
show stats for specific organizations or repositories #1


Draft: wants to merge 29 commits into base branch master

Conversation

martin-mfg (Owner)

Comment on lines +77 to +87
renderError(
"Something went wrong",
"Username, repository or owner contains unsafe characters",
{
title_color,
text_color,
bg_color,
border_color,
theme,
},
),

Check failure

Code scanning / CodeQL

Reflected cross-site scripting High

Cross-site scripting vulnerability due to a user-provided value. (4 alerts on this range)

Copilot Autofix

AI 17 days ago

To fix the issue, we need to sanitize or encode the user-provided values before embedding them into the SVG markup. The best approach is to use an HTML encoding function to ensure that any special characters in the user input are safely escaped. This prevents malicious scripts from being executed in the browser.

The encodeHTML function already exists in src/common/utils.js and can be used for this purpose. We will apply this function to all user-provided values (title_color, text_color, bg_color, border_color, etc.) before they are used in the renderError function.

Suggested changeset 1
src/common/utils.js
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/common/utils.js b/src/common/utils.js
--- a/src/common/utils.js
+++ b/src/common/utils.js
@@ -381,8 +381,13 @@
   // returns theme based colors with proper overrides and defaults
-  const { titleColor, textColor, bgColor, borderColor } = getCardColors({
-    title_color,
-    text_color,
+  const { 
+    titleColor, 
+    textColor, 
+    bgColor, 
+    borderColor 
+  } = getCardColors({
+    title_color: encodeHTML(title_color),
+    text_color: encodeHTML(text_color),
     icon_color: "",
-    bg_color,
-    border_color,
+    bg_color: encodeHTML(bg_color),
+    border_color: encodeHTML(border_color),
     ring_color: "",
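Review bot: `theme`, which the flagged renderError call on lines +77 to +87 also receives from the request, is left untouched by this hunk while the four colour values are encoded; confirm it is only ever used as a key into the theme table and never interpolated into the SVG. Encoding colours is also the wrong tool here: any HTML-encoding function leaves a valid hex colour unchanged, so a value that differs after `encodeHTML` is not a colour at all and should be rejected by a hex-colour check rather than passed on to `getCardColors`. Style: the new `const { `, `titleColor, `, `textColor, `, `bgColor, ` and `borderColor ` lines carry trailing whitespace.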
EOF
Comment on lines +131 to +161
renderStatsCard(
stats,
{
hide: parseArray(hide),
show_icons: parseBoolean(show_icons),
hide_title: parseBoolean(hide_title),
hide_border: parseBoolean(hide_border),
card_width: parseInt(card_width, 10),
hide_rank: parseBoolean(hide_rank),
include_all_commits: parseBoolean(include_all_commits),
line_height,
title_color,
ring_color,
icon_color,
text_color,
text_bold: parseBoolean(text_bold),
bg_color,
theme,
custom_title,
border_radius,
border_color,
number_format,
locale: locale ? locale.toLowerCase() : null,
disable_animations: parseBoolean(disable_animations),
rank_icon,
show: showStats,
},
username,
repositories,
organizations,
),

Check failure

Code scanning / CodeQL

Reflected cross-site scripting High

Cross-site scripting vulnerability due to a user-provided value. (6 alerts on this range)

Copilot Autofix

AI 17 days ago

To fix the issue, we need to sanitize or encode the user-provided input before incorporating it into the SVG response. The best approach is to use a library like escape-html to ensure that any potentially malicious characters in the input are properly escaped. This will prevent the execution of injected scripts or other malicious content.

Steps to fix:

  1. Import the escape-html library in api/index.js.
  2. Apply escape-html to all user-provided inputs that are passed to renderStatsCard, including title_color, ring_color, icon_color, text_color, bg_color, border_color, and other relevant parameters.
  3. Ensure that all inputs are sanitized before being used in the SVG response.

Suggested changeset 2
api/index.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/api/index.js b/api/index.js
--- a/api/index.js
+++ b/api/index.js
@@ -1,2 +1,3 @@
 import { renderStatsCard } from "../src/cards/stats-card.js";
+import escapeHtml from "escape-html";
 import { blacklist } from "../src/common/blacklist.js";
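Review bot: this default import only resolves once escape-html is declared in package.json; the package.json patch further down in this changeset adds it, so the two patches must land in the same commit (together with a regenerated lockfile), otherwise the API handler fails at import time on a clean install.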
@@ -141,16 +142,16 @@
           line_height,
-          title_color,
-          ring_color,
-          icon_color,
-          text_color,
+          title_color: escapeHtml(title_color),
+          ring_color: escapeHtml(ring_color),
+          icon_color: escapeHtml(icon_color),
+          text_color: escapeHtml(text_color),
           text_bold: parseBoolean(text_bold),
-          bg_color,
-          theme,
-          custom_title,
-          border_radius,
-          border_color,
-          number_format,
-          locale: locale ? locale.toLowerCase() : null,
+          bg_color: escapeHtml(bg_color),
+          theme: escapeHtml(theme),
+          custom_title: escapeHtml(custom_title),
+          border_radius: escapeHtml(border_radius),
+          border_color: escapeHtml(border_color),
+          number_format: escapeHtml(number_format),
+          locale: locale ? escapeHtml(locale.toLowerCase()) : null,
           disable_animations: parseBoolean(disable_animations),
-          rank_icon,
+          rank_icon: escapeHtml(rank_icon),
           show: showStats,
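Review bot: every `escapeHtml(...)` wrapper in this hunk turns an absent query parameter into the string "undefined", because escape-html stringifies its argument before escaping; `theme`, `custom_title`, `border_radius`, `number_format` and `rank_icon` are all optional, so a request that omits them now renders with the literal value "undefined" instead of the default. Guard each call, for example `custom_title: custom_title === undefined ? undefined : escapeHtml(custom_title),`, or better, escape at the rendering sink after the defaults have been applied. `border_radius` is numeric and `theme` / `rank_icon` are lookup keys, so for those a check against the accepted values is the right fix rather than HTML encoding.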
EOF
package.json
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -68,3 +68,4 @@
     "upgrade": "^1.1.0",
-    "word-wrap": "^1.2.5"
+    "word-wrap": "^1.2.5",
+    "escape-html": "^1.0.3"
   },
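Review bot: the new entry is appended after "word-wrap", breaking the alphabetical order the surrounding entries ("upgrade", "word-wrap") keep; insert `"escape-html": "^1.0.3",` at its sorted position instead, and commit the regenerated lockfile alongside it so the install is reproducible.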
EOF
This fix introduces these dependencies
escape-html (npm), version 1.0.3, security advisories: none
Comment on lines +69 to +79
renderError(
"Something went wrong",
"Username or repository contains unsafe characters",
{
title_color,
text_color,
bg_color,
border_color,
theme,
},
),

Check failure

Code scanning / CodeQL

Reflected cross-site scripting High

Cross-site scripting vulnerability due to a user-provided value. (4 alerts on this range)
include_issues_commented = false,
) => {
let owner = username;
if (reponame && reponame.includes("/")) {

Check failure

Code scanning / CodeQL

Type confusion through parameter tampering Critical

Potential type confusion as this HTTP request parameter may be either an array or a string.

Copilot Autofix

AI 17 days ago

To fix the issue, the type of the repo parameter should be explicitly checked to ensure it is a string before performing any operations on it. This can be done by adding a type check (typeof repo === 'string') in api/pin.js before passing repo to fetchRepo. Additionally, similar type checks should be added in src/fetchers/repo-fetcher.js to ensure reponame is a string before performing operations like includes and split.

Suggested changeset 2
src/fetchers/repo-fetcher.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/fetchers/repo-fetcher.js b/src/fetchers/repo-fetcher.js
--- a/src/fetchers/repo-fetcher.js
+++ b/src/fetchers/repo-fetcher.js
@@ -82,3 +82,3 @@
   let owner = username;
-  if (reponame && reponame.includes("/")) {
+  if (reponame && typeof reponame === 'string' && reponame.includes("/")) {
     const [parsed_owner, parsed_repo] = reponame.split("/");
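Review bot: the added `typeof reponame === 'string'` check makes the `split` branch safe but lets a non-string `reponame` fall through silently: the function carries on with `owner = username` and the array-valued `reponame` reaches whatever uses it next. Reject it explicitly instead, e.g. `if (reponame !== undefined && typeof reponame !== "string") throw new TypeError("reponame must be a string");` before the `if`. Style: the surrounding code uses double quotes (`"/"`), the new condition uses single quotes.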
EOF
api/pin.js
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/api/pin.js b/api/pin.js
--- a/api/pin.js
+++ b/api/pin.js
@@ -65,3 +65,3 @@
     (username && !safePattern.test(username)) ||
-    (repo && !safePattern.test(repo))
+    (repo && (typeof repo !== 'string' || !safePattern.test(repo)))
   ) {
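Review bot: the type check is added for `repo` but not for `username` on the line above, although both come from the same query string and an array-valued `username` is coerced to a comma-joined string by `safePattern.test`; apply the same `typeof username !== 'string'` guard so the two parameters are validated alike. Note also that the leading `repo &&` still lets an empty string through both conditions; if that is intended, a comment would save the next reader from asking.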
EOF
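The two classes of alert on this page, reflected XSS from colour and title parameters and type confusion from array-valued parameters, are easier to handle in one boundary function than by wrapping each call site. Added example, not code from this PR or the project: it assumes the renderer accepts only unprefixed hex colours (an assumption) and re-implements escape-html's substitutions inline so it runs without the package.

```javascript
// Added example (not from the PR or the project): one place to normalise the
// query parameters of a card endpoint, covering both alerts on this page:
// reflected XSS from colour/title values and type confusion when a parameter
// arrives as an array (?repo=a&repo=b). Assumption: colours are unprefixed hex.

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Same substitutions as the escape-html package, but undefined/null stay as
// they are instead of becoming the string "undefined".
function escapeHtml(value) {
  if (value === undefined || value === null) return value;
  return String(value).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Query parsers hand back an array when a key is repeated; reject that
// rather than letting Array#toString() smuggle a comma-joined value through.
function requireScalar(name, value) {
  if (value === undefined) return undefined;
  if (typeof value !== "string") {
    throw new TypeError(`query parameter "${name}" must be a single string`);
  }
  return value;
}

// Colours never need HTML encoding: validate against the shapes the renderer
// is assumed to accept (3/4/6/8 hex digits, no '#') and drop anything else.
const HEX_COLOR = /^([0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})$/i;
function safeColor(name, value) {
  const v = requireScalar(name, value);
  return v !== undefined && HEX_COLOR.test(v) ? v : undefined;
}

// Hypothetical boundary function; the real handler would cover every parameter.
function sanitizeCardQuery(query) {
  return {
    title_color: safeColor("title_color", query.title_color),
    bg_color: safeColor("bg_color", query.bg_color),
    // Free text that is interpolated into the SVG: encode at the boundary.
    custom_title: escapeHtml(requireScalar("custom_title", query.custom_title)),
    repo: requireScalar("repo", query.repo),
  };
}
```

Omitted parameters stay undefined, so the renderer's own defaults still apply; invalid colours are dropped rather than encoded, and a repeated query key is refused outright.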