Tatsh / wiswa / 26271312370

100%

push

github

tool.utils.postprocess: validate npm registry by hostname

The README badge generator previously gated the npmjs.com NPM Version /
NPM Downloads badges with
``publish_registry.startswith('https://registry.npmjs.org')``. A
spoofed `publishConfig.registry` such as
``https://registry.npmjs.org.evil.example/`` matched the prefix and
caused the generator to emit npmjs.com badges that linked to a wrong
(or attacker-chosen) package page.

Parse the registry URL with :py:func:`urllib.parse.urlparse` and check
``hostname == 'registry.npmjs.org'`` instead. Substring sanitisation on
URL strings is bypass-prone (CWE-20); hostname equality after parsing
is the recommended pattern.

Regression test:
``test_post_process_steps_badges_typescript_spoofed_registry_rejected``
asserts that the exact attack URL is rejected (no
``img.shields.io/npm/v/`` or ``img.shields.io/npm/dm/`` badges are
emitted). Blue-Army verified: stashing the fix makes the new test fail
with the buggy substring detected.

Fixes CodeQL alert
https://github.com/Tatsh/wiswa/security/code-scanning/4
(``py/incomplete-url-substring-sanitization``, CWE-20, high severity).

Signed-off-by: Andrew Udvare <audvare@gmail.com>

371 of 371 branches covered (100.0%)

Branch coverage included in aggregate %.

3 of 3 new or added lines in 1 file covered. (100.0%)

1944 of 1944 relevant lines covered (100.0%)

5.0 hits per line