From 937408f3f61ecf0ef5af8e1d82ac6435de07dc39 Mon Sep 17 00:00:00 2001 
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:14:16 +0200 
Subject: [PATCH 01/22] Potential fix for code scanning alert no. 18: Overly permissive regular expression range 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> 
Signed-off-by: mr. m <91018726+mauro-balades@users.noreply.github.com> 
---
 src/zen/mods/ZenThemesCommon.mjs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/zen/mods/ZenThemesCommon.mjs b/src/zen/mods/ZenThemesCommon.mjs 
index 82632939a..14ce3593d 100644 
--- a/src/zen/mods/ZenThemesCommon.mjs 
+++ b/src/zen/mods/ZenThemesCommon.mjs 
@@ -76,7 +76,7 @@ var ZenThemesCommon = {
 for (let [entry, label] of Object.entries(preferences)) {
 const [_, negation = '', os = '', property] = 
- /(!?)(?:(macos|windows|linux):)?([A-z0-9-_.]+)/g.exec(entry); 
+ /(!?)(?:(macos|windows|linux):)?([A-Za-z0-9-_.]+)/g.exec(entry);
 const isNegation = negation === '!';
 if ( 
From 6732a69c2beff448d85060b84fc97173185b7293 Mon Sep 17 00:00:00 2001 
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:16:36 +0200 
Subject: [PATCH 02/22] Potential fix for code scanning alert no. 19: Overly permissive regular expression range 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> 
Signed-off-by: mr. m <91018726+mauro-balades@users.noreply.github.com> 
---
 src/zen/mods/ZenThemesImporter.mjs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/zen/mods/ZenThemesImporter.mjs b/src/zen/mods/ZenThemesImporter.mjs 
index 65bd00888..2b97602d7 100644 
--- a/src/zen/mods/ZenThemesImporter.mjs 
+++ b/src/zen/mods/ZenThemesImporter.mjs 
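Review bot: The destructuring on the `const [_, negation = '', os = '', property] =` line still dereferences the result of `exec` directly, so any key with no run of `[A-Za-z0-9-_.]` characters (an empty key, or one made only of other characters) makes `exec` return null and the loop abort with a TypeError, and because the pattern is unanchored a key such as `foo bar` quietly matches `foo` instead of being rejected. Since the keys come from `preferences`, which appears to be theme-supplied data, a malformed key should be skipped rather than take the whole loop down: `const match = /^(!?)(?:(macos|windows|linux):)?([A-Za-z0-9_.-]+)$/.exec(entry);`, then `if (!match) continue;`, then destructure from `match`. Placing `-` last in the class also removes the `0-9-_` form, which reads as a range and is rejected under the `u` flag, and the `g` flag does nothing useful on a literal that is re-created on every iteration. The enclosing function starts and ends outside the hunk.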
@@ -249,7 +249,7 @@ var gZenThemesImporter = new (class {
 writeToDom(themesWithPreferences) {
 for (const browser of ZenMultiWindowFeature.browsers) {
 for (const { enabled, preferences, name } of themesWithPreferences) { 
- const sanitizedName = `theme-${name?.replaceAll(/\s/g, '-')?.replaceAll(/[^A-z_-]+/g, '')}`; 
+ const sanitizedName = `theme-${name?.replaceAll(/\s/g, '-')?.replaceAll(/[^A-Za-z_-]+/g, '')}`;
 if (enabled !== undefined && !enabled) {
 const element = browser.document.getElementById(sanitizedName); 
From 0310e89c39e6d216d47db8b2a87b3638e2fed271 Mon Sep 17 00:00:00 2001 
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:16:59 +0200 
Subject: [PATCH 03/22] Potential fix for code scanning alert no. 17: Overly permissive regular expression range 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> 
Signed-off-by: mr. m <91018726+mauro-balades@users.noreply.github.com> 
---
 src/browser/components/preferences/zen-settings.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/browser/components/preferences/zen-settings.js b/src/browser/components/preferences/zen-settings.js 
index f26ab7d19..512d2e91d 100644 
--- a/src/browser/components/preferences/zen-settings.js 
+++ b/src/browser/components/preferences/zen-settings.js 
@@ -275,7 +275,7 @@ var gZenMarketplaceManager = {
 const themeList = document.createElement('div');
 for (const theme of Object.values(themes).sort((a, b) => a.name.localeCompare(b.name))) { 
- const sanitizedName = `theme-${theme.name?.replaceAll(/\s/g, '-')?.replaceAll(/[^A-z_-]+/g, '')}`; 
+ const sanitizedName = `theme-${theme.name?.replaceAll(/\s/g, '-')?.replaceAll(/[^A-Za-z_-]+/g, '')}`;
 const isThemeEnabled = theme.enabled === undefined || theme.enabled;
 const fragment = window.MozXULElement.parseXULToFragment(` 
From 1caa6d9aa56397405ad0969e49aca713ced9b69f Mon Sep 17 00:00:00 2001 
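Review bot: The `sanitizedName` expression maps distinct theme names onto one element id: digits are outside `[A-Za-z_-]`, so `Theme 1` and `Theme 2` both collapse to `theme-Theme-`, and a name with no letters collapses to the bare `theme-`; since `browser.document.getElementById(sanitizedName)` is what later selects the element to act on when a theme is disabled, one theme's element can be looked up or removed under another theme's name. At minimum add `0-9` to the class, and if themes carry a stable identifier, derive the id from that rather than from the display name. The identical expression is repeated in the zen-settings.js hunk of PATCH 03/22; if the two are meant to address the same elements they must stay byte-identical, so they belong in one shared helper such as `sanitizeThemeName(name)` in ZenThemesCommon. `name?.` also turns a missing name into `theme-undefined` rather than skipping the entry. The enclosing `writeToDom` body continues outside the hunk.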
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:17:24 +0200 
Subject: [PATCH 04/22] Potential fix for code scanning alert no. 16: Workflow does not contain permissions 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> 
Signed-off-by: mr. m <91018726+mauro-balades@users.noreply.github.com> 
---
 .github/workflows/build.yml | 2 ++
 1 file changed, 2 insertions(+) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml 
index 22ab97059..69e3ae233 100644 
--- a/.github/workflows/build.yml 
+++ b/.github/workflows/build.yml 
@@ -449,6 +449,8 @@ jobs:
 runs-on: ubuntu-latest
 needs: [windows-step-3, linux]
 if: always() 
+ permissions: 
+ contents: read
 steps:
 - name: Download aws-cli
 if: ${{ inputs.create_release && inputs.update_branch == 'release' }} 
From 828c7bea192c329f7d9f83a235877210032df404 Mon Sep 17 00:00:00 2001 
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:18:12 +0200 
Subject: [PATCH 05/22] Potential fix for code scanning alert no. 15: Workflow does not contain permissions 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> 
Signed-off-by: mr. m <91018726+mauro-balades@users.noreply.github.com> 
---
 .github/workflows/windows-release-build.yml | 3 +++
 1 file changed, 3 insertions(+) 
diff --git a/.github/workflows/windows-release-build.yml b/.github/workflows/windows-release-build.yml 
index 91409f8fb..747d86c51 100644 
--- a/.github/workflows/windows-release-build.yml 
+++ b/.github/workflows/windows-release-build.yml 
@@ -1,5 +1,8 @@
 name: Windows Release Build 
+permissions: 
+ contents: read 
+
 on:
 workflow_call:
 inputs: 
From 81b279be5f50bb2e58f7dc8806a12b5c6e0079cc Mon Sep 17 00:00:00 2001 
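Review bot: The job-level `contents: read` lands on the job whose first visible step is guarded by `if: ${{ inputs.create_release && inputs.update_branch == 'release' }}` and downloads aws-cli, i.e. it appears to be the release-publishing job; if any later step creates a GitHub release or pushes tags with `GITHUB_TOKEN`, a read-only token makes that step fail with a 403. Instead of removing the block when that surfaces (as PATCH 21/22 later does for this job and PATCH 17/22 for the Post Build job in twilight-release-schedule.yml), size it to what the job does, e.g. `permissions:` / `  contents: write` here, keeping `contents: read` at workflow level so the other jobs remain least-privilege. The job's steps continue outside the hunk, so whether it writes is inferred from its name and guards.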
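Review bot: In a workflow whose only visible trigger is `workflow_call`, a top-level `permissions:` block can only lower what the calling job passes in, never grant it, so this hunk is a ceiling and the effective least-privilege decision lives in the `permissions:` of the calling jobs in build.yml; the same applies to windows-profile-build.yml in PATCH 06/22 and macos-release-build.yml in PATCH 14/22. A comment above the block, e.g. `# Ceiling only: the token is inherited from the caller in build.yml, which must pin its own permissions`, would keep the next maintainer from treating this file as self-contained.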
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:18:13 +0200 
Subject: [PATCH 06/22] Potential fix for code scanning alert no. 14: Workflow does not contain permissions 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> 
Signed-off-by: mr. m <91018726+mauro-balades@users.noreply.github.com> 
---
 .github/workflows/windows-profile-build.yml | 3 +++
 1 file changed, 3 insertions(+) 
diff --git a/.github/workflows/windows-profile-build.yml b/.github/workflows/windows-profile-build.yml 
index 810c3fcb3..0a5e78d91 100644 
--- a/.github/workflows/windows-profile-build.yml 
+++ b/.github/workflows/windows-profile-build.yml 
@@ -1,5 +1,8 @@
 name: Windows PGO Builds 
+permissions: 
+ contents: read 
+
 on:
 workflow_call:
 inputs: 
From 34dc835631de8445195058bee71a3eccf1bde18f Mon Sep 17 00:00:00 2001 
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:18:15 +0200 
Subject: [PATCH 07/22] Potential fix for code scanning alert no. 13: Workflow does not contain permissions 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> 
Signed-off-by: mr. m <91018726+mauro-balades@users.noreply.github.com> 
---
 .github/workflows/twilight-release-schedule.yml | 2 ++
 1 file changed, 2 insertions(+) 
diff --git a/.github/workflows/twilight-release-schedule.yml b/.github/workflows/twilight-release-schedule.yml 
index 96a0b8202..e3ae79731 100644 
--- a/.github/workflows/twilight-release-schedule.yml 
+++ b/.github/workflows/twilight-release-schedule.yml 
@@ -27,6 +27,8 @@ jobs:
 name: Post Build
 runs-on: ubuntu-latest
 needs: twilight-release-schedule 
+ permissions: 
+ contents: read
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4 
From 77bc3ced5de0cf08603ddafeb8f1df7af694ab1a Mon Sep 17 00:00:00 2001 
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:18:25 +0200 
Subject: [PATCH 08/22] Potential fix for code scanning alert no. 9: Workflow does not contain permissions 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> 
Signed-off-by: mr. m <91018726+mauro-balades@users.noreply.github.com> 
---
 .github/workflows/macos-universal-release-build.yml | 6 ++++++
 1 file changed, 6 insertions(+) 
diff --git a/.github/workflows/macos-universal-release-build.yml b/.github/workflows/macos-universal-release-build.yml 
index 0f91da33f..6141c668f 100644 
--- a/.github/workflows/macos-universal-release-build.yml 
+++ b/.github/workflows/macos-universal-release-build.yml 
@@ -1,5 +1,11 @@
 name: macOS Release Build 
+permissions: 
+ contents: read 
+ actions: read 
+ packages: read 
+ id-token: write 
+
 on:
 workflow_call:
 inputs: 
From fc908f9d4a0b67b91d68183deb6a30711e6ea28f Mon Sep 17 00:00:00 2001 
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:18:30 +0200 
Subject: [PATCH 09/22] Potential fix for code scanning alert no. 5: Workflow does not contain permissions 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> 
Signed-off-by: mr. m <91018726+mauro-balades@users.noreply.github.com> 
---
 .github/workflows/issue-metrics.yml | 3 +++
 1 file changed, 3 insertions(+) 
diff --git a/.github/workflows/issue-metrics.yml b/.github/workflows/issue-metrics.yml 
index a2b067b5b..1444c53a1 100644 
--- a/.github/workflows/issue-metrics.yml 
+++ b/.github/workflows/issue-metrics.yml 
@@ -1,4 +1,7 @@
 name: Monthly issue metrics 
+permissions: 
+ contents: write 
+ issues: read
 on:
 workflow_dispatch:
 schedule: 
From 4b14c1e2f8030eea316c86204559dda4397137ef Mon Sep 17 00:00:00 2001 
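Review bot: `id-token: write` lets every step in this workflow mint an OIDC token for cloud-provider federation, and `actions: read` / `packages: read` widen the token beyond the `contents: read` given to the sibling release workflows in this series, yet no step visible in the hunk uses any of them. Each extra scope should be justified by the step that needs it — ideally moved onto that job's `permissions:` — and dropped otherwise; where a step does assume a cloud role via OIDC, a comment such as `# id-token: write is needed by <the assume-role step> for OIDC federation` records why the scope exists. The steps are outside the hunk, so this is inferred from the workflow name and the rest of the series.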
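Review bot: The two scopes look inverted for a metrics job: `contents: write` lets this scheduled run push to the repository, which nothing visible suggests it needs, while `issues: read` will not suffice if the monthly report is posted as an issue, a common shape for issue-metrics workflows that would then fail on create. Check the steps below the hunk; the expected block is `permissions:` / `  contents: read` / `  issues: write`, with `contents: write` kept only if the report is committed to the repository. A blank line between `issues: read` and `on:` would also match the layout of the other workflow hunks in the series (PATCH 12/22 and 14/22 have the same missing separator).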
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:18:35 +0200 
Subject: [PATCH 10/22] Potential fix for code scanning alert no. 2: Workflow does not contain permissions 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> 
Signed-off-by: mr. m <91018726+mauro-balades@users.noreply.github.com> 
---
 .github/workflows/code-linter.yml | 3 +++
 1 file changed, 3 insertions(+) 
diff --git a/.github/workflows/code-linter.yml b/.github/workflows/code-linter.yml 
index 5b88766fe..dd7e1c633 100644 
--- a/.github/workflows/code-linter.yml 
+++ b/.github/workflows/code-linter.yml 
@@ -10,6 +10,9 @@ on:
 branches:
 - dev 
+permissions: 
+ contents: read 
+
 jobs:
 lint:
 runs-on: ubuntu-latest 
From 67a52ae02c1c9a460cea013f18b54f1c2c5c91f3 Mon Sep 17 00:00:00 2001 
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:18:37 +0200 
Subject: [PATCH 11/22] Potential fix for code scanning alert no. 1: Workflow does not contain permissions 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> 
Signed-off-by: mr. m <91018726+mauro-balades@users.noreply.github.com> 
---
 .github/workflows/check-candidate-release.yml | 3 +++
 1 file changed, 3 insertions(+) 
diff --git a/.github/workflows/check-candidate-release.yml b/.github/workflows/check-candidate-release.yml 
index 4b7c2a981..57e8c0384 100644 
--- a/.github/workflows/check-candidate-release.yml 
+++ b/.github/workflows/check-candidate-release.yml 
@@ -5,6 +5,9 @@ on:
 - cron: '59 4 * * 2'
 workflow_dispatch: 
+permissions: 
+ contents: read 
+
 jobs:
 check_candidates:
 runs-on: ubuntu-latest 
From d19a484cb0a290148aab6f46115cc99a87ccad90 Mon Sep 17 00:00:00 2001 
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:19:55 +0200 
Subject: [PATCH 12/22] Potential fix for code scanning alert no. 12: Workflow does not contain permissions 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> 
Signed-off-by: mr. m <91018726+mauro-balades@users.noreply.github.com> 
---
 .github/workflows/pr-test.yml | 2 ++
 1 file changed, 2 insertions(+) 
diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml 
index 2d18f0dcc..9dd93d598 100644 
--- a/.github/workflows/pr-test.yml 
+++ b/.github/workflows/pr-test.yml 
@@ -1,4 +1,6 @@
 name: Pull request test 
+permissions: 
+ contents: read
 on:
 pull_request: 
From 07296f19a6c637d4453fb2bbf8b8cf4cc232c34a Mon Sep 17 00:00:00 2001 
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:26:23 +0200 
Subject: [PATCH 13/22] Potential fix for code scanning alert no. 11: Workflow does not contain permissions 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> 
Signed-off-by: mr. m <91018726+mauro-balades@users.noreply.github.com> 
---
 .github/workflows/build.yml | 2 ++
 1 file changed, 2 insertions(+) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml 
index 69e3ae233..9fa749a19 100644 
--- a/.github/workflows/build.yml 
+++ b/.github/workflows/build.yml 
@@ -199,6 +199,8 @@ jobs:
 name: Lint
 check-release: 
+ permissions: 
+ contents: read
 runs-on: ubuntu-latest
 needs: [build-data, lint]
 steps: 
From 744618ac25c0517d7ce6869844347994f844785f Mon Sep 17 00:00:00 2001 
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:26:26 +0200 
Subject: [PATCH 14/22] Potential fix for code scanning alert no. 8: Workflow does not contain permissions 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> 
Signed-off-by: mr. m <91018726+mauro-balades@users.noreply.github.com> 
---
 .github/workflows/macos-release-build.yml | 2 ++
 1 file changed, 2 insertions(+) 
diff --git a/.github/workflows/macos-release-build.yml b/.github/workflows/macos-release-build.yml 
index 28f2c1878..e566641d9 100644 
--- a/.github/workflows/macos-release-build.yml 
+++ b/.github/workflows/macos-release-build.yml 
@@ -1,4 +1,6 @@
 name: macOS Release Build 
+permissions: 
+ contents: read
 on:
 workflow_call: 
From 4ad29e0ca52dc7e30c46f7dc4873079c0e40075a Mon Sep 17 00:00:00 2001 
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:28:57 +0200 
Subject: [PATCH 15/22] Potential fix for code scanning alert no. 20: Workflow does not contain permissions 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> 
Signed-off-by: mr. m <91018726+mauro-balades@users.noreply.github.com> 
---
 .github/workflows/build.yml | 2 ++
 1 file changed, 2 insertions(+) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml 
index 9fa749a19..0ba082d0c 100644 
--- a/.github/workflows/build.yml 
+++ b/.github/workflows/build.yml 
@@ -194,6 +194,8 @@ jobs:
 commit_user_email: zen-browser-auto@users.noreply.github.com
 lint: 
+ permissions: 
+ contents: read
 uses: ./.github/workflows/code-linter.yml
 needs: [build-data]
 name: Lint 
From 8451a71af7d1e6cd88debe307ea82e0ca782b314 Mon Sep 17 00:00:00 2001 
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:31:08 +0200 
Subject: [PATCH 16/22] Potential fix for code scanning alert no. 6: Workflow does not contain permissions 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> 
Signed-off-by: mr. m <91018726+mauro-balades@users.noreply.github.com> 
---
 .github/workflows/build.yml | 8 ++++++++
 1 file changed, 8 insertions(+) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml 
index 0ba082d0c..a8ec6a474 100644 
--- a/.github/workflows/build.yml 
+++ b/.github/workflows/build.yml 
@@ -1,5 +1,8 @@
 name: Zen Release builds 
+permissions: 
+ contents: read 
+
 on:
 workflow_dispatch:
 inputs: 
@@ -77,6 +80,9 @@ jobs:
 echo "bid=${bdat}" >> $GITHUB_OUTPUT
 start-self-host: 
+ permissions: 
+ contents: read 
+ secrets: read
 runs-on: ubuntu-latest
 needs: debug-inputs
 steps: 
@@ -102,6 +108,8 @@ jobs:
 rm start.sh || true
 check-build-is-correct: 
+ permissions: 
+ contents: read
 runs-on: ubuntu-latest
 needs: [debug-inputs]
 steps: 
From a2b1b38e0cc49a23d1e73686a640d17b6dbd7f1a Mon Sep 17 00:00:00 2001 
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:37:24 +0200 
Subject: [PATCH 17/22] Revert "Potential fix for code scanning alert no. 13: Workflow does not contain permissions" 
---
 .github/workflows/twilight-release-schedule.yml | 2 --
 1 file changed, 2 deletions(-) 
diff --git a/.github/workflows/twilight-release-schedule.yml b/.github/workflows/twilight-release-schedule.yml 
index e3ae79731..96a0b8202 100644 
--- a/.github/workflows/twilight-release-schedule.yml 
+++ b/.github/workflows/twilight-release-schedule.yml 
@@ -27,8 +27,6 @@ jobs:
 name: Post Build
 runs-on: ubuntu-latest
 needs: twilight-release-schedule 
- permissions: 
- contents: read
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4 
From f594a0b5c0cdbeb6cd30ea045a8e2b8690340295 Mon Sep 17 00:00:00 2001 
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:39:27 +0200 
Subject: [PATCH 18/22] Revert "Potential fix for code scanning alert no. 6: Workflow does not contain permissions" 
---
 .github/workflows/build.yml | 8 --------
 1 file changed, 8 deletions(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml 
index a8ec6a474..0ba082d0c 100644 
--- a/.github/workflows/build.yml 
+++ b/.github/workflows/build.yml 
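Review bot: `secrets: read` under `permissions:` in the `start-self-host` hunk is not a recognised scope — the accepted keys are the GITHUB_TOKEN scopes such as `actions`, `contents`, `id-token`, `packages`, `pull-requests` — so the file should fail workflow validation and the whole Zen Release builds workflow stops running until the line goes, which is presumably why PATCH 18/22 reverts this commit wholesale. Access to repository secrets is not governed by `permissions:` at all, so the job block should be just `permissions:` / `  contents: read`; if the intent was to record that this job consumes secrets, a comment such as `# this job reads repository secrets; secret access is not a permissions: scope` is the place for it. Keeping the valid parts of this commit (the top-level `contents: read` and the `check-build-is-correct` block) rather than reverting all three hunks would preserve the intended hardening.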
@@ -1,8 +1,5 @@
 name: Zen Release builds 
-permissions: 
- contents: read 
-
 on:
 workflow_dispatch:
 inputs: 
@@ -80,9 +77,6 @@ jobs:
 echo "bid=${bdat}" >> $GITHUB_OUTPUT
 start-self-host: 
- permissions: 
- contents: read 
- secrets: read
 runs-on: ubuntu-latest
 needs: debug-inputs
 steps: 
@@ -108,8 +102,6 @@ jobs:
 rm start.sh || true
 check-build-is-correct: 
- permissions: 
- contents: read
 runs-on: ubuntu-latest
 needs: [debug-inputs]
 steps: 
From 531f569f3a4df77d57def1c10944e860da121780 Mon Sep 17 00:00:00 2001 
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:41:06 +0200 
Subject: [PATCH 19/22] Revert "Potential fix for code scanning alert no. 11: Workflow does not contain permissions" 
---
 .github/workflows/build.yml | 2 --
 1 file changed, 2 deletions(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml 
index 0ba082d0c..642f5f5a7 100644 
--- a/.github/workflows/build.yml 
+++ b/.github/workflows/build.yml 
@@ -201,8 +201,6 @@ jobs:
 name: Lint
 check-release: 
- permissions: 
- contents: read
 runs-on: ubuntu-latest
 needs: [build-data, lint]
 steps: 
From 5880636b3a668a65790d98ed067b971429a7b6a4 Mon Sep 17 00:00:00 2001 
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:41:11 +0200 
Subject: [PATCH 20/22] Revert "Potential fix for code scanning alert no. 20: Workflow does not contain permissions" 
---
 .github/workflows/build.yml | 2 --
 1 file changed, 2 deletions(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml 
index 0ba082d0c..9fa749a19 100644 
--- a/.github/workflows/build.yml 
+++ b/.github/workflows/build.yml 
@@ -194,8 +194,6 @@ jobs:
 commit_user_email: zen-browser-auto@users.noreply.github.com
 lint: 
- permissions: 
- contents: read
 uses: ./.github/workflows/code-linter.yml
 needs: [build-data]
 name: Lint 
From 40baf2627ce9d110ede34fc6cb055f4c3f6d2d47 Mon Sep 17 00:00:00 2001 
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:41:14 +0200 
Subject: [PATCH 21/22] Revert "Potential fix for code scanning alert no. 16: Workflow does not contain permissions" 
---
 .github/workflows/build.yml | 2 --
 1 file changed, 2 deletions(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml 
index 0ba082d0c..402fc55d9 100644 
--- a/.github/workflows/build.yml 
+++ b/.github/workflows/build.yml 
@@ -453,8 +453,6 @@ jobs:
 runs-on: ubuntu-latest
 needs: [windows-step-3, linux]
 if: always() 
- permissions: 
- contents: read
 steps:
 - name: Download aws-cli
 if: ${{ inputs.create_release && inputs.update_branch == 'release' }} 
From b8254fdd365de36f075cb4983a03b6c2cc285a25 Mon Sep 17 00:00:00 2001 
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com> 
Date: Wed, 14 May 2025 10:42:46 +0200 
Subject: [PATCH 22/22] Revert "Potential fix for code scanning alert no. 9: Workflow does not contain permissions" 
---
 .github/workflows/macos-universal-release-build.yml | 6 ------
 1 file changed, 6 deletions(-) 
diff --git a/.github/workflows/macos-universal-release-build.yml b/.github/workflows/macos-universal-release-build.yml 
index 6141c668f..0f91da33f 100644 
--- a/.github/workflows/macos-universal-release-build.yml 
+++ b/.github/workflows/macos-universal-release-build.yml 
@@ -1,11 +1,5 @@
 name: macOS Release Build 
-permissions: 
- contents: read 
- actions: read 
- packages: read 
- id-token: write 
-
 on:
 workflow_call:
 inputs: