@alexr00 alexr00 commented Nov 20, 2025

Fixes #8152

@alexr00 alexr00 enabled auto-merge (squash) November 20, 2025 11:31
@alexr00 alexr00 self-assigned this Nov 20, 2025
const InnerAvatar = ({ for: author }: { for: Partial<IAccount> }) => (
<>
{author.avatarUrl ? (
{author.avatarUrl && author.avatarUrl.includes('githubusercontent.com') ? (

Check failure

Code scanning / CodeQL

Incomplete URL substring sanitization High

'githubusercontent.com' can be anywhere in the URL, and arbitrary hosts may come before or after it.

Copilot Autofix

AI about 1 month ago

To fix the issue, the code must reliably verify that the image avatar URL is actually hosted on a trusted domain (githubusercontent.com). Instead of performing a substring check on the entire URL (which could match on path/query, not just the host), we should parse the URL and compare its host property. The best approach is to use the built-in URL constructor (safe in recent browsers and Node.js) to extract the host/domain, and then explicitly check for exact matches or valid subdomains.

Modify line 12 in webviews/components/user.tsx:

  • Parse author.avatarUrl using the URL constructor.
  • Check if the hostname is exactly githubusercontent.com or ends with .githubusercontent.com (to allow subdomains, if intended).
  • Only show the avatar image if this stricter check passes.

No external dependencies are needed.

Suggested changeset 1
webviews/components/user.tsx

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/webviews/components/user.tsx b/webviews/components/user.tsx
--- a/webviews/components/user.tsx
+++ b/webviews/components/user.tsx
@@ -9,7 +9,20 @@
 
 const InnerAvatar = ({ for: author }: { for: Partial<IAccount> }) => (
 	<>
-		{author.avatarUrl && author.avatarUrl.includes('githubusercontent.com') ? (
+		{author.avatarUrl && (() => {
+			try {
+				const host = new URL(author.avatarUrl).hostname;
+				// Only allow githubusercontent.com or its subdomains
+				if (host === 'githubusercontent.com' || host.endsWith('.githubusercontent.com')) {
+					return (
+						<img className="avatar" src={author.avatarUrl} alt="" role="presentation" aria-hidden="true"/>
+					);
+				}
+			} catch {
+				// Malformed URL: fallback to icon
+			}
+			return null;
+		})() ? (
 			<img className="avatar" src={author.avatarUrl} alt="" role="presentation" aria-hidden="true"/>
 		) : (
 			<Icon className="avatar-icon" src={require('../../resources/icons/dark/github.svg')} />
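Review bot: the IIFE in the new condition (`{author.avatarUrl && (() => {` through `})() ? (`) builds and returns an `<img>` element only so that it can be used as a truthy value; the ternary then renders a second, identical `<img>` in its true branch and throws the first one away. Have the IIFE return a boolean instead (`return true;` inside the `if`, `return false;` after the `catch`), or move the check into a small named predicate (something like `isTrustedAvatarHost(author.avatarUrl)`, a suggested name rather than an existing function) so the JSX reads as condition-then-markup. The hostname comparison itself (`host === 'githubusercontent.com' || host.endsWith('.githubusercontent.com')`) is the right replacement for the flagged `includes` substring test, and the empty `catch` correctly sends malformed URLs to the icon fallback.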
EOF
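The host-based check that the CodeQL finding and the autofix describe, as an added TypeScript example that is not code from the PR or from the repository it belongs to: it places the original substring test beside a hostname test and runs both over constructed sample URLs so the difference is visible. The helper names, the sample URLs and the extra `https:` scheme requirement are my additions, not part of the page.

```typescript
// Added example: substring check (as flagged by CodeQL) beside a hostname check.
const TRUSTED_AVATAR_HOST = 'githubusercontent.com';

// The test the PR originally introduced: a substring match over the whole URL.
// It is satisfied by the trusted name appearing anywhere, including path or query.
export function substringCheck(url: string): boolean {
  return url.includes(TRUSTED_AVATAR_HOST);
}

// Host-based check: parse the URL and compare the hostname exactly or as a
// subdomain. The URL constructor throws on malformed or relative input, which
// is treated as "not trusted". The https-only rule is an addition of this example.
export function isTrustedAvatarHost(url: string): boolean {
  let parsed: URL;
  try {
    parsed = new URL(url);
  } catch {
    return false; // malformed URL: caller falls back to the icon
  }
  if (parsed.protocol !== 'https:') {
    return false;
  }
  const host = parsed.hostname; // WHATWG parser already lower-cases it
  return host === TRUSTED_AVATAR_HOST || host.endsWith('.' + TRUSTED_AVATAR_HOST);
}

// Constructed sample inputs (not real avatar URLs). The last four are shapes
// the substring test accepts but the hostname test rejects.
export const SAMPLE_URLS: string[] = [
  'https://avatars.githubusercontent.com/u/12345?v=4',        // subdomain: trusted
  'https://githubusercontent.com/avatar.png',                  // exact host: trusted
  'https://example.test/githubusercontent.com/avatar.png',     // trusted name in the path
  'https://githubusercontent.com.example.test/avatar.png',     // trusted name as a prefix
  'https://example.test/?next=avatars.githubusercontent.com',  // trusted name in the query
  'not a url',                                                 // malformed
];

export interface CheckRow { url: string; substring: boolean; host: boolean; }

// Runs both checks over a list of URLs so the two results can be compared side by side.
export function compareChecks(urls: string[]): CheckRow[] {
  return urls.map(url => ({ url, substring: substringCheck(url), host: isTrustedAvatarHost(url) }));
}

for (const row of compareChecks(SAMPLE_URLS)) {
  console.log(`${row.url}\n  includes(): ${row.substring}  hostname check: ${row.host}`);
}
```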
@vs-code-engineering vs-code-engineering bot added this to the November 2025 milestone Nov 20, 2025
@alexr00 alexr00 merged commit 44310d9 into main Nov 20, 2025
5 of 6 checks passed
@alexr00 alexr00 deleted the alexr00/loose-coyote branch November 20, 2025 11:53

Development

Successfully merging this pull request may close these issues.

Avatar does not show in PR details page

3 participants
