Adresses https://github.com/microsoft/vscode-internalbacklog/issues/4449

2023-07-06 23:20:35 +02:00 · 2023-07-06 23:20:35 +02:00 · f70fabb863
--- a/build/importTypescript.ts
+++ b/build/importTypescript.ts
@ -37,6 +37,11 @@ export const typescriptVersion = "${typeScriptDependencyVersion}";\n`

 	let tsServices = fs.readFileSync(path.join(TYPESCRIPT_LIB_SOURCE, 'typescript.js')).toString();

+	tsServices = tsServices.replace(
+		'const path = matchedStar ? subst.replace("*", matchedStar) : subst;',
+		'const path = matchedStar ? subst.replace("*", matchedStar) : subst; // CodeQL [SM02383] This is a false positive, the code is from the TypeScript compiler'
+	);
+
 	// The output from this build will only be accessible via ESM; rather than removing
 	// references to require/module, define them as dummy variables that bundlers will ignore.
 	// The TS code can figure out that it's not running under Node even with these defined.
--- a/src/language/typescript/lib/typescriptServices.js
+++ b/src/language/typescript/lib/typescriptServices.js
@ -40937,7 +40937,7 @@ ${lanes.join("\n")}
        trace(state.host, Diagnostics.Module_name_0_matched_pattern_1, moduleName, matchedPatternText);
      }
      const resolved = forEach(paths[matchedPatternText], (subst) => {
-        const path = matchedStar ? subst.replace("*", matchedStar) : subst;
+        const path = matchedStar ? subst.replace("*", matchedStar) : subst; // CodeQL [SM02383] This is a false positive, the code is from the TypeScript compiler
        const candidate = normalizePath(combinePaths(baseDirectory, path));
        if (state.traceEnabled) {
          trace(state.host, Diagnostics.Trying_substitution_0_candidate_module_location_Colon_1, subst, path);
--- a/test/manual/dev-setup.js
+++ b/test/manual/dev-setup.js
@ -39,7 +39,7 @@
 			'<ul><li>' +
 			renderLoadingOptions(true) +
 			(isRelease ? '' : `</li><li>${renderLoadingOptions(false)}`) +
-			'</li></ul>';
+			'</li></ul>'; // CodeQL [SM03712] This code is not deployed and serves as local test code. No risk of malicious input.

 		document.body.appendChild(div);

@ -47,7 +47,7 @@
 		for (let i = 0; i < aElements.length; i++) {
 			let aElement = aElements[i];
 			if (aElement.className === 'loading-opts') {
-				aElement.href += window.location.search;
+				aElement.href += window.location.search; // CodeQL [SM01507] This code is not deployed and serves as local test code. No risk of malicious input.
 			}
 		}
 	})();
--- a/website/src/monaco-loader.ts
+++ b/website/src/monaco-loader.ts
@ -84,7 +84,7 @@ function loadScript(path: string): Promise<void> {
 		script.onload = () => res();
 		script.async = true;
 		script.type = "text/javascript";
-		script.src = path;
+		script.src = path; // CodeQL [SM01507] This is safe because the runner (that allows for dynamic paths) runs in an isolated iframe. The hosting website uses a static path configuration. // CodeQL [SM03712] This is safe because the runner (that allows for dynamic paths) runs in an isolated iframe. The hosting website uses a static path configuration.
 		document.head.appendChild(script);
 	});
 }
--- a/website/src/runner/index.ts
+++ b/website/src/runner/index.ts
@ -21,7 +21,7 @@ window.addEventListener("message", (event) => {
 		const style = document.getElementById(
 			"custom-style"
 		) as HTMLStyleElement;
-		style.innerHTML = e.css;
+		style.innerHTML = e.css; // CodeQL [SM03712] This is safe because the runner runs in an isolated iframe.
 	}
 });

@ -54,7 +54,7 @@ async function initialize(state: IPreviewState) {
 	const js = massageJs(state.js);

 	try {
-		eval(js);
+		eval(js); // CodeQL [SM01632] This is safe because the runner runs in an isolated iframe. This feature is essential to the functionality of the playground. // CodeQL [SM02688] This is safe because the runner runs in an isolated iframe. This feature is essential to the functionality of the playground.
 	} catch (err) {
 		const pre = document.createElement("pre");
 		pre.appendChild(
--- a/website/static/monarch/monarch.js
+++ b/website/static/monarch/monarch.js
@ -58,7 +58,7 @@ function createLangModel(languageId, text) {
 	var update = function () {
 		var def = null;
 		try {
-			def = eval("(function(){ " + langModel.getValue() + "; })()");
+			def = eval("(function(){ " + langModel.getValue() + "; })()"); // CodeQL [SM01632] langModel.getValue() is a default value with volatile user modifications. This is an essential functionality for the monarch playground and safe, as no injection is possible.
 		} catch (err) {
 			setInnerText(outputPane, err + "\n");
 			return;