fix: security audit remediation — 12 fixes, 20 tests (v0.13.1.0)#595
Open
…ICAL-02 + HIGH-03)
- Remove token from /health response (was leaked to any localhost process)
- Write .auth.json to extension dir for Manifest V3 bootstrap
- sidebar-agent reads token from state file via BROWSE_STATE_FILE env var
- Remove getToken handler from extension (token via health broadcast)
- Extension loads token before first health poll to prevent race condition

- Add Bearer token auth gate on all /cookie-picker/* data/action routes
- GET /cookie-picker HTML page stays unauthenticated (UI shell)
- Token embedded in served HTML for picker's fetch calls
- CORS preflight now allows Authorization header

- Add savedAt timestamp to state save output
- Warn on load if state file older than 7 days
- Auto-delete stale state files (>7 days) on server startup
- Warning about plaintext cookie storage in save message

- content.js: replace innerHTML with createElement/textContent for ref panel
- sidepanel.js: escape entry.command with escapeHtml() in activity feed
- Both found by security audit + Codex adversarial red team

- Always resolve to absolute path first (fixes relative path bypass)
- Use realpathSync to follow symlinks before boundary check
- Throw on non-ENOENT realpathSync failures (explicit over silent)
- Resolve SAFE_DIRECTORIES through realpathSync (macOS /tmp → /private/tmp)
- Resolve directory part for non-existent files (ENOENT with symlinked parent)

- Add POSIX-portable path resolution (cd + pwd -P, works on macOS)
- Fix prefix collision: /project-evil no longer matches /project freeze dir
- Use trailing slash in boundary check to require directory boundary

- gstack-config: validate keys (alphanumeric+underscore only)
- gstack-config: use grep -F (fixed string) instead of -E (regex)
- gstack-config: escape sed special chars in values, drop newlines
- gstack-telemetry-log: sanitize REPO_SLUG and BRANCH via json_safe()

- server-auth: verify token removed from /health, auth on /refs, /activity/*
- cookie-picker: auth required on data routes, HTML page unauthenticated
- path-validation: symlink bypass blocked, realpathSync failure throws
- gstack-config: regex key rejected, sed special chars preserved
- state-ttl: savedAt timestamp, 7-day TTL warning
- telemetry: branch/repo with quotes don't corrupt JSON
- adversarial: sidepanel escapes entry.command, freeze prefix collision
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
E2E Evals: ✅ PASS 8/8 tests passed | $.99 total cost | 12 parallel runners
12x ubicloud-standard-2 (Docker: pre-baked toolchain + deps) | wall clock ≈ slowest suite
Summary
Independent security audit found 10 issues (2 critical, 4 high, 4 medium). All fixed, plus 2 additional issues found by Codex adversarial red team. 4 AI review passes (2 outside voice + 2 adversarial from both Codex and Claude).
Auth hardening:
- Token removed from /health response. Extension bootstraps via .auth.json file
- Auth on /refs, /activity/stream, /activity/history
- getToken handler removed from extension

Data protection:
- state save

XSS prevention:
- content.js
- entry.command escaped with escapeHtml() in sidepanel.js (Codex adversarial finding)

Path validation:
- validateReadPath rewritten: always resolves to absolute, uses realpathSync, handles macOS /tmp symlink

Shell injection:
- gstack-config: key validation, grep -F, sed escaping, newline dropping
- gstack-telemetry-log: json_safe() on REPO_SLUG and BRANCH

Test Coverage
20 new security regression tests across 7 test files. All pass.
Pre-Landing Review
Eng review ran during planning (CLEAR). Pre-landing review via /ship.
Adversarial Review
4 passes: Codex outside voice + Claude outside voice + Codex adversarial + Claude adversarial. Codex adversarial found 2 additional issues (sidepanel XSS, freeze prefix collision) — both fixed.
Plan Completion
All 10 audit findings + 2 adversarial findings addressed. 20 tests written (plan specified 20).
Test plan
🤖 Generated with Claude Code