-hidden="true"/>
) : (
<Icon className="avatar-icon" src={require('../../resources/icons/dark/github.svg')} />
Copilot is powered by AI and may make mistakes. Always verify output.
@vs-code-engineering vs-code-engineering bot added this to the November 2025 milestone Nov 20, 2025
@alexr00 alexr00 merged commit 44310d9 into main Nov 20, 2025
5 of 6 checks passed
@alexr00 alexr00 deleted the alexr00/loose-coyote branch November 20, 2025 11:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bpasero bpasero bpasero approved these changes

Assignees

@alexr00 alexr00

Labels

None yet

Projects

None yet

Milestone

November 2025

Development

Successfully merging this pull request may close these issues.

Avatar does not show in PR details page

2 participants

@alexr00 @bpasero