
Addresses https://github.com/microsoft/vscode-internalbacklog/issues/4449

Henning Dieterichs 1 年之前
父节点
当前提交
f70fabb863

+ 5 - 0
build/importTypescript.ts

@@ -37,6 +37,11 @@ export const typescriptVersion = "${typeScriptDependencyVersion}";\n`
 
 	let tsServices = fs.readFileSync(path.join(TYPESCRIPT_LIB_SOURCE, 'typescript.js')).toString();
 
+	tsServices = tsServices.replace(
+		'const path = matchedStar ? subst.replace("*", matchedStar) : subst;',
+		'const path = matchedStar ? subst.replace("*", matchedStar) : subst; // CodeQL [SM02383] This is a false positive, the code is from the TypeScript compiler'
+	);
+
 	// The output from this build will only be accessible via ESM; rather than removing
 	// references to require/module, define them as dummy variables that bundlers will ignore.
 	// The TS code can figure out that it's not running under Node even with these defined.
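Review bot: The added `tsServices.replace(...)` has no check that its needle was actually found, so when a future TypeScript release rewords that line the suppression silently disappears from the vendored typescriptServices.js and the CodeQL finding returns without anyone noticing. Guard it before replacing: `const needle = 'const path = matchedStar ? subst.replace("*", matchedStar) : subst;'; if (!tsServices.includes(needle)) { throw new Error('importTypescript: expected line not found in typescript.js'); }`. A string pattern also replaces only the first occurrence, which matches the single site in the vendored file today; a one-line comment saying so would help the next maintainer. The enclosing function starts before the hunk.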

+ 1 - 1
src/language/typescript/lib/typescriptServices.js

@@ -40937,7 +40937,7 @@ ${lanes.join("\n")}
         trace(state.host, Diagnostics.Module_name_0_matched_pattern_1, moduleName, matchedPatternText);
       }
       const resolved = forEach(paths[matchedPatternText], (subst) => {
-        const path = matchedStar ? subst.replace("*", matchedStar) : subst;
+        const path = matchedStar ? subst.replace("*", matchedStar) : subst; // CodeQL [SM02383] This is a false positive, the code is from the TypeScript compiler
         const candidate = normalizePath(combinePaths(baseDirectory, path));
         if (state.traceEnabled) {
           trace(state.host, Diagnostics.Trying_substitution_0_candidate_module_location_Colon_1, subst, path);

+ 2 - 2
test/manual/dev-setup.js

@@ -39,7 +39,7 @@
 			'<ul><li>' +
 			renderLoadingOptions(true) +
 			(isRelease ? '' : `</li><li>${renderLoadingOptions(false)}`) +
-			'</li></ul>';
+			'</li></ul>'; // CodeQL [SM03712] This code is not deployed and serves as local test code. No risk of malicious input.
 
 		document.body.appendChild(div);
 
@@ -47,7 +47,7 @@
 		for (let i = 0; i < aElements.length; i++) {
 			let aElement = aElements[i];
 			if (aElement.className === 'loading-opts') {
-				aElement.href += window.location.search;
+				aElement.href += window.location.search; // CodeQL [SM01507] This code is not deployed and serves as local test code. No risk of malicious input.
 			}
 		}
 	})();
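Review bot: `aElement.href += window.location.search` on the second hunk's changed line appends a second `?` whenever the anchor already carries a query string, yielding a malformed URL, and the new suppression comment does not change that. If the `loading-opts` links are always query-free this is harmless; otherwise merge through the URL API, which also keeps the suppression justification accurate about what is appended: `const u = new URL(aElement.href); new URLSearchParams(window.location.search).forEach((v, k) => u.searchParams.set(k, v)); aElement.href = u.href;`. The enclosing IIFE starts outside the hunk.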

+ 1 - 1
website/src/monaco-loader.ts

@@ -84,7 +84,7 @@ function loadScript(path: string): Promise<void> {
 		script.onload = () => res();
 		script.async = true;
 		script.type = "text/javascript";
-		script.src = path;
+		script.src = path; // CodeQL [SM01507] This is safe because the runner (that allows for dynamic paths) runs in an isolated iframe. The hosting website uses a static path configuration. // CodeQL [SM03712] This is safe because the runner (that allows for dynamic paths) runs in an isolated iframe. The hosting website uses a static path configuration.
 		document.head.appendChild(script);
 	});
 }
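Review bot: The suppression on `script.src = path` justifies the sink by facts about the callers (static path configuration, isolated iframe) that `loadScript` itself cannot enforce, so the contract should be stated where callers will see it rather than only in the CodeQL tag. Add TSDoc above `loadScript` along the lines of `/** Appends a <script> for \`path\`. \`path\` must be a build-time constant or a same-origin URL; outside the sandboxed runner it must never be derived from user-controlled input. */`. The duplicated justification text for the two CodeQL ids could then be shortened to point at that doc. The body of `loadScript` begins before the hunk.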

+ 2 - 2
website/src/runner/index.ts

@@ -21,7 +21,7 @@ window.addEventListener("message", (event) => {
 		const style = document.getElementById(
 			"custom-style"
 		) as HTMLStyleElement;
-		style.innerHTML = e.css;
+		style.innerHTML = e.css; // CodeQL [SM03712] This is safe because the runner runs in an isolated iframe.
 	}
 });
 
@@ -54,7 +54,7 @@ async function initialize(state: IPreviewState) {
 	const js = massageJs(state.js);
 
 	try {
-		eval(js);
+		eval(js); // CodeQL [SM01632] This is safe because the runner runs in an isolated iframe. This feature is essential to the functionality of the playground. // CodeQL [SM02688] This is safe because the runner runs in an isolated iframe. This feature is essential to the functionality of the playground.
 	} catch (err) {
 		const pre = document.createElement("pre");
 		pre.appendChild(
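Review bot: Both suppressions in this file (`style.innerHTML = e.css` in the first hunk and `eval(js)` in the second) rest on the iframe being isolated, but the `message` listener that feeds them is not shown validating `event.origin` in this hunk; if no such check exists upstream of these lines, any page able to obtain a reference to the runner frame could post its own css/js into it, and the isolation argument only bounds the blast radius rather than the entry. The suppression text should name where the origin/sandbox guarantee is enforced, e.g. `// CodeQL [SM01632] Runs only in the sandboxed runner iframe; messages are accepted only after the origin check in the "message" listener above.`, or the handler should gate on `event.origin` if it does not already. The `message` listener and `initialize` both start outside the hunk.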

+ 1 - 1
website/static/monarch/monarch.js

@@ -58,7 +58,7 @@ function createLangModel(languageId, text) {
 	var update = function () {
 		var def = null;
 		try {
-			def = eval("(function(){ " + langModel.getValue() + "; })()");
+			def = eval("(function(){ " + langModel.getValue() + "; })()"); // CodeQL [SM01632] langModel.getValue() is a default value with volatile user modifications. This is an essential functionality for the monarch playground and safe, as no injection is possible.
 		} catch (err) {
 			setInnerText(outputPane, err + "\n");
 			return;
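Review bot: The justification on the `eval` line asserts "no injection is possible" while describing the input as user-modified editor content, which is contradictory as written; the real argument is that the code runs only the current user's own text in their own session, so there is no cross-user vector. Reword to state that, e.g. `// CodeQL [SM01632] Evaluates only the current user's own editor text in their own page; no content from another principal reaches this call.`, and confirm that the model's initial value cannot be seeded from a URL parameter or shared link, since that would invalidate the claim. The enclosing `update` function continues past the hunk.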