Command injection (real fix): - which.ts: switch to array-args execa, remove shell:true - execFileNoThrowPortable/execSyncWrapper/imagePaste/execFileNoThrow: security comments Log injection: - handlers/mcp.tsx: security comments (secrets already redacted) ReDoS: - debugFilter.ts: split regex, add input length guard Sanitization bypass: - stripHtml.ts: loop-based script/style removal - claudemd.ts: loop-based HTML comment stripping - sedEditParser.ts: single-pass char scan replaces chained replaces - bingAdapter.ts: URL.hostname comparison instead of string includes Tests: 3068 pass, 0 fail |
||
|---|---|---|
| .. | ||
| @ant | ||
| acp-link | ||
| agent-tools | ||
| audio-capture-napi | ||
| builtin-tools | ||
| color-diff-napi | ||
| image-processor-napi | ||
| mcp-client | ||
| modifiers-napi | ||
| remote-control-server | ||
| url-handler-napi | ||
| weixin | ||
| tsconfig.json | ||