evanw / node-source-map-support

Adds source map support to node.js (for stack traces)
MIT License

`lastIndexOf` in `sourcemap-register.js` causes Github to flag `Incorrect suffix check` #320

Open yogurtearl opened 1 year ago

yogurtearl commented 1 year ago

I think this sourcemap-register.js file is an output of this module: https://raw.githubusercontent.com/gradle/gradle-build-action/aeb3e0fcd750be80d74f07ee94363abdf2b51020/dist/post/sourcemap-register.js

which contains this:

var n=0;while(r.indexOf(e+"/")!==0){var t=e.lastIndexOf("/");
// Tail of relative(): a -1 from lastIndexOf("/") is caught by the `t<0` guard before it is
// used, so this site is not the "incorrect suffix check" shape (that needs an equality test
// against a length expression that can itself be -1).
if(t<0){return r}e=e.slice(0,t);if(e.match(/^([^\/]+:\/)?\/*$/)){return r}++n}return Array(n+1).join("../")+r.substr(e.length+1)}r.relative=relative;
// Feature detection: true when a null-prototype object does not report "__proto__" via `in`.
// When true, set keys need no escaping and the identity mapping is exported below instead.
var o=function(){var e=Object.create(null);return!("__proto__"in e)}();
function identity(e){return e}
// Escape a key before it is used as a property name of a plain object acting as a set:
// strings accepted by isProtoString() get a leading "$", so the stored key is never the
// literal "__proto__" (which would hit the prototype accessor rather than an own property).
function toSetString(e){if(isProtoString(e)){return"$"+e}return e}
r.toSetString=o?identity:toSetString;
// Inverse of toSetString(): drops the single "$" that toSetString() prepended.
function fromSetString(e){if(isProtoString(e)){return e.slice(1)}return e}
r.fromSetString=o?identity:fromSetString;
// True iff `e` is a non-empty string of length >= 9 whose last nine characters are
// "__proto__" (char codes 95 95 112 114 111 116 111 95 95, tested from the end) and every
// character before them is "$" (36). Anything else, including shorter strings, is false.
function isProtoString(e){if(!e){return false}var r=e.length;if(r<9){return false}if(e.charCodeAt(r-1)!==95||e.charCodeAt(r-2)!==95||e.charCodeAt(r-3)!==111||e.charCodeAt(r-4)!==116||e.charCodeAt(r-5)!==111||e.charCodeAt(r-6)!==114||e.charCodeAt(r-7)!==112||e.charCodeAt(r-8)!==95||e.charCodeAt(r-9)!==95){return false}for(var n=r-10;n>=0;n--){if(e.charCodeAt(n)!==36){return false}}return true}
// Comparator keyed on the original position: source, originalLine, originalColumn, then
// (only when `n` is falsy) generatedColumn, generatedLine, name. A truthy `n` stops after the
// original-column comparison, so mappings that agree on the original position compare equal.
// Returns a negative, zero or positive number like any sort comparator.
function compareByOriginalPositions(e,r,n){var t=strcmp(e.source,r.source);if(t!==0){return t}t=e.originalLine-r.originalLine;if(t!==0){return t}t=e.originalColumn-r.originalColumn;if(t!==0||n){return t}t=e.generatedColumn-r.generatedColumn;if(t!==0){return t}t=e.generatedLine-r.generatedLine;if(t!==0){return t}return strcmp(e.name,r.name)}
r.compareByOriginalPositions=compareByOriginalPositions;
// Same scheme keyed on the generated position: generatedLine, generatedColumn, then
// (only when `n` is falsy) source, originalLine, originalColumn, name.
function compareByGeneratedPositionsDeflated(e,r,n){var t=e.generatedLine-r.generatedLine;if(t!==0){return t}t=e.generatedColumn-r.generatedColumn;if(t!==0||n){return t}t=strcmp(e.source,r.source);if(t!==0){return t}t=e.originalLine-r.originalLine;if(t!==0){return t}t=e.originalColumn-r.originalColumn;if(t!==0){return t}return strcmp(e.name,r.name)}
r.compareByGeneratedPositionsDeflated=compareByGeneratedPositionsDeflated;
// String comparator that also accepts null: identical operands (null===null included) are
// equal, a null operand sorts after any non-null one, otherwise plain `>` ordering applies.
// NOTE(review): `undefined` is not special-cased; `undefined > x` and `x > undefined` are
// both false, so an undefined operand yields -1 on either side — presumably callers never
// pass it (confirm against the mapping normalisation upstream).
function strcmp(e,r){if(e===r){return 0}if(e===null){return 1}if(r===null){return-1}if(e>r){return 1}return-1}
// Two-argument comparator with no early-stop flag: generatedLine, generatedColumn, source,
// originalLine, originalColumn, name.
function compareByGeneratedPositionsInflated(e,r){var n=e.generatedLine-r.generatedLine;if(n!==0){return n}n=e.generatedColumn-r.generatedColumn;if(n!==0){return n}n=strcmp(e.source,r.source);if(n!==0){return n}n=e.originalLine-r.originalLine;if(n!==0){return n}n=e.originalColumn-r.originalColumn;if(n!==0){return n}return strcmp(e.name,r.name)}
r.compareByGeneratedPositionsInflated=compareByGeneratedPositionsInflated;
// Parse source-map JSON after removing a leading ")]}'" line, the prefix some servers put in
// front of JSON responses as an anti-XSSI guard. Only a first-line prefix is stripped;
// malformed input makes JSON.parse throw.
function parseSourceMapInput(e){return JSON.parse(e.replace(/^\)]}'[^\n]*\n/,""))}
r.parseSourceMapInput=parseSourceMapInput;
// Head of computeSourceURL(); the remainder of the function is not part of the quote above.
function computeSourceURL(e,r,n){r=r||"";if(e){if(e[e.length-1]!=="/"&&r[0]!=="/"){e+="/"}r=e+r}if(n){var t=urlParse(n);
if(!t){throw new Error("sourceMapURL could not be parsed")}if(t.path){var o=t.path.lastIndexOf("/");

