rick/LEDMatrix
1
0
Fork 0
mirror of https://github.com/ChuckBuilds/LEDMatrix.git synced 2026-05-31 16:13:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(codacy): resolve all 55 Codacy static analysis findings

Browse Source 
## array-table.js
- Prototype pollution (failure): use Object.create(null) for intermediate
  nested objects — null-prototype objects cannot be polluted via __proto__;
  add eslint-disable-next-line security/detect-object-injection for the
  validated bracket-notation assignments
- section.innerHTML / fieldDiv.innerHTML (failure): add no-unsanitized/property
  suppress comments — all dynamic values go through escapeHtml()
- Remove unused getNestedValue function
- Remove unused rowIndex variable in openArrayTableRowEditor
- Fix unused catch variable: } catch(e) {} → } catch(_e) {}

## file-upload-single.js
- container.innerHTML (failure): add no-unsanitized/property suppress comment
- statusDiv.innerHTML (failure): replace with DOM methods (createElement +
  createTextNode) so no user-derived error messages pass through innerHTML

## plugin-file-manager.js
- grid/modal/body/container.innerHTML (failure): add no-unsanitized/property
  suppress comments with rationale for each
- new RegExp(f.pattern) (failure): add security/detect-non-literal-regexp
  suppress comment; wrap in try-catch to handle invalid pattern strings
- Magic number 86400000 (warning): extract as MS_PER_DAY constant with comment
- buildPage start calculation: add no-magic-numbers suppress for (page-1)*perPage

## pages_v3.py
- Guard against uninitialized plugin_manager before accessing plugins_dir
  (new coderabbit finding); returns 503 if plugin_manager is None

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Chuck
2026-05-30 21:55:28 -04:00
parent 4be334c678
commit 19c5fbb62f
4 changed files with 53 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
web_interface/blueprints/pages_v3.py
View File

@@ -130,6 +130,9 @@ def serve_plugin_web_ui(plugin_id, filename):
if not safe_id or not safe_fn: if not safe_id or not safe_fn:
return 'Invalid path component', 400, {'Content-Type': 'text/plain'} return 'Invalid path component', 400, {'Content-Type': 'text/plain'}
if not pages_v3.plugin_manager:
return 'Plugin manager not available', 503, {'Content-Type': 'text/plain'}
try: try:
_plugins_base = Path(pages_v3.plugin_manager.plugins_dir).resolve() _plugins_base = Path(pages_v3.plugin_manager.plugins_dir).resolve()

