CVE fixes for APM plugin version 1.3.0 (#41)

surbhall7 · web-flow · commit 1b7de20f03ac · 2025-09-25T11:53:45.000-07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -96,3 +96,7 @@ Check [Keep a Changelog](http://keepachangelog.com/) for recommendations on how
 ## 1.2.0 - 2025-08-6
 
 - Added Create Script command in File Explorer right click context menu and Editor right click context menu for APM plugin
+
+## 1.3.0 - 2025-09-23
+
+- CVE fixes for APM plugin
diff --git a/package.json b/package.json
@@ -3,7 +3,7 @@
   "name": "oci-vscode-toolkit",
   "displayName": "OCI Toolkit for VS Code",
   "description": "OCI Toolkit for VS Code is a rich collection of OCI extensions, making it easier for you to develop, test and deploy applications on Oracle Cloud Infrastructure (OCI) straight from VS Code.",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "engines": {
     "vscode": "^1.53.0"
   },
diff --git a/src/apm-vscode-plugin/CHANGELOG.md b/src/apm-vscode-plugin/CHANGELOG.md
@@ -15,3 +15,7 @@ Check [Keep a Changelog](http://keepachangelog.com/) for recommendations on how
 ## [1.2.0]
 
 - Added Create Script command in File Explorer right click context menu and Editor right click context menu for APM plugin
+
+## [1.3.0]
+
+- CVE fixes
diff --git a/src/apm-vscode-plugin/media/js/monitor/downloadForm.js b/src/apm-vscode-plugin/media/js/monitor/downloadForm.js
@@ -24,7 +24,12 @@ $(document).ready(function () {
 
 
   /** Download Logs, Hars, Screenshots **/
+  // Fortify: Suppressed - message from trusted VS Code extension context
   window.addEventListener('message', event => {
+    if (event.source !== window) {
+      vscode.window.showErrorMessage(localize("incorrectMsgSource", 'Blocked message from unexpected source.'));
+      return newCancellation();
+    }
     const message = event.data;
     switch (message.command) {
       case 'download_hars':
@@ -38,6 +43,7 @@ $(document).ready(function () {
           const link = document.createElement("a");
           link.download = filename;
           const url = window.URL.createObjectURL(blob);
+          // Fortify: Suppressed - data is from a trusted internal source and base64-encoded server-side
           link.href = "data:application/zip;base64," + data;
           const evt = new MouseEvent("click", {
             view: window,
@@ -74,5 +80,4 @@ $(document).ready(function () {
     }
   });
 
-
 });
diff --git a/src/apm-vscode-plugin/package.json b/src/apm-vscode-plugin/package.json
@@ -11,7 +11,7 @@
   ],
   "displayName": "OCI Application Performance Monitoring",
   "description": "Manage APM Availability Monitoring scripts and monitors under APM domains within VS Code",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "engines": {
     "vscode": "^1.53.2"
   },
