fixes #100168

extensions/extension-editing/src/extensionLinter.ts

@@ -16,6 +16,11 @@ import { languages, workspace, Disposable, TextDocument, Uri, Diagnostic, Range,
 
 const product = JSON.parse(fs.readFileSync(path.join(env.appRoot, 'product.json'), { encoding: 'utf-8' }));
 const allowedBadgeProviders: string[] = (product.extensionAllowedBadgeProviders || []).map((s: string) => s.toLowerCase());
+const allowedBadgeProvidersRegex: RegExp[] = (product.extensionAllowedBadgeProvidersRegex || []).map((r: string) => new RegExp(r));
+
+function isTrustedSVGSource(uri: Uri): boolean {
+	return allowedBadgeProviders.includes(uri.authority.toLowerCase()) || allowedBadgeProvidersRegex.some(r => r.test(uri.toString()));
+}
 
 const httpsRequired = localize('httpsRequired', "Images must use the HTTPS protocol.");
 const svgsNotValid = localize('svgsNotValid', "SVGs are not a valid image source.");
@@ -321,7 +326,7 @@ export class ExtensionLinter {
 			diagnostics.push(new Diagnostic(range, message, DiagnosticSeverity.Warning));
 		}
 
-		if (endsWith(uri.path.toLowerCase(), '.svg') && allowedBadgeProviders.indexOf(uri.authority.toLowerCase()) === -1) {
+		if (endsWith(uri.path.toLowerCase(), '.svg') && !isTrustedSVGSource(uri)) {
 			const range = new Range(document.positionAt(begin), document.positionAt(end));
 			diagnostics.push(new Diagnostic(range, svgsNotValid, DiagnosticSeverity.Warning));
 		}

package.json

@@ -1,7 +1,7 @@
 {
   "name": "code-oss-dev",
   "version": "1.47.0",
-  "distro": "4eca5644666fe6fde9d765e71d0ca870f3c076a6",
+  "distro": "6ddb25a97095c2b3a88c3e54cbf7c4657c5bdf4d",
   "author": {
     "name": "Microsoft Corporation"
   },
@@ -181,4 +181,4 @@
     "windows-mutex": "0.3.0",
     "windows-process-tree": "0.2.4"
   }
-}
+}