Make URL parsing more robust

github · Sep 28, 2020 · c4dc1b0 · c4dc1b0
1 parent 2841489
commit c4dc1b0
Showing 9 changed files with 179 additions and 47 deletions.
diff --git a/lib/runner.js b/lib/runner.js
diff --git a/lib/runner.js.map b/lib/runner.js.map
diff --git a/lib/util.js b/lib/util.js
diff --git a/lib/util.js.map b/lib/util.js.map
diff --git a/lib/util.test.js b/lib/util.test.js
diff --git a/lib/util.test.js.map b/lib/util.test.js.map
diff --git a/src/runner.ts b/src/runner.ts
@@ -12,32 +12,16 @@ import { Language, parseLanguage } from "./languages";
 import { getRunnerLogger } from "./logging";
 import { parseRepositoryNwo } from "./repository";
 import * as upload_lib from "./upload-lib";
-import { getAddSnippetsFlag, getMemoryFlag, getThreadsFlag } from "./util";
+import {
+  getAddSnippetsFlag,
+  getMemoryFlag,
+  getThreadsFlag,
+  parseGithubUrl,
+} from "./util";
 
 const program = new Command();
 program.version("0.0.1");
 
-function parseGithubUrl(inputUrl: string): string {
-  try {
-    const url = new URL(inputUrl);
-
-    // If we detect this is trying to be to github.com
-    // then return with a fixed canonical URL.
-    if (url.hostname === "github.com" || url.hostname === "api.github.com") {
-      return "https://github.com";
-    }
-
-    // Remove the API prefix if it's present
-    if (url.pathname.indexOf("/api/v3") !== -1) {
-      url.pathname = url.pathname.substring(0, url.pathname.indexOf("/api/v3"));
-    }
-
-    return url.toString();
-  } catch (e) {
-    throw new Error(`"${inputUrl}" is not a valid URL`);
-  }
-}
-
 function getTempDir(userInput: string | undefined): string {
   const tempDir = path.join(userInput || process.cwd(), "codeql-runner");
   if (!fs.existsSync(tempDir)) {

diff --git a/src/util.test.ts b/src/util.test.ts
@@ -122,3 +122,63 @@ test("getExtraOptionsEnvParam() fails on invalid JSON", (t) => {
 
   process.env.CODEQL_ACTION_EXTRA_OPTIONS = origExtraOptions;
 });
+
+test("parseGithubUrl", (t) => {
+  t.deepEqual(util.parseGithubUrl("github.com"), "https://github.com/");
+  t.deepEqual(util.parseGithubUrl("https://github.com"), "https://github.com/");
+  t.deepEqual(
+    util.parseGithubUrl("https://api.github.com"),
+    "https://github.com/"
+  );
+  t.deepEqual(
+    util.parseGithubUrl("https://github.com/foo/bar"),
+    "https://github.com/"
+  );
+
+  t.deepEqual(
+    util.parseGithubUrl("github.example.com"),
+    "https://github.example.com/"
+  );
+  t.deepEqual(
+    util.parseGithubUrl("https://github.example.com"),
+    "https://github.example.com/"
+  );
+  t.deepEqual(
+    util.parseGithubUrl("https://api.github.example.com"),
+    "https://github.example.com/"
+  );
+  t.deepEqual(
+    util.parseGithubUrl("https://github.example.com/api/v3"),
+    "https://github.example.com/"
+  );
+  t.deepEqual(
+    util.parseGithubUrl("https://github.example.com:1234"),
+    "https://github.example.com:1234/"
+  );
+  t.deepEqual(
+    util.parseGithubUrl("https://api.github.example.com:1234"),
+    "https://github.example.com:1234/"
+  );
+  t.deepEqual(
+    util.parseGithubUrl("https://github.example.com:1234/api/v3"),
+    "https://github.example.com:1234/"
+  );
+  t.deepEqual(
+    util.parseGithubUrl("https://github.example.com/base/path"),
+    "https://github.example.com/base/path/"
+  );
+  t.deepEqual(
+    util.parseGithubUrl("https://github.example.com/base/path/api/v3"),
+    "https://github.example.com/base/path/"
+  );
+
+  t.throws(() => util.parseGithubUrl(""), {
+    message: '"" is not a valid URL',
+  });
+  t.throws(() => util.parseGithubUrl("ssh://github.com"), {
+    message: '"ssh://github.com" is not a http or https URL',
+  });
+  t.throws(() => util.parseGithubUrl("http:///::::433"), {
+    message: '"http:///::::433" is not a valid URL',
+  });
+});
diff --git a/src/util.ts b/src/util.ts
@@ -165,3 +165,46 @@ export function getCodeQLDatabasesDir(tempDir: string) {
 export function getCodeQLDatabasePath(tempDir: string, language: Language) {
   return path.resolve(getCodeQLDatabasesDir(tempDir), language);
 }
+
+/**
+ * Parses user input of a github.com or GHES URL to a canonical form.
+ * Removes any API prefix or suffix if one is present.
+ */
+export function parseGithubUrl(inputUrl: string): string {
+  const originalUrl = inputUrl;
+  if (inputUrl.indexOf("://") === -1) {
+    inputUrl = `https://${inputUrl}`;
+  }
+  if (!inputUrl.startsWith("http://") && !inputUrl.startsWith("https://")) {
+    throw new Error(`"${originalUrl}" is not a http or https URL`);
+  }
+
+  let url: URL;
+  try {
+    url = new URL(inputUrl);
+  } catch (e) {
+    throw new Error(`"${originalUrl}" is not a valid URL`);
+  }
+
+  // If we detect this is trying to be to github.com
+  // then return with a fixed canonical URL.
+  if (url.hostname === "github.com" || url.hostname === "api.github.com") {
+    return "https://github.com/";
+  }
+
+  // Remove the API prefix if it's present
+  if (url.pathname.indexOf("/api/v3") !== -1) {
+    url.pathname = url.pathname.substring(0, url.pathname.indexOf("/api/v3"));
+  }
+  // Also consider subdomain isolation on GHES
+  if (url.hostname.startsWith("api.")) {
+    url.hostname = url.hostname.substring(4);
+  }
+
+  // Normalise path to having a trailing slash for consistency
+  if (!url.pathname.endsWith("/")) {
+    url.pathname = `${url.pathname}/`;
+  }
+
+  return url.toString();
+}