From 75edcd06dd53fc00236f96e2c085530df9a7247d Mon Sep 17 00:00:00 2001 From: FG-TUM Date: Thu, 25 Jan 2024 13:53:00 +0100 Subject: [PATCH] input sanitation --- badges/coverage.svg | 2 +- dist/index.js | 18 ++++++++++++++++-- src/main.ts | 23 +++++++++++++++++++++-- 3 files changed, 38 insertions(+), 5 deletions(-) diff --git a/badges/coverage.svg b/badges/coverage.svg index 59b9f81..4aa2681 100644 --- a/badges/coverage.svg +++ b/badges/coverage.svg @@ -1 +1 @@ -Coverage: 95.18%Coverage95.18% \ No newline at end of file +Coverage: 94.76%Coverage94.76% \ No newline at end of file diff --git a/dist/index.js b/dist/index.js index 70c6b0e..da2f5b1 100644 --- a/dist/index.js +++ b/dist/index.js @@ -28941,6 +28941,15 @@ const github = __importStar(__nccwpck_require__(5438)); const fs = __importStar(__nccwpck_require__(7147)); const path = __importStar(__nccwpck_require__(1017)); const utils_1 = __nccwpck_require__(1314); +/** + * Checks if file extensions start with a '.' and then only consist of letters and numbers. + * @param extensions Array of extensions to check. + * @return True if extension matches the sane pattern. + */ +function extensionsIsSane(extension) { + // The regex checks if e starts with '.' and only has letters or numbers afterwards until the end. + return /^\.[a-zA-Z0-9]+$/.test(extension); +} /** * Get the list of file tags anywhere in the given file. * A file tag is defined as a continuous word without `/` or white spaces and terminated by a file ending. @@ -29196,8 +29205,7 @@ async function run() { const ghToken = core.getInput('githubToken'); // Sanity check if (ghToken === undefined) { - core.setFailed(`ghToken === undefined. Aborting`); - return; + throw new Error(`ghToken === undefined. Aborting`); } // Split on any whitespace, ',', ';', or combination const splitRegex = /[\s,;]+/; 
@@ -29210,11 +29218,17 @@ async function run() { const docFileExtensions = (core.getInput('docFileExtensions') || 'md') .split(splitRegex) .map(s => (s.startsWith('.') ? s : `.${s}`)); + if (!docFileExtensions.every(e => extensionsIsSane(e))) { + throw new Error(`At least one doc extension contains something other than numbers or letters.\ndocFileExtensions: ${docFileExtensions}`); + } core.info(`Doc file extensions: ${docFileExtensions}`); // Parse source extensions, split, and make sure they start with '.' const srcFileExtensions = (core.getInput('srcFileExtensions') || 'cpp h txt') .split(splitRegex) .map(s => (s.startsWith('.') ? s : `.${s}`)); + if (!srcFileExtensions.every(e => extensionsIsSane(e))) { + throw new Error(`At least one src extension contains something other than numbers or letters.\nsrcFileExtensions: ${srcFileExtensions}`); + } core.info(`Source file extensions: ${srcFileExtensions}`); const docFiles = getDocFiles(dirs, docFileExtensions, recurseUserDocDirs); core.info(`User doc files: ${docFiles}`); diff --git a/src/main.ts b/src/main.ts index d21d05d..e82d38a 100644 --- a/src/main.ts +++ b/src/main.ts @@ -9,6 +9,16 @@ import { getUrlToFile } from './utils' +/** + * Checks if file extensions start with a '.' and then only consist of letters and numbers. + * @param extensions Array of extensions to check. + * @return True if extension matches the sane pattern. + */ +function extensionsIsSane(extension: string): boolean { + // The regex checks if e starts with '.' and only has letters or numbers afterwards until the end. + return /^\.[a-zA-Z0-9]+$/.test(extension) +} + /** * Get the list of file tags anywhere in the given file. * A file tag is defined as a continuous word without `/` or white spaces and terminated by a file ending. 
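Review bot: The docstring on `extensionsIsSane` in src/main.ts does not match its signature: `@param extensions Array of extensions to check.` describes an array, but the function takes a single `extension: string`, and the inline comment refers to `e`, which is not a name in this function. I would write `@param extension A single file extension including the leading '.'.`, spell the tag `@returns`, and rename the function to `extensionIsSane` so the name agrees with what it checks. The docstring should also say why the allow-list exists. Where the extensions are consumed is outside this hunk, so the sink the check protects (presumably a pattern or path built from them) should be named by someone who can confirm it.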
@@ -328,8 +338,7 @@ export async function run(): Promise {
 const ghToken = core.getInput('githubToken')
 // Sanity check
 if (ghToken === undefined) {
- core.setFailed(`ghToken === undefined. Aborting`)
- return
+ throw new Error(`ghToken === undefined. Aborting`)
 }
 // Split on any whitespace, ',', ';', or combination
 const splitRegex = /[\s,;]+/
@@ -343,6 +352,11 @@ export async function run(): Promise {
 const docFileExtensions = (core.getInput('docFileExtensions') || 'md')
 .split(splitRegex)
 .map(s => (s.startsWith('.') ? s : `.${s}`))
+ if (!docFileExtensions.every(e => extensionsIsSane(e))) {
+ throw new Error(
+ `At least one doc extension contains something other than numbers or letters.\ndocFileExtensions: ${docFileExtensions}`
+ )
+ }
 core.info(`Doc file extensions: ${docFileExtensions}`)
 // Parse source extensions, split, and make sure they start with '.'
 const srcFileExtensions = (
@@ -350,6 +364,11 @@ export async function run(): Promise {
 )
 .split(splitRegex)
 .map(s => (s.startsWith('.') ? s : `.${s}`))
+ if (!srcFileExtensions.every(e => extensionsIsSane(e))) {
+ throw new Error(
+ `At least one src extension contains something other than numbers or letters.\nsrcFileExtensions: ${srcFileExtensions}`
+ )
+ }
 core.info(`Source file extensions: ${srcFileExtensions}`)
 const docFiles = getDocFiles(dirs, docFileExtensions, recurseUserDocDirs)
 core.info(`User doc files: ${docFiles}`)
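Review bot: The guard `if (ghToken === undefined)` in the `@@ -328,8 +338,7 @@` hunk can never fire, because `core.getInput` returns a string and yields `''` when the input is not set. A missing token therefore still passes this sanity check and only surfaces later, at the first authenticated call. Testing for the empty string, `if (ghToken === '')`, or reading the input with `core.getInput('githubToken', { required: true })` makes the check effective. Replacing `core.setFailed` and `return` with `throw` also depends on something marking the run as failed when `run()` rejects; `run()` starts and ends outside this hunk, so that handler should be confirmed.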
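Review bot: An empty token reaches the new check in the `@@ -343,6 +352,11 @@` hunk: an input such as `md,` (a trailing `,` or `;`) splits into `['md', '']`, the `map` turns `''` into `'.'`, and `extensionsIsSane('.')` is false. The action then aborts with a message about characters other than numbers or letters, which does not describe the cause. Dropping empty tokens before normalising, `.split(splitRegex).filter(s => s !== '')`, keeps the allow-list strict without rejecting a harmless separator. The same applies to the `srcFileExtensions` check in the `@@ -350,6 +364,11 @@` hunk. The pattern also rejects extensions such as `.c++` or `.tar.gz`; if that is intended, the input description should say so.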