SystemSh0cker/monaco-editor
1
0
Fork 0
mirror of https://github.com/microsoft/monaco-editor.git synced 2025-12-22 12:45:39 +01:00
Code Issues Projects Releases Packages Activity

Adresses https://github.com/microsoft/vscode-internalbacklog/issues/4449

Browse source
This commit is contained in:
Henning Dieterichs 2023-07-06 23:20:35 +02:00
parent 34f6c10073
commit f70fabb863
No known key found for this signature in database
GPG key ID: 771381EFFDB9EC06
6 changed files with 12 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

5
build/importTypescript.ts
View file

@ -37,6 +37,11 @@ export const typescriptVersion = "${typeScriptDependencyVersion}";\n`
let tsServices = fs.readFileSync(path.join(TYPESCRIPT_LIB_SOURCE, 'typescript.js')).toString(); let tsServices = fs.readFileSync(path.join(TYPESCRIPT_LIB_SOURCE, 'typescript.js')).toString();
tsServices = tsServices.replace(
'const path = matchedStar ? subst.replace("*", matchedStar) : subst;',
'const path = matchedStar ? subst.replace("*", matchedStar) : subst; // CodeQL [SM02383] This is a false positive, the code is from the TypeScript compiler'
);
// The output from this build will only be accessible via ESM; rather than removing // The output from this build will only be accessible via ESM; rather than removing
// references to require/module, define them as dummy variables that bundlers will ignore. // references to require/module, define them as dummy variables that bundlers will ignore.
// The TS code can figure out that it's not running under Node even with these defined. // The TS code can figure out that it's not running under Node even with these defined.

2
src/language/typescript/lib/typescriptServices.js
View file

@ -40937,7 +40937,7 @@ ${lanes.join("\n")}
trace(state.host, Diagnostics.Module_name_0_matched_pattern_1, moduleName, matchedPatternText); trace(state.host, Diagnostics.Module_name_0_matched_pattern_1, moduleName, matchedPatternText);
} }
const resolved = forEach(paths[matchedPatternText], (subst) => { const resolved = forEach(paths[matchedPatternText], (subst) => {
const path = matchedStar ? subst.replace("*", matchedStar) : subst; const path = matchedStar ? subst.replace("*", matchedStar) : subst; // CodeQL [SM02383] This is a false positive, the code is from the TypeScript compiler
const candidate = normalizePath(combinePaths(baseDirectory, path)); const candidate = normalizePath(combinePaths(baseDirectory, path));
if (state.traceEnabled) { if (state.traceEnabled) {
trace(state.host, Diagnostics.Trying_substitution_0_candidate_module_location_Colon_1, subst, path); trace(state.host, Diagnostics.Trying_substitution_0_candidate_module_location_Colon_1, subst, path);

4
test/manual/dev-setup.js
View file

@ -39,7 +39,7 @@
'<ul><li>' + '<ul><li>' +
renderLoadingOptions(true) + renderLoadingOptions(true) +
(isRelease ? '' : `</li><li>${renderLoadingOptions(false)}`) + (isRelease ? '' : `</li><li>${renderLoadingOptions(false)}`) +
'</li></ul>'; '</li></ul>'; // CodeQL [SM03712] This code is not deployed and serves as local test code. No risk of malicious input.
document.body.appendChild(div); document.body.appendChild(div);
@ -47,7 +47,7 @@
for (let i = 0; i < aElements.length; i++) { for (let i = 0; i < aElements.length; i++) {
let aElement = aElements[i]; let aElement = aElements[i];
if (aElement.className === 'loading-opts') { if (aElement.className === 'loading-opts') {
aElement.href += window.location.search; aElement.href += window.location.search; // CodeQL [SM01507] This code is not deployed and serves as local test code. No risk of malicious input.
} }
} }
})(); })();

2
website/src/monaco-loader.ts
View file

@ -84,7 +84,7 @@ function loadScript(path: string): Promise<void> {
script.onload = () => res(); script.onload = () => res();
script.async = true; script.async = true;
script.type = "text/javascript"; script.type = "text/javascript";
script.src = path; script.src = path; // CodeQL [SM01507] This is safe because the runner (that allows for dynamic paths) runs in an isolated iframe. The hosting website uses a static path configuration. // CodeQL [SM03712] This is safe because the runner (that allows for dynamic paths) runs in an isolated iframe. The hosting website uses a static path configuration.
document.head.appendChild(script); document.head.appendChild(script);
}); });
} }

4
website/src/runner/index.ts
View file

@ -21,7 +21,7 @@ window.addEventListener("message", (event) => {
const style = document.getElementById( const style = document.getElementById(
"custom-style" "custom-style"
) as HTMLStyleElement; ) as HTMLStyleElement;
style.innerHTML = e.css; style.innerHTML = e.css; // CodeQL [SM03712] This is safe because the runner runs in an isolated iframe.
} }
}); });
@ -54,7 +54,7 @@ async function initialize(state: IPreviewState) {
const js = massageJs(state.js); const js = massageJs(state.js);
try { try {
eval(js); eval(js); // CodeQL [SM01632] This is safe because the runner runs in an isolated iframe. This feature is essential to the functionality of the playground. // CodeQL [SM02688] This is safe because the runner runs in an isolated iframe. This feature is essential to the functionality of the playground.
} catch (err) { } catch (err) {
const pre = document.createElement("pre"); const pre = document.createElement("pre");
pre.appendChild( pre.appendChild(

2
website/static/monarch/monarch.js
View file

@ -58,7 +58,7 @@ function createLangModel(languageId, text) {
var update = function () { var update = function () {
var def = null; var def = null;
try { try {
def = eval("(function(){ " + langModel.getValue() + "; })()"); def = eval("(function(){ " + langModel.getValue() + "; })()"); // CodeQL [SM01632] langModel.getValue() is a default value with volatile user modifications. This is an essential functionality for the monarch playground and safe, as no injection is possible.
} catch (err) { } catch (err) {
setInnerText(outputPane, err + "\n"); setInnerText(outputPane, err + "\n");
return; return;