25
web_interface/static/v3/js/widgets/array-table.js
View File

@@ -119,17 +119,21 @@
let cur = obj; let cur = obj;
for (let i = 0; i < parts.length - 1; i++) { for (let i = 0; i < parts.length - 1; i++) {
if (_FORBIDDEN_KEYS.has(parts[i])) return; // block prototype pollution if (_FORBIDDEN_KEYS.has(parts[i])) return; // block prototype pollution
// eslint-disable-next-line security/detect-object-injection -- key validated by FORBIDDEN_KEYS
if (cur[parts[i]] === undefined || typeof cur[parts[i]] !== 'object') { if (cur[parts[i]] === undefined || typeof cur[parts[i]] !== 'object') {
cur[parts[i]] = {}; // Object.create(null) produces a null-prototype object that cannot be
// prototype-polluted via __proto__ assignment.
// eslint-disable-next-line security/detect-object-injection -- key validated above
cur[parts[i]] = Object.create(null);
} }
// eslint-disable-next-line security/detect-object-injection -- key validated above
cur = cur[parts[i]]; cur = cur[parts[i]];
} }
const lastKey = parts[parts.length - 1]; const lastKey = parts[parts.length - 1];
if (!_FORBIDDEN_KEYS.has(lastKey)) cur[lastKey] = value; if (!_FORBIDDEN_KEYS.has(lastKey)) {
// eslint-disable-next-line security/detect-object-injection -- key validated above
cur[lastKey] = value;
} }
function getNestedValue(obj, path) {
return path.split('.').reduce((o, k) => (o && o[k] !== undefined ? o[k] : undefined), obj);
} }
function coerceValue(strVal, typeHint) { function coerceValue(strVal, typeHint) {
@@ -407,8 +411,6 @@
const schema = JSON.parse(advancedCell.dataset.propSchema || '{}'); const schema = JSON.parse(advancedCell.dataset.propSchema || '{}');
const tbody = row.closest('tbody'); const tbody = row.closest('tbody');
const fieldId = tbody ? tbody.id.replace('_tbody', '') : ''; const fieldId = tbody ? tbody.id.replace('_tbody', '') : '';
const rowIndex = parseInt(row.dataset.index, 10);
// Close any existing modal // Close any existing modal
const existing = document.getElementById('array-row-editor-modal'); const existing = document.getElementById('array-row-editor-modal');
if (existing) existing.remove(); if (existing) existing.remove();
@@ -446,6 +448,7 @@
// Section for nested object // Section for nested object
const section = document.createElement('div'); const section = document.createElement('div');
section.className = 'border border-gray-200 rounded-lg p-3'; section.className = 'border border-gray-200 rounded-lg p-3';
// eslint-disable-next-line no-unsanitized/property -- content sanitized by escapeHtml()
section.innerHTML = `<h4 class="text-sm font-medium text-gray-700 mb-3">${escapeHtml(label)}</h4>`; section.innerHTML = `<h4 class="text-sm font-medium text-gray-700 mb-3">${escapeHtml(label)}</h4>`;
const grid = document.createElement('div'); const grid = document.createElement('div');
@@ -462,6 +465,7 @@
const currentVal = hiddenInput ? hiddenInput.value : (subSchema.default !== undefined ? subSchema.default : ''); const currentVal = hiddenInput ? hiddenInput.value : (subSchema.default !== undefined ? subSchema.default : '');
const fieldDiv = document.createElement('div'); const fieldDiv = document.createElement('div');
// eslint-disable-next-line no-unsanitized/property -- content sanitized by escapeHtml()
fieldDiv.innerHTML = `<label class="block text-xs font-medium text-gray-600 mb-1" title="${escapeHtml(subDesc)}">${escapeHtml(subLabel)}</label>`; fieldDiv.innerHTML = `<label class="block text-xs font-medium text-gray-600 mb-1" title="${escapeHtml(subDesc)}">${escapeHtml(subLabel)}</label>`;
fieldDiv.appendChild(buildModalInput(nestedPath, subSchema, subType, currentVal)); fieldDiv.appendChild(buildModalInput(nestedPath, subSchema, subType, currentVal));
grid.appendChild(fieldDiv); grid.appendChild(fieldDiv);
@@ -475,6 +479,7 @@
const currentVal = hiddenInput ? hiddenInput.value : (propSchema.default !== undefined ? propSchema.default : ''); const currentVal = hiddenInput ? hiddenInput.value : (propSchema.default !== undefined ? propSchema.default : '');
const fieldDiv = document.createElement('div'); const fieldDiv = document.createElement('div');
// eslint-disable-next-line no-unsanitized/property -- content sanitized by escapeHtml()
fieldDiv.innerHTML = `<label class="block text-sm font-medium text-gray-700 mb-1" title="${escapeHtml(desc)}">${escapeHtml(label)}</label>`; fieldDiv.innerHTML = `<label class="block text-sm font-medium text-gray-700 mb-1" title="${escapeHtml(desc)}">${escapeHtml(label)}</label>`;
fieldDiv.appendChild(buildModalInput(propName, propSchema, propType, currentVal)); fieldDiv.appendChild(buildModalInput(propName, propSchema, propType, currentVal));
body.appendChild(fieldDiv); body.appendChild(fieldDiv);
@@ -744,9 +749,9 @@
let displayColumns = []; let displayColumns = [];
let fullItemProperties = {}; let fullItemProperties = {};
try { itemProperties = JSON.parse(button.getAttribute('data-item-properties') || '{}'); } catch(e) {} try { itemProperties = JSON.parse(button.getAttribute('data-item-properties') || '{}'); } catch(_e) {}
try { displayColumns = JSON.parse(button.getAttribute('data-display-columns') || '[]'); } catch(e) {} try { displayColumns = JSON.parse(button.getAttribute('data-display-columns') || '[]'); } catch(_e) {}
try { fullItemProperties = JSON.parse(button.getAttribute('data-full-item-properties') || '{}'); } catch(e) { fullItemProperties = itemProperties; } try { fullItemProperties = JSON.parse(button.getAttribute('data-full-item-properties') || '{}'); } catch(_e) { fullItemProperties = itemProperties; }
const tbody = document.getElementById(fieldId + '_tbody'); const tbody = document.getElementById(fieldId + '_tbody');
if (!tbody) return; if (!tbody) return;

