@dytsou/github-readme-stats 1.0.1

package/src/fetchers/top-languages.js

@@ -0,0 +1,192 @@
+// @ts-check
+
+import { retryer } from "../common/retryer.js";
+import { logger } from "../common/log.js";
+import { excludeRepositories } from "../common/envs.js";
+import { CustomError, MissingParamError } from "../common/error.js";
+import { wrapTextMultiline } from "../common/fmt.js";
+import { request } from "../common/http.js";
+
+/**
+ * Top languages fetcher object.
+ *
+ * @param {any} variables Fetcher variables.
+ * @param {string} token GitHub token.
+ * @returns {Promise<import("axios").AxiosResponse>} Languages fetcher response.
+ */
+const fetcher = (variables, token) => {
+  return request(
+    {
+      query: `
+      query userInfo($login: String!) {
+        user(login: $login) {
+          # fetch only owner repos & not forks
+          repositories(ownerAffiliations: OWNER, isFork: false, first: 100) {
+            nodes {
+              name
+              languages(first: 10, orderBy: {field: SIZE, direction: DESC}) {
+                edges {
+                  size
+                  node {
+                    color
+                    name
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+      `,
+      variables,
+    },
+    {
+      Authorization: `token ${token}`,
+    },
+  );
+};
+
+/**
+ * @typedef {import("./types").TopLangData} TopLangData Top languages data.
+ */
+
+/**
+ * Fetch top languages for a given username.
+ *
+ * @param {string} username GitHub username.
+ * @param {string[]} exclude_repo List of repositories to exclude.
+ * @param {number} size_weight Weightage to be given to size.
+ * @param {number} count_weight Weightage to be given to count.
+ * @returns {Promise<TopLangData>} Top languages data.
+ */
+const fetchTopLanguages = async (
+  username,
+  exclude_repo = [],
+  size_weight = 1,
+  count_weight = 0,
+) => {
+  if (!username) {
+    throw new MissingParamError(["username"]);
+  }
+
+  const res = await retryer(fetcher, { login: username });
+
+  // Check if response has expected structure
+  if (!res || !res.data) {
+    logger.error("Invalid response structure:", res);
+    throw new CustomError(
+      "Invalid response from GitHub API.",
+      CustomError.GRAPHQL_ERROR,
+    );
+  }
+
+  if (res.data.errors) {
+    logger.error(res.data.errors);
+    if (res.data.errors[0].type === "NOT_FOUND") {
+      throw new CustomError(
+        res.data.errors[0].message || "Could not fetch user.",
+        CustomError.USER_NOT_FOUND,
+      );
+    }
+    if (res.data.errors[0].message) {
+      throw new CustomError(
+        wrapTextMultiline(res.data.errors[0].message, 90, 1)[0],
+        res.statusText,
+      );
+    }
+    throw new CustomError(
+      "Something went wrong while trying to retrieve the language data using the GraphQL API.",
+      CustomError.GRAPHQL_ERROR,
+    );
+  }
+
+  // Check if user data exists
+  if (!res.data.data || !res.data.data.user) {
+    logger.error("Missing user data in response:", res.data);
+    throw new CustomError(
+      "Could not fetch user data from GitHub API. The user might not exist or the API token might be invalid.",
+      CustomError.USER_NOT_FOUND,
+    );
+  }
+
+  // Check if repositories data exists
+  if (
+    !res.data.data.user.repositories ||
+    !res.data.data.user.repositories.nodes
+  ) {
+    logger.error("Missing repositories data in response:", res.data.data.user);
+    throw new CustomError(
+      "Could not fetch repositories data from GitHub API.",
+      CustomError.GRAPHQL_ERROR,
+    );
+  }
+
+  let repoNodes = res.data.data.user.repositories.nodes;
+  /** @type {Record<string, boolean>} */
+  let repoToHide = {};
+  const allExcludedRepos = [...exclude_repo, ...excludeRepositories];
+
+  // populate repoToHide map for quick lookup
+  // while filtering out
+  if (allExcludedRepos) {
+    allExcludedRepos.forEach((repoName) => {
+      repoToHide[repoName] = true;
+    });
+  }
+
+  // filter out repositories to be hidden
+  repoNodes = repoNodes
+    .sort((a, b) => b.size - a.size)
+    .filter((name) => !repoToHide[name.name]);
+
+  let repoCount = 0;
+
+  repoNodes = repoNodes
+    .filter((node) => node.languages.edges.length > 0)
+    // flatten the list of language nodes
+    .reduce((acc, curr) => curr.languages.edges.concat(acc), [])
+    .reduce((acc, prev) => {
+      // get the size of the language (bytes)
+      let langSize = prev.size;
+
+      // if we already have the language in the accumulator
+      // & the current language name is same as previous name
+      // add the size to the language size and increase repoCount.
+      if (acc[prev.node.name] && prev.node.name === acc[prev.node.name].name) {
+        langSize = prev.size + acc[prev.node.name].size;
+        repoCount += 1;
+      } else {
+        // reset repoCount to 1
+        // language must exist in at least one repo to be detected
+        repoCount = 1;
+      }
+      return {
+        ...acc,
+        [prev.node.name]: {
+          name: prev.node.name,
+          color: prev.node.color,
+          size: langSize,
+          count: repoCount,
+        },
+      };
+    }, {});
+
+  Object.keys(repoNodes).forEach((name) => {
+    // comparison index calculation
+    repoNodes[name].size =
+      Math.pow(repoNodes[name].size, size_weight) *
+      Math.pow(repoNodes[name].count, count_weight);
+  });
+
+  const topLangs = Object.keys(repoNodes)
+    .sort((a, b) => repoNodes[b].size - repoNodes[a].size)
+    .reduce((result, key) => {
+      result[key] = repoNodes[key];
+      return result;
+    }, {});
+
+  return topLangs;
+};
+
+export { fetchTopLanguages };
+export default fetchTopLanguages;

package/src/fetchers/types.d.ts

@@ -0,0 +1,118 @@
+export type GistData = {
+  name: string;
+  nameWithOwner: string;
+  description: string | null;
+  language: string | null;
+  starsCount: number;
+  forksCount: number;
+};
+
+export type RepositoryData = {
+  name: string;
+  nameWithOwner: string;
+  isPrivate: boolean;
+  isArchived: boolean;
+  isTemplate: boolean;
+  stargazers: { totalCount: number };
+  description: string;
+  primaryLanguage: {
+    color: string;
+    id: string;
+    name: string;
+  };
+  forkCount: number;
+  starCount: number;
+};
+
+export type StatsData = {
+  name: string;
+  totalPRs: number;
+  totalPRsMerged: number;
+  mergedPRsPercentage: number;
+  totalReviews: number;
+  totalCommits: number;
+  totalIssues: number;
+  totalStars: number;
+  totalDiscussionsStarted: number;
+  totalDiscussionsAnswered: number;
+  contributedTo: number;
+  rank: { level: string; percentile: number };
+};
+
+export type Lang = {
+  name: string;
+  color: string;
+  size: number;
+};
+
+export type TopLangData = Record<string, Lang>;
+
+export type WakaTimeData = {
+  categories: {
+    digital: string;
+    hours: number;
+    minutes: number;
+    name: string;
+    percent: number;
+    text: string;
+    total_seconds: number;
+  }[];
+  daily_average: number;
+  daily_average_including_other_language: number;
+  days_including_holidays: number;
+  days_minus_holidays: number;
+  editors: {
+    digital: string;
+    hours: number;
+    minutes: number;
+    name: string;
+    percent: number;
+    text: string;
+    total_seconds: number;
+  }[];
+  holidays: number;
+  human_readable_daily_average: string;
+  human_readable_daily_average_including_other_language: string;
+  human_readable_total: string;
+  human_readable_total_including_other_language: string;
+  id: string;
+  is_already_updating: boolean;
+  is_coding_activity_visible: boolean;
+  is_including_today: boolean;
+  is_other_usage_visible: boolean;
+  is_stuck: boolean;
+  is_up_to_date: boolean;
+  languages: {
+    digital: string;
+    hours: number;
+    minutes: number;
+    name: string;
+    percent: number;
+    text: string;
+    total_seconds: number;
+  }[];
+  operating_systems: {
+    digital: string;
+    hours: number;
+    minutes: number;
+    name: string;
+    percent: number;
+    text: string;
+    total_seconds: number;
+  }[];
+  percent_calculated: number;
+  range: string;
+  status: string;
+  timeout: number;
+  total_seconds: number;
+  total_seconds_including_other_language: number;
+  user_id: string;
+  username: string;
+  writes_only: boolean;
+};
+
+export type WakaTimeLang = {
+  name: string;
+  text: string;
+  percent: number;
+};

