Added a CodeQL workflow to check for bugs through code analysis. Fixed numerous bugs and implemented safeguards as already reported.

2025-04-24 00:36:16 -04:00 · 2021-02-10 13:13:19 +00:00 · 2021-02-10 13:13:19 +00:00 · 1abc46058c
commit 1abc46058c
parent 892a3716ed
32 changed files with 87 additions and 61 deletions
--- a/src/web/HTMLIngredient.mjs
+++ b/src/web/HTMLIngredient.mjs
@ -153,7 +153,7 @@ class HTMLIngredient {
                for (i = 0; i < this.value.length; i++) {
                    if ((m = this.value[i].match(/\[([a-z0-9 -()^]+)\]/i))) {
                        html += `<optgroup label="${m[1]}">`;
-                    } else if ((m = this.value[i].match(/\[\/([a-z0-9 -()^]+)\]/i))) {
+                    } else if (this.value[i].match(/\[\/([a-z0-9 -()^]+)\]/i)) {
                        html += "</optgroup>";
                    } else {
                        html += `<option ${this.defaultIndex === i ? "selected" : ""}>${this.value[i]}</option>`;
@ -177,7 +177,7 @@ class HTMLIngredient {
                for (i = 0; i < this.value.length; i++) {
                    if ((m = this.value[i].name.match(/\[([a-z0-9 -()^]+)\]/i))) {
                        html += `<optgroup label="${m[1]}">`;
-                    } else if ((m = this.value[i].name.match(/\[\/([a-z0-9 -()^]+)\]/i))) {
+                    } else if (this.value[i].name.match(/\[\/([a-z0-9 -()^]+)\]/i)) {
                        html += "</optgroup>";
                    } else {
                        const val = this.type === "populateMultiOption" ?
--- a/src/web/HTMLOperation.mjs
+++ b/src/web/HTMLOperation.mjs
@ -5,6 +5,7 @@
 */

 import HTMLIngredient from "./HTMLIngredient.mjs";
+import Utils from "../core/Utils.mjs";


 /**
@ -72,7 +73,7 @@ class HTMLOperation {
     * @returns {string}
     */
    toFullHtml() {
-        let html = `<div class="op-title">${this.name}</div>
+        let html = `<div class="op-title">${Utils.escapeHtml(this.name)}</div>
        <div class="ingredients">`;

        for (let i = 0; i < this.ingList.length; i++) {
@ -151,15 +152,16 @@ class HTMLOperation {
 */
 function titleFromWikiLink(url) {
    const splitURL = url.split("/");
-    if (splitURL.indexOf("wikipedia.org") < 0 && splitURL.indexOf("forensicswiki.org") < 0) {
+    if (!splitURL.includes("wikipedia.org") && !splitURL.includes("forensicswiki.xyz")) {
        // Not a wiki link, return full URL
        return `<a href='${url}' target='_blank'>More Information<i class='material-icons inline-icon'>open_in_new</i></a>`;
    }

-    const wikiName = splitURL.indexOf("forensicswiki.org") < 0 ? "Wikipedia" : "Forensics Wiki";
+    const wikiName = splitURL.includes("forensicswiki.xyz") ? "Forensics Wiki" : "Wikipedia";

    const pageTitle = decodeURIComponent(splitURL[splitURL.length - 1])
-        .replace(/_/g, " ");
+        .replace(/_/g, " ")
+        .replace(/index\.php\?title=/g, "");
    return `<a href='${url}' target='_blank'>${pageTitle}<i class='material-icons inline-icon'>open_in_new</i></a> on ${wikiName}`;
 }

--- a/src/web/html/index.html
+++ b/src/web/html/index.html
@ -153,7 +153,7 @@
                        <script type="text/javascript">
                            // Must be text/javascript rather than application/javascript otherwise IE won't recognise it...
                            if (navigator.userAgent && navigator.userAgent.match(/Trident/)) {
-                                document.write("Internet Explorer is not supported, please use Firefox or Chrome instead");
+                                document.getElementById("notice").innerHTML += "Internet Explorer is not supported, please use Firefox or Chrome instead";
                                alert("Internet Explorer is not supported, please use Firefox or Chrome instead");
                            }
                        </script>
--- a/src/web/waiters/ControlsWaiter.mjs
+++ b/src/web/waiters/ControlsWaiter.mjs
@ -102,7 +102,7 @@ class ControlsWaiter {
        const saveLinkEl = document.getElementById("save-link");
        const saveLink = this.generateStateUrl(includeRecipe, includeInput, recipeConfig);

