chore(release): 3.2.7 #161
Bumps the npm_and_yarn group with 1 update in the / directory: [axios](https://github.com/axios/axios).

Updates `axios` from 1.8.2 to 1.12.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.8.2...v1.12.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.12.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v3...v4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Fixed an issue where input for code editor extensions was incorrectly displayed within the toggle value of the "use default extensions" feature. Closes #158
…s/setup-node-6 build(deps): bump actions/setup-node from 5 to 6
…/codeql-action-4 build(deps): bump github/codeql-action from 3 to 4
…yarn-16c0b19af7 build(deps-dev): bump axios from 1.8.2 to 1.12.0 in the npm_and_yarn group across 1 directory
1) update "obsidian" package; 2) update "obsidian-typings" package;
Delete deprecated parts of the project for cleaner build output.
1) create debounce function for future inputs 2) create obsidian theme getter function 3) declare required types 4) create deep read/write functions for nested settings
1) use bundler as module resolution param; 2) delete root path and implement main;
1) now using data variants for light/dark theme adaptations; 2) create special styles for new settings and adapt, fix them for correct work;
1) add CSS styling support for input components; 2) update and correct icons for tabs and settings;
1) implement new dynamic method for loading settings tab; 2) deep read/write now works with original array, not copy; 3) create new type definition for settings tab factory;
Remove it from IUnitadeTabBuilder and make a corresponding file module.
Moved grouped extensions parser to the specified settings-module path. Made it faster, more compact and fail-safe.
| cursor = cursor[p]; | ||
| } | ||
| if (!Object.prototype.hasOwnProperty.call(cursor, parts[parts.length - 1]) || typeof cursor[parts[parts.length - 1]] !== 'object') | ||
| cursor[parts[parts.length - 1]] = value; |
Check warning (Code scanning / CodeQL): Prototype-polluting function, Medium. Flagged here, on `cursor`.
Copilot Autofix (AI, 7 days ago):
In general, a safe deep-assignment function that receives untrusted paths must either (a) block dangerous property names such as __proto__, constructor, and prototype, or (b) ensure that it never operates on objects that could end up in any prototype chain. Since we cannot change how setDeep is used, the robust fix is to add explicit checks that prevent traversing or creating these dangerous properties anywhere along the path.
The best targeted fix here is: when iterating parts in setDeep, skip or reject any segment that equals "__proto__", "constructor", or "prototype". If such a key is encountered either in the loop (for intermediates) or for the final segment, we should stop and return obj without creating or modifying anything. This preserves all existing behavior for legitimate keys while preventing pollution. Concretely:
- After computing `parts = path.split('.')`, we can either (1) scan `parts` once and early-return if any forbidden key is present, or (2) check each segment just before using it (`p` inside the loop and `parts[parts.length - 1]` for the final write). To keep the change minimal and localized, we can add a small helper `isUnsafeKey` in this file and use it where keys are read.
- All changes occur in `source/settings/utils/functions/deep.ts`, only inside the shown code. No behavior changes for safe keys; dangerous keys now cause `setDeep` to do nothing.
| @@ -3,17 +3,33 @@ | ||
| return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj); | ||
| } | ||
|
|
||
| function isUnsafeKey(key: string): boolean { | ||
| return key === '__proto__' || key === 'constructor' || key === 'prototype'; | ||
| } | ||
|
|
||
| export function setDeep<T = any>(obj: T, path: string, value: any): T { | ||
| const parts = path.split('.'); | ||
| let cursor = obj as any; | ||
| for (let i = 0; i < parts.length - 1; i++) { | ||
| const p = parts[i]; | ||
| if (!Object.prototype.hasOwnProperty.call(cursor, p) || typeof cursor[p] !== 'object') | ||
| if (isUnsafeKey(p)) { | ||
| return obj; | ||
| } | ||
| if (!Object.prototype.hasOwnProperty.call(cursor, p) || typeof cursor[p] !== 'object') { | ||
| cursor[p] = Object.create(null); | ||
| } | ||
| cursor = cursor[p]; | ||
| } | ||
| if (!Object.prototype.hasOwnProperty.call(cursor, parts[parts.length - 1]) || typeof cursor[parts[parts.length - 1]] !== 'object') | ||
| cursor[parts[parts.length - 1]] = value; | ||
| const lastKey = parts[parts.length - 1]; | ||
| if (isUnsafeKey(lastKey)) { | ||
| return obj; | ||
| } | ||
| if ( | ||
| !Object.prototype.hasOwnProperty.call(cursor, lastKey) || | ||
| typeof cursor[lastKey] !== 'object' | ||
| ) { | ||
| cursor[lastKey] = value; | ||
| } | ||
|
|
||
| return obj; | ||
| } |
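Review bot: the guard at the top of the loop (`if (isUnsafeKey(p)) { return obj; }`) and the matching `lastKey` guard still let a `null` intermediate through, because `typeof cursor[p] !== 'object'` is false for `null`, so `cursor = cursor[p];` yields `null` and the next iteration throws inside `Object.prototype.hasOwnProperty.call(cursor, p)`. Suggest `if (cursor[p] === null || !Object.prototype.hasOwnProperty.call(cursor, p) || typeof cursor[p] !== 'object') {` so a null leaf is replaced like a missing one. Separately, since intermediates are now created with `Object.create(null)`, only the root `obj` can still reach `Object.prototype`; the key blocklist covers that, but it also rejects a legitimate settings key literally named `constructor`, which is worth a comment on `isUnsafeKey`.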
Allows searching for a function signature in a given type
Advanced settings page: 1) add ignore titles (masks, extensions); 2) add grouped title; 3) add forced extensions title;
Use "create" for intermediate objects to avoid inheriting from prototype.
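Added example, not the project's code: a hardened `setDeep` in the shape the autofix above proposes, combined with the null-prototype intermediates from the commit message, plus the null guard a reviewer would ask for; `getDeep`, `resistsPollution` and `UNSAFE_KEYS` are names chosen here.

```javascript
// Segments that would let a dotted path reach a prototype chain (assumed blocklist,
// matching the keys named in the CodeQL suggestion).
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isUnsafeKey(key) {
  return UNSAFE_KEYS.has(key);
}

// Read a dotted path; missing or null intermediates yield undefined.
function getDeep(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Write `value` at a dotted `path`. Compared with the unguarded version:
//  - every segment is checked with isUnsafeKey before anything is created;
//  - intermediates are created with Object.create(null), so a later write
//    cannot reach Object.prototype through them;
//  - null is not treated as a traversable object (typeof null === "object").
function setDeep(obj, path, value) {
  const parts = path.split(".");
  if (parts.some(isUnsafeKey)) return obj; // refuse the whole path, touch nothing
  let cursor = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const p = parts[i];
    const existing = Object.prototype.hasOwnProperty.call(cursor, p) ? cursor[p] : undefined;
    if (existing === null || typeof existing !== "object") {
      cursor[p] = Object.create(null);
    }
    cursor = cursor[p];
  }
  const last = parts[parts.length - 1];
  // As in the original leaf rule, an existing nested object is not replaced.
  const leaf = Object.prototype.hasOwnProperty.call(cursor, last) ? cursor[last] : undefined;
  if (leaf === null || typeof leaf !== "object") cursor[last] = value;
  return obj;
}

// Defensive probe: true when writing `path` (whose leaf key is "polluted") into a
// fresh object leaves unrelated objects untouched, which is what the guard must
// guarantee for any path that walks through __proto__ or constructor.prototype.
function resistsPollution(path) {
  setDeep({}, path, true);
  const probe = {};
  return !("polluted" in probe);
}
```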
| // eslint-disable-next-line no-undef | ||
| const cli = parseCliArgs(process.argv) ?? {}; | ||
| const rawFilter = opts.filter ?? cli["worker-filter"] ?? DEFAULT_FILTER; | ||
| const filter = typeof rawFilter === "string" ? new RegExp(rawFilter) : rawFilter; |
Check failure (Code scanning / CodeQL): Regular expression injection, High. Source: command-line argument.
Copilot Autofix (AI, about 20 hours ago):
In general, to fix regex injection from command-line or other untrusted input, avoid passing the raw string directly to new RegExp and either (a) escape regex metacharacters so the string is treated as a literal, or (b) strictly validate or whitelist permitted patterns. In this case, the most conservative and backwards-compatible approach is: keep accepting RegExp objects from opts.filter (for intentional complex patterns), but treat the CLI string --worker-filter as a literal substring to match in filenames, escaping regex metacharacters before constructing the RegExp.
Concretely for build/plugin-workers.mjs, we should change the logic on lines 21–23 so that:
- We distinguish whether the filter originates from `opts.filter` or from the CLI.
- If it is a string from the CLI, we escape regex metacharacters before constructing the `RegExp`.
- If it is already a `RegExp`, or a string passed via `opts.filter` (which is programmatic and presumably trusted), we keep the existing behavior.
Since we are allowed to add well-known dependencies, we can import escapeRegExp from lodash (or lodash.escaperegexp), but that’s not strictly required; we can also implement a simple escape function locally. To minimize changes and dependencies, we can define a small escapeRegExp helper in this file and use it only for CLI-derived string filters, leaving the rest of the functionality intact.
Steps:
- In `build/plugin-workers.mjs`, add a local `escapeRegExp` function near the top of the file.
- Replace the `rawFilter`/`filter` construction so that:
  - It first prefers `opts.filter` (which may be a `RegExp` or string).
  - If no `opts.filter` is given and `cli["worker-filter"]` is present:
    - If it's a string, escape it and build `new RegExp(escapedString)`.
  - Otherwise fall back to `DEFAULT_FILTER`.
- Ensure that at the end we always have `filter` as a `RegExp` (as before) so downstream code does not change behavior except for treating CLI strings as literals.
| @@ -8,6 +8,18 @@ | ||
| */ | ||
|
|
||
| /** | ||
| * Escape special characters in a string so it can be used safely inside a RegExp | ||
| * as a literal pattern. | ||
| * | ||
| * This follows the common pattern used by libraries like lodash's _.escapeRegExp. | ||
| * @param {string} str | ||
| * @returns {string} | ||
| */ | ||
| function escapeRegExp(str) { | ||
| return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); | ||
| } | ||
|
|
||
| /** | ||
| * Worker loader plugin factory. | ||
| * Accepts options and CLI override `--worker-filter`. | ||
| * @param {MonacoWorkersOptions} [opts={}] | ||
| @@ -19,9 +31,21 @@ | ||
| setup(build) { | ||
| // eslint-disable-next-line no-undef | ||
| const cli = parseCliArgs(process.argv) ?? {}; | ||
| const rawFilter = opts.filter ?? cli["worker-filter"] ?? DEFAULT_FILTER; | ||
| const filter = typeof rawFilter === "string" ? new RegExp(rawFilter) : rawFilter; | ||
|
|
||
| let filter = DEFAULT_FILTER; | ||
|
|
||
| if (opts.filter instanceof RegExp) { | ||
| // Programmatic RegExp filter is assumed to be trusted | ||
| filter = opts.filter; | ||
| } else if (typeof opts.filter === "string") { | ||
| // Programmatic string filter: preserve existing behavior | ||
| filter = new RegExp(opts.filter); | ||
| } else if (typeof cli["worker-filter"] === "string") { | ||
| // CLI string filter: treat as a literal pattern and escape meta-characters | ||
| const safeCliFilter = escapeRegExp(cli["worker-filter"]); | ||
| filter = new RegExp(safeCliFilter); | ||
| } | ||
|
|
||
| build.onResolve({ filter }, (args) => ({ path: args.path, namespace: "worker" })); | ||
|
|
||
| build.onLoad({ filter: /.*/, namespace: "worker" }, async (args) => ({ |
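Review bot: the new branch chain silently falls back to `DEFAULT_FILTER` when `cli["worker-filter"]` is present but not a string (for instance a bare `--worker-filter` flag that the argument parser turns into a boolean), whereas the removed `rawFilter` line would have passed that value on and surfaced the mistake; an explicit `else if (cli["worker-filter"] !== undefined)` that throws or warns would keep the misconfiguration visible. Also, matching the CLI string literally is a behaviour change for anyone who previously passed a pattern such as `\.worker\.js$` on the command line, so the factory's JSDoc (`Accepts options and CLI override \`--worker-filter\``) should state that CLI filters are matched literally while `opts.filter` strings remain patterns.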
| contents: `export default function WorkerWrapper(options){ return new Worker(new URL(${JSON.stringify( | ||
| args.path | ||
| )}, import.meta.url), options); }`, |
Check warning (Code scanning / CodeQL): Improper code sanitization, Medium. Flagged on an improperly sanitized value.
Copilot Autofix (AI, about 20 hours ago):
In general, when constructing JavaScript source code that embeds stringified data, you should apply an additional escaping step to the JSON.stringify result to neutralize characters that can break out of <script> tags or otherwise alter the surrounding JavaScript/HTML context. This is particularly important for <, >, /, backslashes, control characters, and Unicode line/paragraph separators.
The single best fix here is to introduce a small helper function within build/plugin-workers.mjs that escapes unsafe characters in a string (following the pattern from the background example) and then wrap the existing JSON.stringify(args.path) call with this helper. This preserves existing functionality—the generated JavaScript still uses new URL(<string>, import.meta.url)—while ensuring that any unexpected characters in args.path cannot produce malformed or unsafe generated code.
Concretely:
- Add a `const charMap` and `function escapeUnsafeChars(str)` near the top of `build/plugin-workers.mjs` (after the imports or after the JSDoc typedef, anywhere before use).
- Change line 28 so that it reads `escapeUnsafeChars(JSON.stringify(args.path))` instead of just `JSON.stringify(args.path)`.
- No new external imports are needed; the helper uses only built-in JavaScript features.
| @@ -7,7 +7,32 @@ | ||
| * @property {RegExp|string} [filter] - Match worker module filenames (RegExp or string pattern) | ||
| */ | ||
|
|
||
| const charMap = { | ||
| '<': '\\u003C', | ||
| '>': '\\u003E', | ||
| '/': '\\u002F', | ||
| '\\': '\\\\', | ||
| '\b': '\\b', | ||
| '\f': '\\f', | ||
| '\n': '\\n', | ||
| '\r': '\\r', | ||
| '\t': '\\t', | ||
| '\0': '\\0', | ||
| '\u2028': '\\u2028', | ||
| '\u2029': '\\u2029' | ||
| }; | ||
|
|
||
| /** | ||
| * Escape potentially unsafe characters in a string that will be embedded | ||
| * into generated JavaScript source code. | ||
| * @param {string} str | ||
| * @returns {string} | ||
| */ | ||
| function escapeUnsafeChars(str) { | ||
| return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029]/g, (x) => charMap[x] || x); | ||
| } | ||
|
|
||
| /** | ||
| * Worker loader plugin factory. | ||
| * Accepts options and CLI override `--worker-filter`. | ||
| * @param {MonacoWorkersOptions} [opts={}] | ||
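Review bot: the `charMap` entries for `'/'` and `'\\'` are dead code, because the regex in `escapeUnsafeChars` (`/[<>\b\f\n\r\t\0\u2028\u2029]/g`) never matches either character, and the `'\\'` entry must stay out of that regex: the helper is applied to `JSON.stringify` output, whose backslashes are already escape sequences, so rewriting them would corrupt the literal. The control-character classes (`\b\f\n\r\t\0`) are likewise unreachable, since `JSON.stringify` has already emitted them as escapes. Suggest trimming both the map and the regex to `<`, `>`, `\u2028` and `\u2029` (adding `/` only if `</script>` breakout matters for the generated module) so the code documents what it actually does.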
| @@ -25,9 +49,9 @@ | ||
| build.onResolve({ filter }, (args) => ({ path: args.path, namespace: "worker" })); | ||
|
|
||
| build.onLoad({ filter: /.*/, namespace: "worker" }, async (args) => ({ | ||
| contents: `export default function WorkerWrapper(options){ return new Worker(new URL(${JSON.stringify( | ||
| contents: `export default function WorkerWrapper(options){ return new Worker(new URL(${escapeUnsafeChars(JSON.stringify( | ||
| args.path | ||
| )}, import.meta.url), options); }`, | ||
| ))}, import.meta.url), options); }`, | ||
| loader: "js", | ||
| })); | ||
|
|
PRs: update OBSIDIAN API, add "forced" modes and fix settings
Before writing anything about your changes in this PR, check these items:
By agreeing to and following this project's documentation, you are reminded that your commits and the styling of your changes must follow this project's documentation; in case of "de-followization", there are two ways before you publish your PR:
For amending an old commit, see the Stack Overflow question[^1]; more about changing commits is in the official GitHub docs:
https://docs.github.com/en/pull-requests/committing-changes-to-your-project/creating-and-editing-commits/changing-a-commit-message/
Changes with that PR
Please, write below every changes you made:
Process of testing for that PR
answer (y/n): (n);
...
Additional context for that PR
Closes #160
Closes #159
Closes #158
Footnotes
[^1]: https://stackoverflow.com/questions/17338792/amending-old-commit/