Skip to content

Video component#567

Merged
rajat1saxena merged 7 commits intomainfrom
rajat1saxena/issue566
Apr 4, 2025
Merged

Video component#567
rajat1saxena merged 7 commits intomainfrom
rajat1saxena/issue566

Conversation

@rajat1saxena
Copy link
Copy Markdown
Member

@rajat1saxena rajat1saxena commented Mar 30, 2025

No description provided.

github-advanced-security[bot]
github-advanced-security AI found potential problems Mar 30, 2025
View reviewed changes
Comment thread packages/components-library/src/video-with-preview.tsx
const detectVideoType = (): VideoType => {
const url = videoUrl.toLowerCase();

if (url.includes("youtube.com") || url.includes("youtu.be")) {

Check failure

Code scanning / CodeQL

Incomplete URL substring sanitization High

'
youtube.com
Loading
' can be anywhere in the URL, and arbitrary hosts may come before or after it.

Copilot Autofix

AI about 1 year ago

To fix the problem, we need to parse the URL and check the host value explicitly rather than using substring checks. This ensures that the host is exactly what we expect and not part of a larger, potentially malicious URL. We will use the URL class to parse the URL and then check the hostname against a whitelist of allowed hosts.

  • Parse the URL using the URL class.
  • Check the hostname against a whitelist of allowed hosts.
  • Update the detectVideoType function to use this new method.
Suggested changeset 1
packages/components-library/src/video-with-preview.tsx

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/components-library/src/video-with-preview.tsx b/packages/components-library/src/video-with-preview.tsx
--- a/packages/components-library/src/video-with-preview.tsx
+++ b/packages/components-library/src/video-with-preview.tsx
@@ -35,10 +35,15 @@
     const detectVideoType = (): VideoType => {
-        const url = videoUrl.toLowerCase();
+        try {
+            const url = new URL(videoUrl);
+            const hostname = url.hostname.toLowerCase();
 
-        if (url.includes("youtube.com") || url.includes("youtu.be")) {
-            return "youtube";
-        }
+            if (hostname === "youtube.com" || hostname === "www.youtube.com" || hostname === "youtu.be") {
+                return "youtube";
+            }
 
-        if (url.includes("vimeo.com")) {
-            return "vimeo";
+            if (hostname === "vimeo.com" || hostname === "www.vimeo.com") {
+                return "vimeo";
+            }
+        } catch (error) {
+            console.error("Invalid URL:", error);
         }
EOF
@@ -35,10 +35,15 @@
const detectVideoType = (): VideoType => {
const url = videoUrl.toLowerCase();
try {
const url = new URL(videoUrl);
const hostname = url.hostname.toLowerCase();

if (url.includes("youtube.com") || url.includes("youtu.be")) {
return "youtube";
}
if (hostname === "youtube.com" || hostname === "www.youtube.com" || hostname === "youtu.be") {
return "youtube";
}

if (url.includes("vimeo.com")) {
return "vimeo";
if (hostname === "vimeo.com" || hostname === "www.vimeo.com") {
return "vimeo";
}
} catch (error) {
console.error("Invalid URL:", error);
}
Copilot is powered by AI and may make mistakes. Always verify output.
Comment thread packages/components-library/src/video-with-preview.tsx
return "youtube";
}

if (url.includes("vimeo.com")) {

Check failure

Code scanning / CodeQL

Incomplete URL substring sanitization High

'
vimeo.com
Loading
' can be anywhere in the URL, and arbitrary hosts may come before or after it.

Copilot Autofix

AI about 1 year ago

To fix the problem, we need to parse the URL and check the host value instead of using a substring check. This ensures that the check is accurate and not prone to bypasses by embedding the target string in unexpected locations.

  • Parse the URL using the URL constructor.
  • Extract the host from the parsed URL.
  • Check if the host matches "vimeo.com" or "www.vimeo.com".
Suggested changeset 1
packages/components-library/src/video-with-preview.tsx

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/components-library/src/video-with-preview.tsx b/packages/components-library/src/video-with-preview.tsx
--- a/packages/components-library/src/video-with-preview.tsx
+++ b/packages/components-library/src/video-with-preview.tsx
@@ -41,4 +41,9 @@
 
-        if (url.includes("vimeo.com")) {
-            return "vimeo";
+        try {
+            const parsedUrl = new URL(videoUrl);
+            if (parsedUrl.hostname === "vimeo.com" || parsedUrl.hostname === "www.vimeo.com") {
+                return "vimeo";
+            }
+        } catch (error) {
+            console.error("Invalid URL:", error);
         }
EOF
@@ -41,4 +41,9 @@

if (url.includes("vimeo.com")) {
return "vimeo";
try {
const parsedUrl = new URL(videoUrl);
if (parsedUrl.hostname === "vimeo.com" || parsedUrl.hostname === "www.vimeo.com") {
return "vimeo";
}
} catch (error) {
console.error("Invalid URL:", error);
}
Copilot is powered by AI and may make mistakes. Always verify output.
@rajat1saxena rajat1saxena merged commit f3e6ede into main Apr 4, 2025
3 of 4 checks passed
This was referenced Apr 5, 2025
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rajat1saxena @github-advanced-security