package/src/fetchers/wakatime.js

@@ -0,0 +1,109 @@
+// @ts-check
+
+import axios from "axios";
+import { CustomError, MissingParamError } from "../common/error.js";
+
+/**
+ * Allowed WakaTime API domains whitelist.
+ * Only these domains are permitted to prevent SSRF attacks.
+ */
+const ALLOWED_WAKATIME_DOMAINS = ["wakatime.com", "api.wakatime.com"];
+
+/**
+ * Validates that the provided domain is in the allowed whitelist.
+ * Uses URL parsing to extract only the hostname, preventing SSRF attacks
+ * by stripping protocol, port, path, and other components.
+ *
+ * @param {string} domain The domain to validate.
+ * @returns {boolean} True if domain is allowed, false otherwise.
+ */
+const isValidWakatimeDomain = (domain) => {
+  if (!domain) {
+    return true; // Default to wakatime.com if not provided
+  }
+
+  // Parse as a URL and extract hostname to prevent SSRF
+  let hostname;
+  try {
+    // Remove any existing protocol and ensure we have one for parsing
+    const domainWithoutProtocol = domain.replace(/^(https?:\/\/)/i, "");
+    // Use URL constructor to parse and extract only the hostname
+    const urlObj = new URL(`https://${domainWithoutProtocol}`);
+    hostname = urlObj.hostname.toLowerCase();
+  } catch {
+    // Invalid URL format - reject
+    return false;
+  }
+
+  // Check against whitelist using only the extracted hostname
+  return ALLOWED_WAKATIME_DOMAINS.includes(hostname);
+};
+
+/**
+ * WakaTime data fetcher.
+ *
+ * @param {{username: string, api_domain: string }} props Fetcher props.
+ * @returns {Promise<import("./types").WakaTimeData>} WakaTime data response.
+ */
+const fetchWakatimeStats = async ({ username, api_domain }) => {
+  if (!username) {
+    throw new MissingParamError(["username"]);
+  }
+
+  // Validate api_domain against whitelist to prevent SSRF
+  if (api_domain && !isValidWakatimeDomain(api_domain)) {
+    throw new CustomError(
+      "Invalid API domain. Only whitelisted WakaTime domains are allowed.",
+      "WAKATIME_ERROR",
+    );
+  }
+
+  // Extract and sanitize hostname using URL parsing
+  // After validation, select domain from whitelist to prevent SSRF
+  // This ensures CodeQL recognizes that domain is not user-controlled
+  let domain = "wakatime.com"; // Default safe domain
+  if (api_domain) {
+    try {
+      // Remove any existing protocol and ensure we have one for parsing
+      const domainWithoutProtocol = api_domain.replace(/^(https?:\/\/)/i, "");
+      // Use URL constructor to extract only the hostname (validated by isValidWakatimeDomain)
+      const urlObj = new URL(`https://${domainWithoutProtocol}`);
+      const extractedHostname = urlObj.hostname.toLowerCase();
+
+      // Select domain from whitelist using explicit lookup
+      // This ensures domain can only be one of the whitelisted constants
+      if (extractedHostname === "wakatime.com") {
+        domain = "wakatime.com";
+      } else if (extractedHostname === "api.wakatime.com") {
+        domain = "api.wakatime.com";
+      }
+      // If extractedHostname doesn't match whitelist, domain remains default "wakatime.com"
+    } catch {
+      // Should not happen if validation passed, but domain already set to safe default
+    }
+  }
+
+  // URL-encode username to prevent path injection
+  const encodedUsername = encodeURIComponent(username);
+
+  // Construct URL using only whitelisted domain constants
+  // Domain is guaranteed to be from ALLOWED_WAKATIME_DOMAINS, preventing SSRF
+  const apiUrl = `https://${domain}/api/v1/users/${encodedUsername}/stats?is_including_today=true`;
+
+  try {
+    const { data } = await axios.get(apiUrl);
+
+    return data.data;
+  } catch (err) {
+    if (err.response?.status < 200 || err.response?.status > 299) {
+      throw new CustomError(
+        `Could not resolve to a User with the login of '${username}'`,
+        "WAKATIME_USER_NOT_FOUND",
+      );
+    }
+    throw err;
+  }
+};
+
+export { fetchWakatimeStats };
+export default fetchWakatimeStats;

package/src/index.js

@@ -0,0 +1,2 @@
+export * from "./common/index.js";
+export * from "./cards/index.js";