codeant-ai-for-open-source[bot] commented on PR #36495:
URL: https://github.com/apache/superset/pull/36495#issuecomment-3662663573

   ## Nitpicks 🔍
   
   <table>
   <tr><td>🔒&nbsp;<strong>No security issues identified</strong></td></tr>
   <tr><td>⚡&nbsp;<strong>Recommended areas for review</strong><br><br>
   
   - [ ] <a href='https://github.com/apache/superset/pull/36495/files#diff-18617599e08bfd1cc70646d0695483379021fb7672dec6f25106947603ac6617R72-R81'><strong>Permissive domain matching</strong></a><br>The code checks badge hosts with `parsed.hostname.includes(domain)`, which can match malicious hostnames like `img.shields.io.evil.com`. This may allow downloading badges from unintended hosts. Use exact-match or suffix checks (e.g., equals or endsWith with `.` prefix) to avoid substring collisions.<br>
   
   - [ ] <a href='https://github.com/apache/superset/pull/36495/files#diff-18617599e08bfd1cc70646d0695483379021fb7672dec6f25106947603ac6617R96-R106'><strong>Static directory path validation</strong></a><br>The plugin writes files to `staticDir` derived from `options.staticDir || path.join(docsRoot, 'static')`. If `options.staticDir` is user-supplied, validate it resolves inside the docs root to avoid writing files outside the project tree.<br>
   
   - [ ] <a href='https://github.com/apache/superset/pull/36495/files#diff-18617599e08bfd1cc70646d0695483379021fb7672dec6f25106947603ac6617R116-R125'><strong>Build-time network trust</strong></a><br>The plugin performs network requests at build time (uses `fetch`) and fails the build on download errors. Confirm the build environment always has network access and a safe `fetch` implementation (Node versions vary). Consider timeouts, retries, and an option to opt out or mark badges optional so CI doesn't fail due to transient network issues.<br>
   
   - [ ] <a href='https://github.com/apache/superset/pull/36495/files#diff-9dbe126a5a498e56dcf30f25d7fc163f8443517db03458905d3d33303e1cdbf9R20-R26'><strong>ESM import risk</strong></a><br>The code imports an .mjs module directly from a TypeScript config. Depending on the Node/ESM/CommonJS configuration used by the Docusaurus build (ts-node, tsconfig.module, Node version, loader rules), importing a .mjs file may fail at runtime or at compile time. Verify that the build environment supports .mjs imports from a .ts config and that the plugin file's module format matches expectations.<br>
   
   - [ ] <a href='https://github.com/apache/superset/pull/36495/files#diff-18617599e08bfd1cc70646d0695483379021fb7672dec6f25106947603ac6617R165-R169'><strong>Cross-platform path handling</strong></a><br>The plugin derives a directory from `import.meta.url` using `new URL(import.meta.url).pathname`. This approach can produce URL-encoded paths and leading slashes on Windows. Use `fileURLToPath(import.meta.url)` from the `url` module to get a proper file system path across platforms.<br>
   
   </td></tr>
   </table>
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

