Fixed security issue with download 3rd party plugin (#2365)

Added condition to avoid security issue according to GitHub's dependabot ![image](https://github.com/alshedivat/al-folio/assets/31376482/b470a83a-5038-48be-99a6-1cbf63de57bf) --------- Signed-off-by: George Araujo <george.gcac@gmail.com>
2024-04-23 11:29:15 -03:00 · 2024-04-23 11:29:15 -03:00 · 06ca08cbaf
parent b315315f9b
commit 06ca08cbaf
1 changed files with 16 additions and 1 deletions
--- a/_plugins/download-3rd-party.rb
+++ b/_plugins/download-3rd-party.rb
@ -7,6 +7,11 @@ Jekyll::Hooks.register :site, :after_init do |site|
  require 'uri'

  def download_file(url, dest)
+    # only try to download the file if url doesn't start with | for security reasons
+    if url.start_with?('|')
+      return
+    end
+
    # create the directory if it doesn't exist
    dir = File.dirname(dest)
    unless File.directory?(dir)
@ -30,11 +35,16 @@ Jekyll::Hooks.register :site, :after_init do |site|
  end

  def download_fonts(url, dest)
+    # only try to download the file if url doesn't start with | for security reasons
+    if url.start_with?('|')
+      return
+    end
+
    # only download fonts if the directory doesn't exist or is empty
    unless File.directory?(dest) && !Dir.empty?(dest)
      puts "Downloading fonts from #{url} to #{dest}"
      # get available fonts from the url
-      doc = Nokogiri::HTML(URI().open(url, "User-Agent" => "Ruby/#{RUBY_VERSION}"))
+      doc = Nokogiri::HTML(URI.open(url, "User-Agent" => "Ruby/#{RUBY_VERSION}"))
      doc.css('a').each do |link|
        # get the file name from the url
        file_name = link['href'].split('/').last.split('?').first
@ -49,6 +59,11 @@ Jekyll::Hooks.register :site, :after_init do |site|
  end

  def download_fonts_from_css(config, url, dest)
+    # only try to download the file if url doesn't start with | for security reasons
+    if url.start_with?('|')
+      return
+    end
+
    # get the file name from the url
    file_name = url.split('/').last.split('?').first