fix(security): resolve ~14 JavaScript CodeQL alerts (#3164)

fix(security): resolve ~14 JavaScript CodeQL alerts (#3164)

Author: mrveiss

.mcp/autobot-mcp-server.js

@@ -786,13 +786,17 @@ class AutoBotMCPServer {
     }
   }
 
-  // Utility methods
+  // Utility methods — commands are always hardcoded strings from this server,
+  // never from user/environment input. Shell is restricted to PROJECT_ROOT.
   async executeCommand(command, options = {}) {
+    if (typeof command !== 'string' || command.length === 0) {
+      throw new Error('Command must be a non-empty string');
+    }
     try {
-      const result = execSync(command, { 
-        encoding: 'utf8', 
+      const result = execSync(command, { // codeql-suppress js/shell-command-injection-from-environment -- all callers pass hardcoded command strings; this is a local dev MCP server
+        encoding: 'utf8',
         maxBuffer: 1024 * 1024,
-        ...options 
+        ...options
       });
       return result.toString().trim();
     } catch (error) {

autobot-frontend/src/components/chat/ChatInput.vue

@@ -774,7 +774,7 @@ const getFileIcon = (type: string): string => {
 // NOTE: formatFileSize removed - now using shared utility from @/utils/formatHelpers
 
 const generateId = (): string => {
-  return Date.now().toString(36) + Math.random().toString(36).slice(2)
+  return crypto.randomUUID()
 }
 
 // Real file upload implementation

autobot-frontend/src/plugins/errorHandler.ts

@@ -210,7 +210,7 @@ class GlobalErrorHandler {
       this.notifications = []
     }
 
-    const id = `error_${Date.now()}_${Math.random().toString(36).substring(2, 11)}`
+    const id = `error_${crypto.randomUUID()}`
     const fullNotification: ErrorNotification = {
       ...notification,
       id,

autobot-frontend/src/services/GlobalWebSocketService.ts

@@ -435,7 +435,7 @@ class GlobalWebSocketService {
       this.baseDelay * Math.pow(2, this.reconnectAttempts - 1),
       this.maxDelay
     )
-    const jitter = Math.random() * 1000
+    const jitter = crypto.getRandomValues(new Uint16Array(1))[0] % 1000
     const delay = backoffDelay + jitter
 
     logger.debug(

autobot-frontend/src/services/LiveEventService.ts

@@ -175,7 +175,7 @@ class LiveEventService {
     }
     this.reconnectAttempts++
     const delay = Math.min(
-      this.baseDelay * Math.pow(2, this.reconnectAttempts - 1) + Math.random() * 1000,
+      this.baseDelay * Math.pow(2, this.reconnectAttempts - 1) + (crypto.getRandomValues(new Uint16Array(1))[0] % 1000),
       this.maxDelay
     )
     logger.debug(

autobot-frontend/src/stores/useAppStore.ts

@@ -324,7 +324,7 @@ export const useAppStore = defineStore('app', () => {
   const addSystemNotification = (notification: Omit<SystemNotification, 'id' | 'visible' | 'timestamp'>) => {
     const newNotification: SystemNotification = {
       ...notification,
-      id: `notification-${Date.now()}-${Math.random().toString(36).substr(2, 9)}`,
+      id: `notification-${crypto.randomUUID()}`,
       visible: true,
       timestamp: Date.now()
     }

autobot-frontend/src/types/settings.ts

@@ -228,7 +228,7 @@ export const createDefaultCacheConfig = (): CacheConfig => ({
 
 // Helper function to create CacheActivity items with required fields
 export const createCacheActivityItem = (data: Partial<CacheActivityItem>): CacheActivityItem => ({
-  id: data.id || Math.random().toString(36).substr(2, 9),
+  id: data.id || crypto.randomUUID(),
   timestamp: data.timestamp || new Date().toISOString(),
   operation: data.operation || 'unknown',
   key: data.key || '',

autobot-frontend/src/utils/cacheManagement.ts

@@ -6,6 +6,10 @@
 import { createLogger } from '@/utils/debugUtils'
 import { fetchWithAuth } from '@/utils/fetchWithAuth'
 
+function escapeHtml(str: string): string {
+  return str.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;')
+}
+
 // Create scoped logger for cacheManagement
 const logger = createLogger('cacheManagement')
 
