From 96b076b11318d3324ff644ba8fb9d77d6b14d24f Mon Sep 17 00:00:00 2001
From: shuaiplus <2327005759@qq.com>
Date: Thu, 12 Mar 2026 02:18:14 +0800
Subject: [PATCH] fix: clean up security scan warnings

---
 .github/workflows/security.yml | 28 +++++++++++++++++-----------
 src/handlers/accounts.ts       | 11 ++++++++++-
 webapp/src/App.tsx             |  3 ++-
 3 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 7efea47..644582b 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -19,7 +19,7 @@ jobs:
     env:
       SECURITY_SNYK_TOKEN: ${{ secrets.SECURITY_SNYK_TOKEN }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -40,15 +40,21 @@ jobs:
           upload: true
           output: sarif-results
 
-      - name: Secret Detection
-        id: gitleaks
-        uses: gitleaks/gitleaks-action@dcedce43c6f43de0b836d1fe38946645c9c638dc
+      - name: Install Gitleaks
+        if: env.ACT != 'true'
         continue-on-error: true
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          format: sarif
-          report_path: results.sarif
+        run: |
+          GITLEAKS_VERSION="8.28.0"
+          curl -sSL -o gitleaks.tar.gz "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+          tar -xzf gitleaks.tar.gz gitleaks
+          chmod +x gitleaks
+          sudo mv gitleaks /usr/local/bin/gitleaks
+
+      - name: Secret Detection
+        if: env.ACT != 'true'
+        continue-on-error: true
+        run: |
+          gitleaks git . --report-format sarif --report-path results.sarif --no-banner || true
 
       - name: Install Project Dependencies
         if: env.SECURITY_SNYK_TOKEN != ''
@@ -114,7 +120,7 @@ jobs:
           cat security-report-cn.md >> $GITHUB_STEP_SUMMARY
 
       - name: Upload Gitleaks Results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: results.sarif
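Review bot: The Install Gitleaks step downloads the release tarball with curl and moves it straight to /usr/local/bin with no integrity check, so the scanner the job runs is whatever the download returned; the replaced action was pinned by commit SHA, and a version string in a URL does not give the same guarantee. Add a verification line right after the curl, e.g. `echo "<EXPECTED_SHA256>  gitleaks.tar.gz" | sha256sum -c -` with the digest taken from the release's published checksums (placeholder shown), so a truncated or substituted archive fails the step instead of being installed. Separately, `continue-on-error: true` on the install step together with `|| true` on the `gitleaks git` command means a failed download or a missing binary leaves results.sarif absent while the job stays green, so secret detection can silently stop running; dropping `|| true` and letting continue-on-error alone carry the non-blocking intent would at least surface that as a failed step in the run log. The `env.ACT` variable these steps gate on is not defined anywhere in this hunk, so I assume it is supplied by the local-runner environment.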
@@ -122,7 +128,7 @@ jobs:
 
       - name: Upload Security Report Artifacts
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: security-report
           if-no-files-found: ignore
diff --git a/src/handlers/accounts.ts b/src/handlers/accounts.ts
index 7cbdf6f..0c53985 100644
--- a/src/handlers/accounts.ts
+++ b/src/handlers/accounts.ts
@@ -46,7 +46,16 @@ function validateKdfParams(kdfType: number | undefined, kdfIterations: number |
 }
 
 function normalizeTotpSecret(input: string): string {
-  return input.toUpperCase().replace(/[\s-]/g, '').replace(/=+$/g, '');
+  const raw = String(input || '').toUpperCase();
+  let out = '';
+  for (const char of raw) {
+    if (char === ' ' || char === '\t' || char === '\n' || char === '\r' || char === '-') continue;
+    out += char;
+  }
+  while (out.endsWith('=')) {
+    out = out.slice(0, -1);
+  }
+  return out;
 }
 
 function normalizeRecoveryCodeInput(input: string): string {
diff --git a/webapp/src/App.tsx b/webapp/src/App.tsx
index d728fa0..6633848 100644
--- a/webapp/src/App.tsx
+++ b/webapp/src/App.tsx
@@ -1811,7 +1811,8 @@ export default function App() {
   const hashPathRaw = typeof window !== 'undefined' ? window.location.hash || '' : '';
   const hashPath = hashPathRaw.startsWith('#') ? hashPathRaw.slice(1) : hashPathRaw;
   const hashPathOnly = String(hashPath || '').split('?')[0].split('#')[0];
-  const normalizedHashPath = `/${hashPathOnly.replace(/^\/+/, '').replace(/\/+$/, '')}`.replace(/^\/$/, '/');
+  const trimmedHashPath = hashPathOnly.replace(/^\/+/, '').replace(/\/+$/, '');
+  const normalizedHashPath = trimmedHashPath ? `/${trimmedHashPath}` : '/';
   const isImportHashRoute = IMPORT_ROUTE_ALIASES.has(normalizedHashPath);
   const effectiveLocation = hashPath.startsWith('/send/') || hashPath === '/recover-2fa' ? hashPath : location;
   const publicSendMatch = effectiveLocation.match(/^\/send\/([^/]+)(?:\/([^/]+))?\/?$/i);
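Review bot: The explicit character list in the new `for` loop of normalizeTotpSecret narrows what the old `/[\s-]/g` stripped: `\s` also matched form feed, vertical tab, non-breaking space and the other Unicode whitespace code points, so a secret pasted with a U+00A0 between groups is no longer cleaned and will fail base32 decoding where it previously succeeded. If the intent was only to retire the `=+$` regex that polynomial-backtracking checks flag (inferred from the commit title), the whitespace test can stay regex-free and keep the old semantics with `if (char === '-' || char.trim() === '') continue;`, since String.prototype.trim removes exactly the set `\s` matches. The `String(input || '')` wrapper also hides a caller passing undefined through a parameter declared `string`; if that can happen, the declared type should say so rather than the body quietly coercing it. A one-line TSDoc such as `/** Canonicalizes a user-supplied base32 TOTP secret: uppercase, whitespace and dashes removed, trailing '=' padding dropped. */` would record the contract the loop now spells out by hand.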
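Review bot: The new `trimmedHashPath` line keeps `.replace(/\/+$/, '')` on a value derived from window.location.hash, which is the same `x+$` shape that polynomial-backtracking checks flag; if that was the warning the commit title refers to (inferred), this hunk removes only the no-op `.replace(/^\/$/, '/')` and leaves the flagged pattern in place. A loop mirrors the approach taken in accounts.ts in this same commit and drops the regex: `let trimmedHashPath = hashPathOnly.replace(/^\/+/, '');` followed by `while (trimmedHashPath.endsWith('/')) trimmedHashPath = trimmedHashPath.slice(0, -1);`. Replacing the template literal with the ternary is a genuine cleanup, since the old trailing replace could never change anything. App() starts outside the hunk.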