From 06ca08cbaf7dbdbbe94c271df4d565c94c8b537f Mon Sep 17 00:00:00 2001
From: George <31376482+george-gca@users.noreply.github.com>
Date: Tue, 23 Apr 2024 11:29:15 -0300
Subject: [PATCH] Fixed security issue with download 3rd party plugin (#2365)

Added condition to avoid security issue according to GitHub's dependabot

![image](https://github.com/alshedivat/al-folio/assets/31376482/b470a83a-5038-48be-99a6-1cbf63de57bf)

---------

Signed-off-by: George Araujo
---
 _plugins/download-3rd-party.rb | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/_plugins/download-3rd-party.rb b/_plugins/download-3rd-party.rb
index 18b7c6ca6f07..12dd9ad7467a 100644
--- a/_plugins/download-3rd-party.rb
+++ b/_plugins/download-3rd-party.rb
@@ -7,6 +7,11 @@ require 'uri'
 
 def download_file(url, dest)
+  # only try to download the file if url doesn't start with | for security reasons
+  if url.start_with?('|')
+    return
+  end
+
   # create the directory if it doesn't exist
   dir = File.dirname(dest)
   unless File.directory?(dir)
@@ -30,11 +35,16 @@ def download_file(url, dest)
 end
 
 def download_fonts(url, dest)
+  # only try to download the file if url doesn't start with | for security reasons
+  if url.start_with?('|')
+    return
+  end
+
   # only download fonts if the directory doesn't exist or is empty
   unless File.directory?(dest) && !Dir.empty?(dest)
     puts "Downloading fonts from #{url} to #{dest}"
     # get available fonts from the url
-    doc = Nokogiri::HTML(URI().open(url, "User-Agent" => "Ruby/#{RUBY_VERSION}"))
+    doc = Nokogiri::HTML(URI.open(url, "User-Agent" => "Ruby/#{RUBY_VERSION}"))
     doc.css('a').each do |link|
       # get the file name from the url
       file_name = link['href'].split('/').last.split('?').first
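Review bot: The `if url.start_with?('|')` guard added at the top of download_file is a denylist for one spelling of the `Kernel#open` pipe form, but `URI.open` only routes strings with a recognised scheme to open-uri and falls through to `Kernel#open` for everything else, so a bare local path in the config would still be opened as a file and the denylist has to track those rules by hand. Validating the parsed URI and opening through it removes the fallback altogether: `uri = URI.parse(url)` / `return unless uri.is_a?(URI::HTTP)` (URI::HTTPS is a subclass), and in the download_fonts hunk `doc = Nokogiri::HTML(uri.open("User-Agent" => "Ruby/#{RUBY_VERSION}"))`. The bare `return` also hides a misconfigured URL, so a `warn "Skipping #{url}: unsupported scheme"` before it, or an ArgumentError, would make the rejection visible in the build log. The same four-line guard is repeated in the download_fonts and download_fonts_from_css hunks and belongs in one shared helper. download_file's body, including the call this guard protects, continues outside the hunk.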
@@ -49,6 +59,11 @@ def download_fonts(url, dest)
 end
 
 def download_fonts_from_css(config, url, dest)
+  # only try to download the file if url doesn't start with | for security reasons
+  if url.start_with?('|')
+    return
+  end
+
   # get the file name from the url
   file_name = url.split('/').last.split('?').first