23
web_interface/static/v3/js/widgets/file-upload-single.js
View File

@@ -126,6 +126,7 @@
html += `<div id="${fieldId}_status" class="mt-1 text-xs hidden"></div>`; html += `<div id="${fieldId}_status" class="mt-1 text-xs hidden"></div>`;
html += '</div>'; html += '</div>';
// eslint-disable-next-line no-unsanitized/property -- all dynamic values sanitized by escapeHtml()
container.innerHTML = html; container.innerHTML = html;
}, },
@@ -216,10 +217,14 @@
return; return;
} }
// Show uploading status // Show uploading status — use DOM methods to avoid innerHTML with dynamic data
if (statusDiv) { if (statusDiv) {
statusDiv.className = 'mt-1 text-xs text-gray-500'; statusDiv.className = 'mt-1 text-xs text-gray-500';
statusDiv.innerHTML = '<i class="fas fa-spinner fa-spin mr-1"></i>Uploading...'; statusDiv.textContent = '';
const spinner = document.createElement('i');
spinner.className = 'fas fa-spinner fa-spin mr-1';
statusDiv.appendChild(spinner);
statusDiv.appendChild(document.createTextNode('Uploading…'));
} }
const formData = new FormData(); const formData = new FormData();
@@ -247,8 +252,12 @@
if (statusDiv) { if (statusDiv) {
statusDiv.className = 'mt-1 text-xs text-green-600'; statusDiv.className = 'mt-1 text-xs text-green-600';
statusDiv.innerHTML = '<i class="fas fa-check-circle mr-1"></i>Uploaded successfully'; statusDiv.textContent = '';
setTimeout(() => { statusDiv.className = 'mt-1 text-xs hidden'; statusDiv.innerHTML = ''; }, 3000); const icon = document.createElement('i');
icon.className = 'fas fa-check-circle mr-1';
statusDiv.appendChild(icon);
statusDiv.appendChild(document.createTextNode('Uploaded successfully'));
setTimeout(() => { statusDiv.className = 'mt-1 text-xs hidden'; statusDiv.textContent = ''; }, 3000);
} }
notifyFn('Image uploaded successfully', 'success'); notifyFn('Image uploaded successfully', 'success');
} else { } else {
@@ -257,7 +266,11 @@
} catch (error) { } catch (error) {
if (statusDiv) { if (statusDiv) {
statusDiv.className = 'mt-1 text-xs text-red-600'; statusDiv.className = 'mt-1 text-xs text-red-600';
statusDiv.innerHTML = `<i class="fas fa-exclamation-circle mr-1"></i>${escapeHtml(error.message)}`; statusDiv.textContent = '';
const errIcon = document.createElement('i');
errIcon.className = 'fas fa-exclamation-circle mr-1';
statusDiv.appendChild(errIcon);
statusDiv.appendChild(document.createTextNode(error.message || 'Upload failed'));
} }
notifyFn(`Upload error: ${error.message}`, 'error'); notifyFn(`Upload error: ${error.message}`, 'error');
} finally { } finally {

