acmcarther/qwen-code
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 6

Potential fix for code scanning alert no. 24: Incomplete URL substring sanitization

Browse source 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
This commit is contained in:
tanzhenxin 2025-08-15 17:10:20 +08:00 committed by GitHub
parent 5d4a9452d8
commit a925ac56fa
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 12 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
packages/core/src/tools/web-fetch.ts
View file

@ -174,10 +174,18 @@ ${textContent}
// Perform GitHub URL conversion here to differentiate between user-provided // Perform GitHub URL conversion here to differentiate between user-provided
// URL and the actual URL to be fetched. // URL and the actual URL to be fetched.
let url = params.url; let url = params.url;
if (url.includes('github.com') && url.includes('/blob/')) { try {
url = url const parsedUrl = new URL(url);
.replace('github.com', 'raw.githubusercontent.com') if (
.replace('/blob/', '/'); parsedUrl.hostname === 'github.com' &&
parsedUrl.pathname.includes('/blob/')
) {
url = url
.replace('github.com', 'raw.githubusercontent.com')
.replace('/blob/', '/');
}
} catch (e) {
// If the URL is invalid, leave it unchanged (or handle as needed)
} }
const confirmationDetails: ToolCallConfirmationDetails = { const confirmationDetails: ToolCallConfirmationDetails = {