fix: resolve CodeQL security-and-quality findings #354

Merged
graydawnc merged 1 commit into main from fix/codeql-security-quality
Jun 2, 2026

Conversation

@graydawnc
Collaborator

Clears the open CodeQL code-scanning alerts. Each change is a high-confidence true positive; the lower-value/false-positive alerts (title tag-stripping, internal-only binary-name lookups) were left alone.

Changes

  • redact (mask.ts) — internal-host mask now extracts the domain suffix with indexOf + a flat character-class check. The previous end-anchored, nested-quantifier regex backtracked quadratically on input like `.-.-.-.-`. Output is unchanged for real hostnames.
  • core (spool-prelude.ts) — stripSpoolSystemPrelude scans with indexOf instead of `/<open>[\s\S]*?<close>/g`, which backtracked quadratically when many unterminated open markers appeared. Behavior is identical for normal input; an unterminated marker is left intact.
  • app (snippet.ts) — search-snippet text is HTML-escaped before dangerouslySetInnerHTML, so only the <mark> highlight markers we inject become elements and indexed session content renders as inert text.
  • share-kit (source.ts) — decodeEntities now decodes `&amp;` last, so `&amp;lt;` resolves to the literal `&lt;` instead of being double-unescaped to `<`. The stats CJK character class drops the redundant Hiragana/Katakana sub-ranges (they sit inside U+3000–U+9FFF), removing the overlap warning with no change to what matches.
  • ci (e2e.yml) — added a minimal top-level permissions: contents: read block.
  • e2e fixtures/spec — removed two no-op identity .replace() calls.

Tests

  • Regression tests added for each logic change (snippet escaping, entity-decode order, CJK counting, internal-host masking + ReDoS timing guard, prelude stripping + ReDoS timing guard).
  • Suites run green: redact (135), core (383), share-kit (43), app renderer unit incl. the new snippet test.

- redact: rewrite the internal-host mask with indexOf + a flat char-class
  test; the previous end-anchored nested-quantifier regex backtracked
  quadratically on input like ".-.-.-.-".
- core: strip the spool-system-prelude marker via indexOf scanning instead
  of a `<open>[\s\S]*?<close>` regex, which backtracked quadratically on
  many unterminated open markers.
- app: HTML-escape search-snippet text before dangerouslySetInnerHTML so
  only the highlight markers we inject become elements; indexed session
  content is shown as inert text.
- share-kit: decode `&amp;` last in decodeEntities so `&amp;lt;` resolves to
  the literal `&lt;` rather than being double-unescaped; replace the
  overly-broad CJK character range with disjoint CJK/kana/hangul blocks.
- ci: add a minimal `contents: read` permissions block to the e2e workflow.
- test(e2e): drop two no-op identity `.replace()` calls.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
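The two ordering rules the snippet.ts and source.ts bullets describe (escape untrusted text before injecting the `<mark>` markers; decode `&amp;` last so `&amp;lt;` stays literal), as an added example that is not the project's code. `renderSnippet`, `escapeHtml` and the small entity table are hypothetical stand-ins for the real functions.

```typescript
// Added example, not the project's own code. Demonstrates why the order of
// escape/unescape steps matters when the result feeds dangerouslySetInnerHTML.

const ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

export function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Highlight `term` in `text`: the match is located on the raw text, every
// segment is escaped, and only the <mark> tags we add become elements.
export function renderSnippet(text: string, term: string): string {
  if (term === "") return escapeHtml(text);
  const hay = text.toLowerCase();
  const needle = term.toLowerCase();
  const out: string[] = [];
  let pos = 0;
  for (let i = hay.indexOf(needle, pos); i >= 0; i = hay.indexOf(needle, pos)) {
    out.push(escapeHtml(text.slice(pos, i)));
    out.push("<mark>", escapeHtml(text.slice(i, i + term.length)), "</mark>");
    pos = i + term.length;
  }
  out.push(escapeHtml(text.slice(pos)));
  return out.join("");
}

// Buggy ordering: "&amp;" is decoded first, so the "&" it produces is re-read
// by the later passes and "&amp;lt;" ends up as a real "<".
export function decodeEntitiesDoubleUnescape(s: string): string {
  return s.replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'");
}

// Fixed ordering: "&amp;" is decoded last, after every other entity pass, so
// the "&" it produces can never start another entity.
export function decodeEntities(s: string): string {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'").replace(/&amp;/g, "&");
}
```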
@graydawnc graydawnc added this pull request to the merge queue Jun 2, 2026
Merged via the queue into main with commit 4da2164 Jun 2, 2026
6 checks passed
@graydawnc graydawnc deleted the fix/codeql-security-quality branch June 2, 2026 15:30