James Feng
|
70bc47eadc
|
fix(security): Phase 4 — fix remaining reachable CodeQL alerts
Command injection (real fix):
- which.ts: switch to array-args execa, remove shell:true
- execFileNoThrowPortable/execSyncWrapper/imagePaste/execFileNoThrow: security comments
Log injection:
- handlers/mcp.tsx: security comments (secrets already redacted)
ReDoS:
- debugFilter.ts: split regex, add input length guard
Sanitization bypass:
- stripHtml.ts: loop-based script/style removal
- claudemd.ts: loop-based HTML comment stripping
- sedEditParser.ts: single-pass char scan replaces chained replaces
- bingAdapter.ts: URL.hostname comparison instead of string includes
Tests: 3068 pass, 0 fail
|
2026-06-03 19:51:17 +08:00 |
|