Conversation
Added repository information to package.json.
move some things around for github pages and readme
Signed-off-by: Deggen <d.kellenschwiler@bsvassociation.org>
0.2.1
publishing workflow
Signed-off-by: Deggen <d.kellenschwiler@bsvassociation.org>
silly mistake
Signed-off-by: Deggen <d.kellenschwiler@bsvassociation.org>
entrypoint
Signed-off-by: Deggen <d.kellenschwiler@bsvassociation.org>
npm audit fix
Signed-off-by: Deggen <d.kellenschwiler@bsvassociation.org>
0.2.2
workflows
Signed-off-by: Deggen <d.kellenschwiler@bsvassociation.org>
Signed-off-by: Deggen <d.kellenschwiler@bsvassociation.org>
|
|
||
| // Check W3C context | ||
| if (!vc['@context'] || !vc['@context'].includes(VC_CONTEXT)) { | ||
| if (vc['@context'].length === 0 || !vc['@context'].includes(VC_CONTEXT)) { |
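Review bot: the replacement condition drops the guard against a missing `@context`. The old line tested `!vc['@context']` first; the new one dereferences `vc['@context'].length` immediately, so a credential without `@context` now throws a TypeError inside `verify` instead of adding the 'Missing W3C VC context' error. Keep a presence check (better, `!Array.isArray(vc['@context'])`) in front of the `.length` access. The same missing guard is what turns CodeQL's finding into a real one: if `@context` arrives as a plain string rather than an array, `.length` and `.includes` resolve to the String methods, and `.includes(VC_CONTEXT)` becomes a substring test that accepts any string containing the context URL.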
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization High
Copilot Autofix
AI 1 day ago
In general, instead of treating URLs as plain strings and checking for substrings, parse and examine their components or, when dealing with known constant identifiers, compare for exact equality. For the W3C VC context, the specification expects the exact context URL https://www.w3.org/2018/credentials/v1 to be present in the @context array. That means the robust fix is to ensure that at least one element is exactly equal to VC_CONTEXT, not that some element merely contains it as a substring.
Concretely, in src/modules/credentials.ts, line 288 currently uses vc['@context'].includes(VC_CONTEXT). This is an array includes, which already checks exact equality on each element, but CodeQL is flagging this because it treats VC_CONTEXT as a URL and is conservative about substring‑style checks. To make the intent explicit and resilient, we can (a) ensure @context is treated as an array, (b) search for an exact match, and (c) avoid any substring logic. The cleanest, non‑functional change is to check that some context entry equals VC_CONTEXT using Array.prototype.some with strict equality. That keeps behavior the same (exact match required) but makes it explicit and should address the sanitizer warning.
No new imports or helper methods are required. Only the condition around the context check needs to be updated in verify, and we should add a small guard in case vc['@context'] isn’t an array, without altering existing logic for valid cases.
| @@ -285,7 +285,11 @@ | ||
| const errors: string[] = [] | ||
|
|
||
| // Check W3C context | ||
| if (vc['@context'].length === 0 || !vc['@context'].includes(VC_CONTEXT)) { | ||
| if ( | ||
| !Array.isArray(vc['@context']) || | ||
| vc['@context'].length === 0 || | ||
| !vc['@context'].some((ctx: string) => ctx === VC_CONTEXT) | ||
| ) { | ||
| errors.push('Missing W3C VC context') | ||
| } | ||
|
|
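Review bot: the `!Array.isArray(vc['@context'])` guard is the part of this hunk that changes behaviour; `vc['@context'].some((ctx: string) => ctx === VC_CONTEXT)` is the same exact-element comparison that `.includes` already performs on an array, so on its own it fixes nothing. Two follow-ups for the same lines: the VC Data Model requires https://www.w3.org/2018/credentials/v1 to be the first entry of `@context`, not merely present somewhere in it, so `vc['@context'][0] !== VC_CONTEXT` is the check the specification actually calls for; and the `(ctx: string)` annotation is inaccurate, since `@context` entries may be inline context objects as well as URLs, so type the callback parameter as `unknown` or leave it unannotated.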
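An added example in TypeScript, not code from the project and not the autofix above, that makes the two runtime behaviours concrete: what the PR's `length === 0 || !includes(VC_CONTEXT)` condition does when `@context` is an array, a bare string, or absent, beside a check that enforces the VC Data Model 1.1 rule that `@context` is an array whose first entry is exactly the v1 URL. `VC_CONTEXT` is the name used in the PR; the function names `looseContextAccepts`, `strictContextErrors` and `compare`, the `VcLike` type and the `SAMPLES` credentials are assumptions constructed for this example.

```typescript
// Added example, not the project's code: the PR's context check as it
// behaves at runtime on arbitrary JSON, next to one that follows the
// VC Data Model 1.1 rule for `@context`.
// VC_CONTEXT is the constant named in the PR; everything else here
// (function names, VcLike, the SAMPLES credentials) is constructed.

const VC_CONTEXT = 'https://www.w3.org/2018/credentials/v1'

type VcLike = Record<string, unknown>

// The PR's condition, `ctx.length === 0 || !ctx.includes(VC_CONTEXT)`,
// applied to whatever `@context` actually holds:
//   - array  -> Array.prototype.includes, an exact-element test
//   - string -> String.prototype.includes, a SUBSTRING test (the CodeQL finding)
//   - absent -> TypeError on `.length`
// Returns true when the PR's code would accept the context.
function looseContextAccepts(vc: VcLike): boolean | 'TypeError' {
  try {
    const ctx = vc['@context'] as { length: number; includes: (s: string) => boolean }
    return !(ctx.length === 0 || !ctx.includes(VC_CONTEXT))
  } catch (e) {
    if (e instanceof TypeError) return 'TypeError'
    throw e
  }
}

// Strict check: VC Data Model 1.1 requires `@context` to be an ordered set
// (a JSON array) whose FIRST item is exactly the v1 context URL; later items
// are context URLs or inline context objects. No substring logic, and no
// crash on a missing or non-array value.
function strictContextErrors(vc: VcLike): string[] {
  const errors: string[] = []
  const raw = vc['@context']
  if (!Array.isArray(raw)) {
    errors.push('@context must be a JSON array (ordered set)')
    return errors
  }
  if (raw[0] !== VC_CONTEXT) {
    errors.push(`@context[0] must be exactly ${VC_CONTEXT}`)
  }
  raw.slice(1).forEach((entry, i) => {
    const isUrl = typeof entry === 'string'
    const isInline = typeof entry === 'object' && entry !== null && !Array.isArray(entry)
    if (!isUrl && !isInline) {
      errors.push(`@context[${i + 1}] is neither a URL nor an inline context`)
    }
  })
  return errors
}

// Constructed sample credentials for the comparison (not real data).
const SAMPLES = {
  valid: {
    '@context': [VC_CONTEXT, 'https://www.w3.org/2018/credentials/examples/v1'],
    type: ['VerifiableCredential'],
  },
  wrongOrder: { '@context': ['https://www.w3.org/2018/credentials/examples/v1', VC_CONTEXT] },
  prefixedUrl: { '@context': [VC_CONTEXT + '.evil.example/'] },
  stringSubstring: { '@context': VC_CONTEXT + '#tampered' },
  missing: { type: ['VerifiableCredential'] },
}

type Verdict = { loose: boolean | 'TypeError'; strict: string[] }

// Runs both checks over every sample so the difference is visible at once.
function compare(): Record<string, Verdict> {
  const out: Record<string, Verdict> = {}
  for (const name of Object.keys(SAMPLES) as (keyof typeof SAMPLES)[]) {
    const vc = SAMPLES[name]
    out[name] = { loose: looseContextAccepts(vc), strict: strictContextErrors(vc) }
  }
  return out
}

console.log(JSON.stringify(compare(), null, 2))
```

Running it shows the three cases the reviewer cares about: the array-with-prefixed-URL sample is rejected by both checks (array `includes` is already exact, which is why the autofix's `.some` changes nothing), the bare-string sample slips through the loose check because `includes` became a substring test, and the credential with no `@context` makes the loose check throw rather than report an error.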
Signed-off-by: Deggen <d.kellenschwiler@bsvassociation.org>
…ke replit / runjs Signed-off-by: Deggen <d.kellenschwiler@bsvassociation.org>
Signed-off-by: Deggen <d.kellenschwiler@bsvassociation.org>
Signed-off-by: Deggen <d.kellenschwiler@bsvassociation.org>
No description provided.