This causes GitHub Advanced Security to issue this "high" severity error:

https://codeql.github.com/codeql-query-help/javascript/js-incorrect-suffix-check/

It would be great if you could confirm whether this is related to node-source-map-support.

If it is related, can you add the suggested fix here: https://codeql.github.com/codeql-query-help/javascript/js-incorrect-suffix-check/ to avoid the error from GH advanced security. :)

LinusU commented 1 year ago

Searching for lastIndexOf doesn't yield any matches in this repo:

https://github.com/evanw/node-source-map-support/search?q=lastIndexOf

Are you sure that the code is from this package, and could you point me to the code in question in that case? ☺️

yogurtearl commented 1 year ago

As far as I can tell, it was in a sourcemap-register.js file, which I think was generated by node-source-map-support?

I am not clear on where sourcemap-register.js is coming from or where the lastIndexOf in the file is coming from.

See https://github.com/gradle/gradle-build-action/commit/74a56b60ceb3acdc5f4b78fe93546ebf3a42f79c#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519R11

sourcemap-register.js was being generated by running this command:

ncc build src/main.ts --out dist/main --source-map && ncc build src/post.ts --out dist/post --source-map

Adding --no-source-map-register got rid of the sourcemap-register.js file altogether.

calebboyd commented 1 year ago

The heuristic looks like it might apply to indexOf as well (though the example only mentions lastIndexOf).

It looks like it may be this block it's complaining about:

https://github.com/evanw/node-source-map-support/blob/7b5b81eb14c9ee6c6537398262bf7dab8580621c/source-map-support.js#L334-L341

Copied from v8 almost 9 years ago 😅

TheSench commented 2 months ago

I'm seeing the same issue specifically pointed at indexOf:

This suffix check is missing a length comparison to correctly handle indexOf returning -1.

The indexOf and lastIndexOf methods are sometimes used to check if a substring occurs at a certain position in a string. However, if the returned index is compared to an expression that might evaluate to -1, the check may pass in some cases where the substring was not found at all.

The flagged code is the minified version of what @calebboyd referenced above:

image