feat: Custom lint rules#9920
Draft
fiosman wants to merge 53 commits into
Draft
Conversation
…ruleset file [INS-2338] Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: Copilot <copilot@github.com>
…ects Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: Copilot <copilot@github.com>
… field; change from FormData to JSON
Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: Copilot <copilot@github.com>
✅ Circular References ReportGenerated at: 2026-05-20T15:18:12.887Z Summary
Click to view all circular references in PR (19)Click to view all circular references in base branch (19)Analysis✅ No Change: This PR does not introduce or remove any circular references. This report was generated automatically by comparing against the |
…set with severity tuples in extends
Comment on lines
+57
to
+66
| export function isPrivateOrLoopbackHost(hostname: string): boolean { | ||
| if (hostname === 'localhost' || hostname.endsWith('.localhost')) { | ||
| return true; | ||
| } | ||
| const host = hostname.startsWith('[') && hostname.endsWith(']') ? hostname.slice(1, -1) : hostname; | ||
| if (!ipaddr.isValid(host)) { | ||
| return false; | ||
| } | ||
| return ipaddr.process(host).range() !== 'unicast'; | ||
| } |
Contributor
There was a problem hiding this comment.
Confirmed this can be circumventable during domain resolution to hit localhost. If the domain resolves to 127.0.0.1 it's possible to interact with internal services. You can URL https://app.localtest.me/rules.yaml to verify.
| const SAFE_URL_SCHEMES = ['https:']; | ||
|
|
||
| // Check if path is absolute file path (e.g. /foo/bar.yaml, C:\foo\bar.yaml, \\server\share\file.yaml) | ||
| function isAbsoluteFilePath(value: string): boolean { |
Contributor
There was a problem hiding this comment.
Any way to use insecureReadFile() to limit this based on what users grant access to within settings?
|
|
||
| // Check if path is absolute file path (e.g. /foo/bar.yaml, C:\foo\bar.yaml, \\server\share\file.yaml) | ||
| function isAbsoluteFilePath(value: string): boolean { | ||
| return value.startsWith('/') || value.startsWith('\\\\') || /^[A-Za-z]:[\\/]/.test(value); |
Contributor
There was a problem hiding this comment.
Haven't found a way to leverage this into anything, but came up anyway. Depending on OS thevalue.startsWith('\\\\') || /^[A-Za-z]:[\\/]/.test(value); will resolve as a relative path. Any way to do a conditional check of OS to prevent that?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adding tests