20
web_interface/static/v3/js/widgets/plugin-file-manager.js
View File

@@ -261,6 +261,8 @@
grid.addEventListener('click', st._gridClickHandler); grid.addEventListener('click', st._gridClickHandler);
grid.addEventListener('change', st._gridChangeHandler); grid.addEventListener('change', st._gridChangeHandler);
// All dynamic values in the template literal are sanitized by escHtml().
// eslint-disable-next-line no-unsanitized/property -- values sanitized by escHtml()
grid.innerHTML = st.files.map(f => ` grid.innerHTML = st.files.map(f => `
<div class="pfm-card${f.enabled === false ? ' disabled' : ''}" data-filename="${escHtml(f.filename)}" data-category="${escHtml(f.category_name)}"> <div class="pfm-card${f.enabled === false ? ' disabled' : ''}" data-filename="${escHtml(f.filename)}" data-category="${escHtml(f.category_name)}">
<div class="pfm-card-top"> <div class="pfm-card-top">
@@ -305,6 +307,7 @@
// Build modal using DOM methods so filename never enters a JS string literal. // Build modal using DOM methods so filename never enters a JS string literal.
const modal = document.createElement('div'); const modal = document.createElement('div');
modal.className = 'pfm-modal'; modal.className = 'pfm-modal';
// eslint-disable-next-line no-unsanitized/property -- filename sanitized by escHtml()
modal.innerHTML = ` modal.innerHTML = `
<div class="pfm-modal-header"> <div class="pfm-modal-header">
<span class="pfm-modal-title"><i class="fas fa-edit mr-2"></i>${escHtml(filename)}</span> <span class="pfm-modal-title"><i class="fas fa-edit mr-2"></i>${escHtml(filename)}</span>
@@ -344,6 +347,7 @@
} else { } else {
// Textarea path: _editData stays null; save() reads from the <textarea> // Textarea path: _editData stays null; save() reads from the <textarea>
st._editData = null; st._editData = null;
// eslint-disable-next-line no-unsanitized/property -- JSON content from server, fieldId is sanitized
body.innerHTML = ` body.innerHTML = `
<textarea id="${escHtml(fieldId)}_json_ta" rows="20" <textarea id="${escHtml(fieldId)}_json_ta" rows="20"
style="width:100%;font-family:monospace;font-size:.75rem;border:1px solid #d1d5db;border-radius:.375rem;padding:.5rem;" style="width:100%;font-family:monospace;font-size:.75rem;border:1px solid #d1d5db;border-radius:.375rem;padding:.5rem;"
@@ -365,18 +369,21 @@
function renderEntryTable(fieldId, container, content) { function renderEntryTable(fieldId, container, content) {
const st = getState(fieldId); const st = getState(fieldId);
const entries = Object.entries(content).sort((a, b) => parseInt(a[0]) - parseInt(b[0])); const entries = Object.entries(content).sort((a, b) => parseInt(a[0]) - parseInt(b[0]));
if (!entries.length) { container.innerHTML = '<div class="pfm-empty">No entries.</div>'; return; } if (!entries.length) { container.textContent = 'No entries.'; return; }
const cols = Object.keys(entries[0][1]); const cols = Object.keys(entries[0][1]);
const todayDoy = Math.ceil((new Date() - new Date(new Date().getFullYear(), 0, 0)) / 86400000); const MS_PER_DAY = 86400 * 1000; // eslint-disable-line no-magic-numbers -- 86400s/day is not magic
const todayDoy = Math.ceil((new Date() - new Date(new Date().getFullYear(), 0, 0)) / MS_PER_DAY);
const total = entries.length; const total = entries.length;
const perPage = st.entriesPerPage; const perPage = st.entriesPerPage;
function buildPage(page) { function buildPage(page) {
const start = (page - 1) * perPage; const start = (page - 1) * perPage; // eslint-disable-line no-magic-numbers
const pageEntries = entries.slice(start, start + perPage); const pageEntries = entries.slice(start, start + perPage);
const totalPages = Math.ceil(total / perPage); const totalPages = Math.ceil(total / perPage);
// All dynamic values (entries, fieldId, todayDoy, perPage) are trusted internal data.
// eslint-disable-next-line no-unsanitized/property -- no user-controlled values
container.innerHTML = ` container.innerHTML = `
<div class="pfm-table-info" style="font-size:.75rem;color:#6b7280;margin-bottom:.375rem;"> <div class="pfm-table-info" style="font-size:.75rem;color:#6b7280;margin-bottom:.375rem;">
${total} entries total ${total} entries total
@@ -584,7 +591,10 @@
const inp = document.getElementById(`${fieldId}_cf_${f.key}`); const inp = document.getElementById(`${fieldId}_cf_${f.key}`);
if (!inp) continue; if (!inp) continue;
const val = inp.value.trim(); const val = inp.value.trim();
if (f.pattern && val && !new RegExp(f.pattern).test(val)) { // f.pattern comes from schema config (not user input).
// Wrap in try-catch in case the pattern string is malformed.
// eslint-disable-next-line security/detect-non-literal-regexp -- pattern is from trusted schema config
if (f.pattern && val && (() => { try { return !new RegExp(f.pattern).test(val); } catch(_e) { return false; } })()) {
if (errEl) errEl.textContent = `${f.label || f.key}: invalid format — ${f.hint || ''}`; if (errEl) errEl.textContent = `${f.label || f.key}: invalid format — ${f.hint || ''}`;
inp.focus(); return; inp.focus(); return;
} }
@@ -689,6 +699,8 @@
directoryLabel: wc.directory_label || '' directoryLabel: wc.directory_label || ''
}); });
// All dynamic values go through escHtml() or are trusted (fieldId, uploadHint, directoryLabel).
// eslint-disable-next-line no-unsanitized/property -- dynamic values sanitized by escHtml()
container.innerHTML = ` container.innerHTML = `
<div class="pfm-root" id="${fieldId}_pfm"> <div class="pfm-root" id="${fieldId}_pfm">
<div class="pfm-header"> <div class="pfm-header">