From fe87edfefe6aec7a61673793e8d36f7360a916b8 Mon Sep 17 00:00:00 2001
From: Peter Dave Hello
Date: Fri, 18 Oct 2024 00:36:54 +0800
Subject: [PATCH] Fix code scanning alert no. 10: Incomplete URL substring sanitization (#918)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
---
 src/background.js | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/src/background.js b/src/background.js
index 5790081d66..11ea6aa6cf 100644
--- a/src/background.js
+++ b/src/background.js
@@ -9,6 +9,8 @@ import { setMenuItems } from "./menu";
 import updateApp from "./update";
 const isDevelopment = process.env.NODE_ENV !== "production";
+const allowedDomains = ["aliyun.com", "qianwen.aliyun.com"];
+
 const DEFAULT_USER_AGENT = ""; // Empty string to use the Electron default
 /** @type {BrowserWindow} */
 let mainWindow = null;
@@ -191,10 +193,7 @@ async function createWindow() {
 newCookie.domain = cookie.domain;
 }
 // Handle the session cookie for QianWen
- if (
- cookie.domain.startsWith(".aliyun.com") ||
- cookie.domain.startsWith("qianwen.aliyun.com")
- ) {
+ if (isAllowedDomain(cookie.domain)) {
 newCookie.expirationDate = setCookieExpireDate(7);
 }
 await win.webContents.session.cookies.set(newCookie);
@@ -205,6 +204,22 @@ async function createWindow() {
 },
 );
+ function isAllowedDomain(domain) {
+ try {
+ const parsedHost = new URL(
+ `https://${domain.startsWith(".") ? domain.substring(1) : domain}`,
+ ).host;
+ return allowedDomains.some(
+ (allowedDomain) =>
+ parsedHost === allowedDomain ||
+ parsedHost.endsWith(`.${allowedDomain}`),
+ );
+ } catch (error) {
+ console.error("Error parsing domain in isAllowedDomain:", domain, error);
+ return false;
+ }
+ }
+
 // Modify the Referer header for each request and special patch for some sites.
 win.webContents.session.webRequest.onBeforeSendHeaders(
 (details, callback) => {
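Review bot: The `"qianwen.aliyun.com"` entry in the `allowedDomains` declaration (first hunk) is unreachable, because the suffix test `parsedHost.endsWith(`.${allowedDomain}`)` in `isAllowedDomain` already accepts every host under `aliyun.com`, so the effective scope of the 7-day `expirationDate` extension is the whole aliyun.com domain tree; the old `startsWith(".aliyun.com")` test accepted domain cookies of the same breadth, so this may be intended, but the list should then be just `["aliyun.com"]` or, if only the QianWen cookie should be kept, just `["qianwen.aliyun.com"]`. `.hostname` is the safer property than `.host`, since `host` keeps a non-default port and would then fail both the equality and the suffix check. A guard ahead of the `new URL` call, `if (typeof domain !== "string" || domain === "") return false;`, would keep a missing `cookie.domain` out of the catch path and its `console.error`. `isAllowedDomain` closes over nothing from `createWindow`, so it could be a module-level function next to `allowedDomains`, which could also be `Object.freeze`d. `createWindow` starts and ends outside this hunk.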