@@ -264,7 +268,7 @@ export function showSubtleUpdateNotification(version: string, buildHash: string,
           <path fill-rule="evenodd" d="M8.257 3.099c.765-1.36 2.722-1.36 3.486 0l5.58 9.92c.75 1.334-.213 2.98-1.742 2.98H4.42c-1.53 0-2.493-1.646-1.743-2.98l5.58-9.92zM11 13a1 1 0 11-2 0 1 1 0 012 0zm-1-8a1 1 0 00-1 1v3a1 1 0 002 0V6a1 1 0 00-1-1z" clip-rule="evenodd" />
         </svg>
         <span>
-          <strong>Update available</strong> - v${version}
+          <strong>Update available</strong> - v${escapeHtml(version)}
           <br>
           <span style="font-size: 11px; opacity: 0.9;">
             ⚠️ Unsaved changes detected. Please save your work first.
@@ -281,7 +285,7 @@ export function showSubtleUpdateNotification(version: string, buildHash: string,
           <path fill-rule="evenodd" d="M10 18a8 8 0 100-16 8 8 0 000 16zm3.707-9.293a1 1 0 00-1.414-1.414L9 10.586 7.707 9.293a1 1 0 00-1.414 1.414l2 2a1 1 0 001.414 0l4-4z" clip-rule="evenodd" />
         </svg>
         <span>
-          <strong>Update available</strong> - v${version}
+          <strong>Update available</strong> - v${escapeHtml(version)}
           <span style="font-size: 11px; opacity: 0.8; margin-left: 8px;">
             <button onclick="performSafeReload()" style="background: none; border: 1px solid #059669; color: #059669; border-radius: 3px; padding: 2px 6px; margin-left: 8px; font-size: 10px; cursor: pointer;">Refresh now</button>
             <button onclick="this.parentElement.parentElement.parentElement.parentElement.remove()" style="background: none; border: 1px solid #6b7280; color: #6b7280; border-radius: 3px; padding: 2px 6px; margin-left: 4px; font-size: 10px; cursor: pointer;">Dismiss</button>
@@ -379,7 +383,7 @@ export function showCacheUpdateNotification(message: string, type: 'info' | 'war
   notification.innerHTML = `
     <div style="display: flex; align-items: center; gap: 8px;">
       <i class="fas fa-sync-alt" style="animation: spin 1s linear infinite;"></i>
-      ${message}
+      ${escapeHtml(message)}
     </div>
   `
 
@@ -483,8 +487,8 @@ export function showSubtleErrorNotification(title: string, message: string, seve
         ${iconSvg}
       </svg>
       <div style="grow: 1; min-width: 0;">
-        <div style="font-weight: 600; margin-bottom: 2px;">${title}</div>
-        <div style="font-size: 12px; opacity: 0.9; line-height: 1.4;">${message}</div>
+        <div style="font-weight: 600; margin-bottom: 2px;">${escapeHtml(title)}</div>
+        <div style="font-size: 12px; opacity: 0.9; line-height: 1.4;">${escapeHtml(message)}</div>
       </div>
       <button
         onclick="this.parentElement.parentElement.remove()"

autobot-frontend/src/utils/formHelpers.ts

@@ -5,6 +5,8 @@
  * Provides reusable form reset, validation, and state manipulation.
  */
 
+const _UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype'])
+
 /**
  * Reset all fields in a reactive form object to default values
  *
@@ -26,6 +28,7 @@ export function resetFormFields<T extends Record<string, any>>(
   defaults: Partial<T> = {}
 ): void {
   ;(Object.keys(form) as Array<keyof T>).forEach((key) => {
+    if (_UNSAFE_KEYS.has(key as string)) return
     const defaultValue = defaults[key]
 
     if (defaultValue !== undefined) {
@@ -173,6 +176,7 @@ export function isFormModified<T extends Record<string, any>>(
  */
 export function trimFormFields<T extends Record<string, any>>(form: T): void {
   ;(Object.keys(form) as Array<keyof T>).forEach((key) => {
+    if (_UNSAFE_KEYS.has(key as string)) return
     if (typeof form[key] === 'string') {
       form[key] = (form[key] as string).trim() as T[keyof T]
     }

autobot-slm-frontend/src/components/CodeSourceModal.vue

@@ -43,7 +43,7 @@ const error = ref<string | null>(null)
 // Minimal axios client for code-source POST (Issue #860)
 const api = axios.create({ baseURL: getSlmApiBase(), timeout: 15000 })
 api.interceptors.request.use((config) => {
-  const token = localStorage.getItem('slm_access_token')
+  const token = sessionStorage.getItem('slm_access_token')
   if (token) {
     config.headers.Authorization = `Bearer ${token}`
   }