fix: address remaining CodeQL alerts (#332)

2026-04-04 17:58:35 +05:30
parent cdc92d16e4
commit a0bdab24c0
4 changed files with 134 additions and 1 deletions
--- a/vscode-extension/openclaude-vscode/src/state.js
+++ b/vscode-extension/openclaude-vscode/src/state.js
@@ -109,6 +109,19 @@ function isLocalBaseUrl(baseUrl) {
  }
 }

+function getHostname(baseUrl) {
+  const normalized = asNonEmptyString(baseUrl);
+  if (!normalized) {
+    return null;
+  }
+
+  try {
+    return new URL(normalized).hostname.toLowerCase();
+  } catch {
+    return null;
+  }
+}
+
 function resolveCommandCheckPath(command, workspacePath) {
  const normalized = asNonEmptyString(command);
  if (!normalized) {
@@ -241,6 +254,7 @@ function hasCodexAlias(model) {
 function getOpenAICompatibleLabel(baseUrl, model) {
  const normalizedBaseUrl = (asNonEmptyString(baseUrl) || '').toLowerCase();
  const normalizedModel = (asNonEmptyString(model) || '').toLowerCase();
+  const hostname = getHostname(baseUrl);

  if (hasCodexBaseUrl(baseUrl) || (!baseUrl && hasCodexAlias(model))) {
    return 'Codex';
@@ -278,7 +292,7 @@ function getOpenAICompatibleLabel(baseUrl, model) {
    return 'Azure OpenAI';
  }

-  if (normalizedBaseUrl.includes('api.openai.com') || !normalizedBaseUrl) {
+  if (hostname === 'api.openai.com' || !normalizedBaseUrl) {
    return 'OpenAI';
  }

--- a/vscode-extension/openclaude-vscode/src/state.test.js
+++ b/vscode-extension/openclaude-vscode/src/state.test.js
@@ -158,6 +158,44 @@ test('describeProviderState reports LM Studio from openai profile base url', ()
  );
 });

+test('describeProviderState does not treat substring-matched OpenAI hosts as OpenAI', () => {
+  assert.deepEqual(
+    describeProviderState({
+      shimEnabled: false,
+      env: {
+        CLAUDE_CODE_USE_OPENAI: '1',
+        OPENAI_BASE_URL: 'https://evil.example/path/api.openai.com/v1',
+        OPENAI_MODEL: 'gpt-4o',
+      },
+      profile: null,
+    }),
+    {
+      label: 'OpenAI-compatible',
+      detail: 'gpt-4o',
+      source: 'env',
+    },
+  );
+});
+
+test('describeProviderState reports OpenAI when the parsed host is api.openai.com', () => {
+  assert.deepEqual(
+    describeProviderState({
+      shimEnabled: false,
+      env: {
+        CLAUDE_CODE_USE_OPENAI: '1',
+        OPENAI_BASE_URL: 'https://api.openai.com/v1',
+        OPENAI_MODEL: 'gpt-4o',
+      },
+      profile: null,
+    }),
+    {
+      label: 'OpenAI',
+      detail: 'gpt-4o',
+      source: 'env',
+    },
+  );
+});
+
 test('describeProviderState reports environment-backed provider details', () => {
  assert.deepEqual(
    describeProviderState({