-        saveLinkEl.innerHTML = Utils.truncate(saveLink, 120);
+        saveLinkEl.innerHTML = Utils.escapeHtml(Utils.truncate(saveLink, 120));
        saveLinkEl.setAttribute("href", saveLink);
    }

@ -138,7 +138,7 @@ class ControlsWaiter {

        const params = [
            includeRecipe ? ["recipe", recipeStr] : undefined,
-            includeInput ? ["input", input] : undefined,
+            includeInput ? ["input", Utils.escapeHtml(input)] : undefined,
        ];

        const hash = params
--- a/src/web/waiters/InputWaiter.mjs
+++ b/src/web/waiters/InputWaiter.mjs
@ -510,10 +510,6 @@ class InputWaiter {
        if (inputNum !== activeTab) return;

        const fileLoaded = document.getElementById("input-file-loaded");
-        let oldProgress = fileLoaded.textContent;
-        if (oldProgress !== "Error") {
-            oldProgress = parseInt(oldProgress.replace("%", ""), 10);
-        }
        if (progress === "error") {
            fileLoaded.textContent = "Error";
            fileLoaded.style.color = "#FF0000";
@ -1276,7 +1272,7 @@ class InputWaiter {
        const func = function(time) {
            if (this.mousedown) {
                this.changeTabRight();
-                const newTime = (time > 50) ? time = time - 10 : 50;
+                const newTime = (time > 50) ? time - 10 : 50;
                setTimeout(func.bind(this, [newTime]), newTime);
            }
        };
@ -1293,7 +1289,7 @@ class InputWaiter {
        const func = function(time) {
            if (this.mousedown) {
                this.changeTabLeft();
-                const newTime = (time > 50) ? time = time - 10 : 50;
+                const newTime = (time > 50) ? time - 10 : 50;
                setTimeout(func.bind(this, [newTime]), newTime);
            }
        };
--- a/src/web/waiters/OperationsWaiter.mjs
+++ b/src/web/waiters/OperationsWaiter.mjs
@ -121,7 +121,7 @@ class OperationsWaiter {
            if (nameMatch || descPos >= 0) {
                const operation = new HTMLOperation(opName, this.app.operations[opName], this.app, this.manager);
                if (highlight) {
-                    operation.highlightSearchStrings(calcMatchRanges(idxs) || [], [[descPos, inStr.length]]);
+                    operation.highlightSearchStrings(calcMatchRanges(idxs), [[descPos, inStr.length]]);
                }

                if (nameMatch) {
--- a/src/web/waiters/OutputWaiter.mjs
+++ b/src/web/waiters/OutputWaiter.mjs
@ -306,8 +306,6 @@ class OutputWaiter {
                    outputText.value = "";
                    outputHtml.innerHTML = "";

-                    lines = 0;
-                    length = 0;
                    this.toggleLoader(false);
                    return;
                }
@ -765,7 +763,7 @@ class OutputWaiter {
        const func = function(time) {
            if (this.mousedown) {
                this.changeTabRight();
-                const newTime = (time > 50) ? time = time - 10 : 50;
+                const newTime = (time > 50) ? time - 10 : 50;
                setTimeout(func.bind(this, [newTime]), newTime);
            }
        };
@ -782,7 +780,7 @@ class OutputWaiter {
        const func = function(time) {
            if (this.mousedown) {
                this.changeTabLeft();
-                const newTime = (time > 50) ? time = time - 10 : 50;
+                const newTime = (time > 50) ? time - 10 : 50;
                setTimeout(func.bind(this, [newTime]), newTime);
            }
        };
--- a/src/web/waiters/RecipeWaiter.mjs
+++ b/src/web/waiters/RecipeWaiter.mjs
@ -316,7 +316,7 @@ class RecipeWaiter {
                    };
                } else if (ingList[j].getAttribute("type") === "number") {
                    // number
-                    ingredients[j] = parseFloat(ingList[j].value, 10);
+                    ingredients[j] = parseFloat(ingList[j].value);
                } else {
                    // all others
                    ingredients[j] = ingList[j].value;