DOI / Update DOI widget in editor #8468
Conversation
* DOI server can be retrieved by editor by id or uuid
* Updating a DOI is only allowed when a server is configured for the DOI prefix
* DOI server list is disabled in update mode
@@ -85,24 +108,55 @@ | |||
* the metadata is published. | |||
* | |||
*/ | |||
function canPublishDoiForResource(md, resource) { | |||
function canPublishDoiForResource(md, doiUrl) { | |||
if (doiUrl == null || doiUrl.indexOf("doi.org/") === -1) { |
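Review bot: the new guard `if (doiUrl == null || doiUrl.indexOf("doi.org/") === -1)` only tests that the substring occurs somewhere in the string, so a URL whose host is something else but whose path, query or userinfo happens to contain "doi.org/" passes; that is exactly the CodeQL "Incomplete URL substring sanitization" finding attached to this line. Parse the value with `new URL(doiUrl)` and compare its `hostname` against the accepted resolver hosts instead. Since the signature changed from `(md, resource)` to `(md, doiUrl)`, the JSDoc above (only its last line, "the metadata is published.", is in the hunk) and every caller also need to be updated to pass the URL rather than the resource object.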
Check failure: Code scanning / CodeQL: Incomplete URL substring sanitization (High), flagged substring "doi.org/"
Copilot Autofix AI, about 1 month ago:
To fix the problem, we need to ensure that the URL is parsed and the host is explicitly checked against a whitelist of allowed hosts. This will prevent attackers from embedding "doi.org/" in unexpected parts of the URL. We will use the URL constructor available in modern JavaScript to parse the URL and then check the host.
- Parse the doiUrl using the URL constructor.
- Extract the host from the parsed URL.
- Check if the host matches the expected "doi.org" or any allowed subdomains.
@@ -111,3 +111,12 @@ | ||
function canPublishDoiForResource(md, doiUrl) { | ||
if (doiUrl == null || doiUrl.indexOf("doi.org/") === -1) { | ||
if (doiUrl == null) { | ||
return false; | ||
} | ||
try { | ||
var parsedUrl = new URL(doiUrl); | ||
var host = parsedUrl.host; | ||
if (host !== "doi.org" && !host.endsWith(".doi.org")) { | ||
return false; | ||
} | ||
} catch (e) { | ||
return false; |
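Review bot: the proposed replacement compares `parsedUrl.host`, which still carries an explicit port, and never looks at `parsedUrl.protocol`, so an "ftp://doi.org/..." value is accepted exactly like "https://doi.org/..." while "https://doi.org:8443/..." is rejected; use `parsedUrl.hostname` and additionally require the protocol to be "http:" or "https:". Also note that `new URL()` throws on relative input, so a bare DOI such as "10.1234/abc" (a constructed example) now silently returns false from the `catch` branch; if that is the intended behaviour, say so in the function's JSDoc so callers do not pass unprefixed DOIs.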
!isMdWorkflowEnableForMetadata | ||
); | ||
} | ||
|
||
function checkDoiManagementForResource(md, resource) { | ||
if (resource.locUrl == null || resource.locUrl.indexOf("doi.org/") === -1) { |
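Review bot: `checkDoiManagementForResource` repeats the same `resource.locUrl.indexOf("doi.org/") === -1` substring test that CodeQL flags for `canPublishDoiForResource`, so the second finding stays open if only the first function is corrected. Extract one helper that parses the URL and checks its hostname against the accepted resolver hosts and call it from both functions, so the two checks cannot drift apart.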
Check failure: Code scanning / CodeQL: Incomplete URL substring sanitization (High), flagged substring "doi.org/"
Quality Gate failed: failed conditions
Follow up of #8098
Checklist
- main branch, backports managed with label
- README.md files
- pom.xml dependency management. Update build documentation with intended library use and library tutorials or documentation
Funded by Ifremer