Fix remaining GitHub CodeQL security alerts

- py/stack-trace-exposure: Remove str(e) and traceback.format_exc() from all HTTP responses across api_v3.py, pages_v3.py, and app.py; replace with generic messages and logger.error(exc_info=True) - py/reflective-xss: Escape partial_name via markupsafe.escape in the load_partial 404 response - py/path-injection: Add regex validation of plugin_id before filesystem use in _load_plugin_config_partial - py/incomplete-url-substring-sanitization: Replace 'github.com' in substring checks with urlparse hostname comparison in store_manager.py - py/clear-text-logging-sensitive-data: Remove football-scoreboard debug prints and sensitive request-body prints from update endpoint - js/bad-tag-filter: Replace script-only regex in BaseWidget.sanitizeValue with DOM-based textContent stripping that removes all HTML - js/incomplete-sanitization: Fix escapeAttr to properly encode &, ", ', <, > using HTML entities instead of backslash escaping - js/prototype-pollution-utility: Add __proto__/constructor/prototype key guards to deepMerge function in plugins_manager.js - app.py error handlers: Always return generic messages; remove debug-mode branches that could expose tracebacks in production Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-26 05:53:33 +00:00 · 2026-05-23 19:01:06 -04:00
parent 8652aacf37
commit 1d2303e620
6 changed files with 222 additions and 235 deletions
--- a/src/plugin_system/store_manager.py
+++ b/src/plugin_system/store_manager.py
@@ -21,6 +21,8 @@ from pathlib import Path
 from typing import List, Dict, Optional, Any, Tuple
 import logging

+from urllib.parse import urlparse
+
 from src.common.permission_utils import sudo_remove_directory

 try:
@@ -356,7 +358,8 @@ class PluginStoreManager:
        # Extract owner/repo from URL
        try:
            # Handle different URL formats
-            if 'github.com' in repo_url:
+            _parsed_url = urlparse(repo_url)
+            if _parsed_url.hostname in ('github.com', 'www.github.com'):
                parts = repo_url.strip('/').split('/')
                if len(parts) >= 2:
                    owner = parts[-2]
@@ -518,9 +521,10 @@ class PluginStoreManager:
            # Try to find plugins.json in common locations
            # First try root directory
            registry_urls = []
-            
+
            # Extract owner/repo from URL
-            if 'github.com' in repo_url:
+            _parsed_repo_url = urlparse(repo_url)
+            if _parsed_repo_url.hostname in ('github.com', 'www.github.com'):
                parts = repo_url.split('/')
                if len(parts) >= 2:
                    owner = parts[-2]
@@ -775,7 +779,8 @@ class PluginStoreManager:
        try:
            # Convert repo URL to raw content URL
            # https://github.com/user/repo -> https://raw.githubusercontent.com/user/repo/branch/manifest.json
-            if 'github.com' in repo_url:
+            _parsed_manifest_url = urlparse(repo_url)
+            if _parsed_manifest_url.hostname in ('github.com', 'www.github.com'):
                # Handle different URL formats
                repo_url = repo_url.rstrip('/')
                if repo_url.endswith('.git'):