
fix: harden HTTP helper, dashboard server, and SSRF hook checks per review feedback#5

Merged
I4cTime merged 2 commits into feat/network-improvements from copilot/sub-pr-4 on Mar 23, 2026

Conversation


Copilot AI commented Mar 23, 2026

Addresses seven review findings from the initial hardening PR covering protocol validation, promise settlement, connection leak prevention, accessibility, and SSRF bypass vectors.

Changes

  • http-request.ts — protocol guard: Reject immediately for any non-http:/https: scheme instead of falling through to a confusing runtime error.

  • http-request.ts — Promise always settles: Added settled/fail guards with explicit res.on('error') and res.on('close') handlers; previously a mid-body TCP reset could leave the Promise pending indefinitely.

  • dashboard.ts — malformed URL → 400: new URL(req.url, …) now wrapped in try/catch; returns 400 Bad Request instead of crashing the server on invalid percent-encoding.

  • dashboard.ts — SSE connection leak: Slow-client removal (backpressure and error paths) now calls res.end() / res.destroy() so the socket is closed rather than left hanging with the browser stalled.

  • dashboard-html.ts — SVG accessibility: Added aria-hidden="true" focusable="false" to the decorative header SVG.

  • hooks.ts — IPv4-mapped IPv6 bypass: isPrivateIP() now normalises ::ffff:<ipv4> addresses (with a strict per-octet 0–255 regex) before checking, closing the SSRF bypass via e.g. ::ffff:127.0.0.1.

  • hooks.ts — DNS multi-address check: checkSSRF() uses lookup(hostname, { all: true }) and blocks if any returned A/AAAA record is private, preventing single-record selection bypass.
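
The two hooks.ts findings above, the IPv4-mapped IPv6 bypass and the all-records DNS check, written out as an added example. This is not code from this PR or from quantum_ring; the function names (`isPrivateIP`, `normalizeIPv4Mapped`, `privateAddressesIn`, `checkSSRF`), the injected `lookupAll` resolver and the `SAMPLE_DNS` records are all constructed for the example. `lookupAll` has the shape of `dns.promises.lookup(host, { all: true })`, so the same function runs against real DNS once that is passed in.

```javascript
// Added example, not quantum_ring's own hooks.ts: outbound-hook SSRF checks covering
// the two hooks.ts findings above, the IPv4-mapped IPv6 bypass and the all-records DNS
// check. lookupAll is an injected resolver (an assumption for this example) with the
// shape of dns.promises.lookup(host, { all: true }): it resolves to an array of
// { address, family } records.

const OCTET = '(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)'; // strict 0-255, no leading zeros
const IPV4_RE = new RegExp(`^${OCTET}(?:\\.${OCTET}){3}$`);
// RFC 4291 IPv4-mapped form ::ffff:a.b.c.d; the capture group is the embedded IPv4.
const IPV4_MAPPED_RE = new RegExp(`^::ffff:(${OCTET}(?:\\.${OCTET}){3})$`, 'i');

// Unwrap an IPv4-mapped IPv6 literal so the IPv4 ranges apply to it; anything that
// does not match strictly is returned unchanged (e.g. ::ffff:999.1.1.1).
function normalizeIPv4Mapped(ip) {
  const m = IPV4_MAPPED_RE.exec(ip.trim());
  return m ? m[1] : ip.trim();
}

function isPrivateIPv4(ip) {
  if (!IPV4_RE.test(ip)) return false;
  const [a, b] = ip.split('.').map(Number);
  return a === 0                          // 0.0.0.0/8 "this network"
    || a === 10                           // 10.0.0.0/8
    || a === 127                          // 127.0.0.0/8 loopback
    || (a === 169 && b === 254)           // 169.254.0.0/16 link-local (cloud metadata)
    || (a === 172 && b >= 16 && b <= 31)  // 172.16.0.0/12
    || (a === 192 && b === 168);          // 192.168.0.0/16
}

// Expects the canonical text dns.lookup returns; it does not expand every compressed
// IPv6 spelling (0:0:0:0:0:0:0:1 is not recognised as ::1), a known limitation here.
function isPrivateIPv6(ip) {
  const v = ip.toLowerCase();
  return v === '::1' || v === '::'
    || /^f[cd][0-9a-f]{2}:/.test(v)   // fc00::/7 unique local
    || /^fe[89ab][0-9a-f]:/.test(v);  // fe80::/10 link-local
}

function isPrivateIP(ip) {
  const addr = normalizeIPv4Mapped(ip.replace(/^\[|\]$/g, '')); // strip URL-style [ ]
  return addr.includes(':') ? isPrivateIPv6(addr) : isPrivateIPv4(addr);
}

// Every resolved address that falls in a private range. Blocking when ANY record is
// private defeats split answers where one A record is public and another internal.
function privateAddressesIn(records) {
  return records.map((r) => r.address).filter(isPrivateIP);
}

async function checkSSRF(hostname, lookupAll, { allowPrivate = false } = {}) {
  const host = hostname.replace(/^\[|\]$/g, '');
  if (allowPrivate) return { allowed: true, reason: 'private targets explicitly allowed' };
  if (isPrivateIP(host)) return { allowed: false, reason: `literal private address ${host}` };
  if (/^[\d.]+$/.test(host) && !IPV4_RE.test(host)) {
    return { allowed: false, reason: `malformed IPv4 literal ${host}` }; // e.g. 010.0.0.1
  }
  let records;
  try {
    records = await lookupAll(host);
  } catch (err) {
    return { allowed: false, reason: `DNS lookup failed: ${err.message}` };
  }
  if (records.length === 0) return { allowed: false, reason: 'no addresses resolved' };
  const bad = privateAddressesIn(records);
  if (bad.length > 0) return { allowed: false, reason: `resolves to private ${bad.join(', ')}` };
  return { allowed: true, reason: `all ${records.length} resolved records are public` };
}

// Constructed sample records (not real DNS data) standing in for
// dns.promises.lookup(host, { all: true }); 203.0.113.0/24 is the TEST-NET-3 range.
const SAMPLE_DNS = {
  'hooks.example.com': [{ address: '203.0.113.10', family: 4 }],
  'split.example.com': [{ address: '203.0.113.10', family: 4 }, { address: '10.0.0.5', family: 4 }],
  'mapped.example.com': [{ address: '::ffff:127.0.0.1', family: 6 }],
};
const sampleLookupAll = async (host) => SAMPLE_DNS[host] ?? [];

async function demo() {
  const targets = ['hooks.example.com', 'split.example.com', 'mapped.example.com',
    '::ffff:169.254.169.254', '[::1]', '010.0.0.1'];
  for (const target of targets) {
    const verdict = await checkSSRF(target, sampleLookupAll);
    console.log(target.padEnd(24), verdict.allowed ? 'ALLOW' : 'BLOCK', '-', verdict.reason);
  }
}

demo();
```

To run it against real DNS, pass `(h) => lookup(h, { all: true })` with `lookup` imported from `node:dns/promises`, and feed it `new URL(hookUrl).hostname`. One caveat the check alone does not cover: the HTTP client resolves the name again when it connects, so an answer that changes between the check and the connection is not caught by a pre-flight lookup; pinning the request to the address that was checked, for example through the request's own `lookup` option, closes that window.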



Copilot AI changed the title from "[WIP] Harden HTTP clients, dashboard server, and hook system" to "fix: harden HTTP helper, dashboard server, and SSRF hook checks per review feedback" on Mar 23, 2026
Copilot AI requested a review from I4cTime March 23, 2026 15:32
I4cTime marked this pull request as ready for review March 23, 2026 15:38
I4cTime merged commit 57670e5 into feat/network-improvements Mar 23, 2026
I4cTime deleted the copilot/sub-pr-4 branch March 23, 2026 15:38
I4cTime added a commit that referenced this pull request Mar 23, 2026
* feat: harden HTTP clients, dashboard server, and hook system

- Add shared HTTP helper (src/utils/http-request.ts) with timeout and
  64 KiB response body cap; refactor validate.ts and hooks.ts to use it
- Fix dashboard route matching to parse URL pathname (query strings no
  longer break /events and /api/status)
- Add SSE broadcast backpressure: drop destroyed or slow clients
- Block SSRF on HTTP hooks by default (private/loopback/link-local IP
  ranges); override with Q_RING_ALLOW_PRIVATE_HOOKS=1
- Remove unnecessary CORS wildcard headers from localhost dashboard
- Replace external Google Fonts and remote icon in dashboard HTML with
  system font stacks and inline SVG for full offline operation
- Document SSRF protection in README

Made-with: Cursor

* fix: harden HTTP helper, dashboard server, and SSRF hook checks per review feedback (#5)

* Initial plan

* fix: address all 7 review comments on HTTP helper, dashboard, and hooks

Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>
Agent-Logs-Url: https://github.com/I4cTime/quantum_ring/sessions/f98e4751-fde3-4773-832f-4daaafdb62be

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>
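
The shared HTTP helper the commit message above describes (per-request timeout plus a 64 KiB response body cap), together with the protocol guard and the always-settling Promise from this PR's description, written out as an added example. This is not quantum_ring's `src/utils/http-request.ts`; `httpGet`, `assertHttpUrl`, `settleOnce` and `createBodyCollector` are names assumed for the example, and the demo server and its responses are constructed so the file runs offline.

```javascript
// Added example (not quantum_ring's own src/utils/http-request.ts): a small HTTP GET
// helper showing the hardening points from the commit message above: http(s)-only
// protocol guard, per-request timeout, 64 KiB body cap, and a Promise that settles
// even when the socket dies mid-body. httpGet, settleOnce and createBodyCollector
// are names assumed for this example.

const MAX_BODY_BYTES = 64 * 1024;
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Protocol guard: reject malformed or non-http(s) URLs before any I/O happens.
function assertHttpUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    throw new Error(`invalid URL: ${rawUrl}`);
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    throw new Error(`unsupported protocol ${url.protocol}: only http: and https: are allowed`);
  }
  return url;
}

// Settle-once guard: the first of resolve/reject wins; later calls (for example
// 'close' arriving after 'end', or after 'error') are ignored.
function settleOnce(resolve, reject) {
  let outcome = null;
  return {
    get outcome() { return outcome; },
    resolve(value) { if (outcome === null) { outcome = 'resolved'; resolve(value); } },
    reject(err) { if (outcome === null) { outcome = 'rejected'; reject(err); } },
  };
}

// Body accumulator with a hard byte cap; push() returns false once the cap is exceeded.
function createBodyCollector(limit = MAX_BODY_BYTES) {
  const chunks = [];
  let size = 0;
  return {
    push(chunk) {
      size += chunk.length;
      if (size > limit) return false;
      chunks.push(chunk);
      return true;
    },
    get size() { return size; },
    text() { return Buffer.concat(chunks).toString('utf8'); },
  };
}

async function httpGet(rawUrl, { timeoutMs = 5000, maxBodyBytes = MAX_BODY_BYTES } = {}) {
  const url = assertHttpUrl(rawUrl);
  // Dynamic import so the file loads under both CommonJS and ESM.
  const client = await import(url.protocol === 'https:' ? 'node:https' : 'node:http');
  return new Promise((resolve, reject) => {
    const done = settleOnce(resolve, reject);
    const req = client.request(url, { method: 'GET' }, (res) => {
      const body = createBodyCollector(maxBodyBytes);
      res.on('data', (chunk) => {
        if (!body.push(chunk)) {
          done.reject(new Error(`response body exceeds ${maxBodyBytes} bytes`));
          res.destroy(); // stop reading and release the socket
        }
      });
      res.on('end', () => done.resolve({ status: res.statusCode, body: body.text() }));
      res.on('error', (err) => done.reject(err));
      // A mid-body TCP reset can emit 'close' with neither 'end' nor 'error';
      // without this handler the Promise would stay pending forever.
      res.on('close', () => done.reject(new Error('connection closed before the response completed')));
    });
    req.setTimeout(timeoutMs, () => req.destroy(new Error(`request timed out after ${timeoutMs} ms`)));
    req.on('error', (err) => done.reject(err));
    req.end();
  });
}

// Stand-alone demo against a local server with constructed responses (no external
// network): a 2-byte body that passes and a 100 KiB body that trips the cap.
async function demo() {
  const { createServer } = await import('node:http');
  const server = createServer((req, res) => res.end(req.url === '/big' ? 'x'.repeat(100 * 1024) : 'ok'));
  await new Promise((resolve, reject) => {
    server.once('error', reject);
    server.listen(0, '127.0.0.1', resolve);
  });
  const base = `http://127.0.0.1:${server.address().port}`;
  try {
    console.log('small:', await httpGet(`${base}/small`));
    await httpGet(`${base}/big`).catch((e) => console.log('big:', e.message));
    await httpGet('ftp://example.invalid/').catch((e) => console.log('ftp:', e.message));
  } finally {
    server.close();
  }
}

demo().catch((err) => console.error('demo did not run:', err.message));
```

The `'close'` handler is the part that matters for availability: `'end'` and `'error'` cover the normal and the reported-failure paths, but a reset mid-body can close the socket without either, and a caller awaiting the Promise would then hold its slot forever. Because `settleOnce` ignores the second settlement, the `'close'` that follows every normal `'end'` is harmless.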
I4cTime added a commit that referenced this pull request Mar 23, 2026
* feat(web): add Next.js site with deploy and CI workflows

Made-with: Cursor

* feat: harden HTTP clients, dashboard server, and hook system (#4)

* feat: harden HTTP clients, dashboard server, and hook system

- Add shared HTTP helper (src/utils/http-request.ts) with timeout and
  64 KiB response body cap; refactor validate.ts and hooks.ts to use it
- Fix dashboard route matching to parse URL pathname (query strings no
  longer break /events and /api/status)
- Add SSE broadcast backpressure: drop destroyed or slow clients
- Block SSRF on HTTP hooks by default (private/loopback/link-local IP
  ranges); override with Q_RING_ALLOW_PRIVATE_HOOKS=1
- Remove unnecessary CORS wildcard headers from localhost dashboard
- Replace external Google Fonts and remote icon in dashboard HTML with
  system font stacks and inline SVG for full offline operation
- Document SSRF protection in README

Made-with: Cursor

* fix: harden HTTP helper, dashboard server, and SSRF hook checks per review feedback (#5)

* Initial plan

* fix: address all 7 review comments on HTTP helper, dashboard, and hooks

Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>
Agent-Logs-Url: https://github.com/I4cTime/quantum_ring/sessions/f98e4751-fde3-4773-832f-4daaafdb62be

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>

* feat(web): Tailwind v4, motion, docs/changelog, mobile nav

- Add Tailwind CSS v4 with @theme tokens and PostCSS
- Add Framer Motion (motion) FadeIn, StaggerGroup, animated stats
- CopyableTerminal with copy buttons; remove RevealObserver
- Mobile nav with focus trap, Docs/Changelog routes
- Interactive Architecture tooltips and scroll targets
- Getting Started (/docs) and Changelog (/changelog) pages
- Skip link, main landmark, reduced-motion for WebGL

Made-with: Cursor

* chore: bump version to v0.4.1

Made-with: Cursor

* chore: bump version to v0.9.0

Made-with: Cursor

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>
I4cTime added a commit that referenced this pull request Mar 23, 2026
* feat(web): add Next.js site with deploy and CI workflows

Made-with: Cursor

* feat: harden HTTP clients, dashboard server, and hook system (#4)

* feat: harden HTTP clients, dashboard server, and hook system

- Add shared HTTP helper (src/utils/http-request.ts) with timeout and
  64 KiB response body cap; refactor validate.ts and hooks.ts to use it
- Fix dashboard route matching to parse URL pathname (query strings no
  longer break /events and /api/status)
- Add SSE broadcast backpressure: drop destroyed or slow clients
- Block SSRF on HTTP hooks by default (private/loopback/link-local IP
  ranges); override with Q_RING_ALLOW_PRIVATE_HOOKS=1
- Remove unnecessary CORS wildcard headers from localhost dashboard
- Replace external Google Fonts and remote icon in dashboard HTML with
  system font stacks and inline SVG for full offline operation
- Document SSRF protection in README

Made-with: Cursor

* fix: harden HTTP helper, dashboard server, and SSRF hook checks per review feedback (#5)

* Initial plan

* fix: address all 7 review comments on HTTP helper, dashboard, and hooks

Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>
Agent-Logs-Url: https://github.com/I4cTime/quantum_ring/sessions/f98e4751-fde3-4773-832f-4daaafdb62be

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>

* feat(web): Tailwind v4, motion, docs/changelog, mobile nav

- Add Tailwind CSS v4 with @theme tokens and PostCSS
- Add Framer Motion (motion) FadeIn, StaggerGroup, animated stats
- CopyableTerminal with copy buttons; remove RevealObserver
- Mobile nav with focus trap, Docs/Changelog routes
- Interactive Architecture tooltips and scroll targets
- Getting Started (/docs) and Changelog (/changelog) pages
- Skip link, main landmark, reduced-motion for WebGL

Made-with: Cursor

* chore: bump version to v0.4.1

Made-with: Cursor

* chore: bump version to v0.9.0

Made-with: Cursor

* docs: add missing Tier 4-6 features to CHANGELOG, web site, and MCP listings (#7)

The Tier 4-6 features (composite secrets, approvals, JIT provisioning,
exec/redaction, scanner, linter, agent memory, context, governance,
team/org scopes, rotation, CI validation, audit verify/export, analytics,
wizard, pre-commit hook) were shipped in v0.9.0 but never recorded in
the CHANGELOG or reflected on the landing site.

- CHANGELOG.md: consolidate 17 missing entries into [0.9.0]
- web/app/changelog/page.tsx: match CHANGELOG with full 0.9.0 entry
- web/components/McpSection.tsx: add 3 tool groups (15 tools), fix count 31→44
- web/components/Features.tsx: add 11 feature cards, update count 13→24
- web/components/Architecture.tsx: add 8 missing core modules
- web/components/Stats.tsx: remove Tiers/Platforms cards, keep MCP Tools + Features

Made-with: Cursor

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>
I4cTime added a commit that referenced this pull request Mar 23, 2026
* feat(web): add Next.js site with deploy and CI workflows

Made-with: Cursor

* feat: harden HTTP clients, dashboard server, and hook system (#4)

* feat: harden HTTP clients, dashboard server, and hook system

- Add shared HTTP helper (src/utils/http-request.ts) with timeout and
  64 KiB response body cap; refactor validate.ts and hooks.ts to use it
- Fix dashboard route matching to parse URL pathname (query strings no
  longer break /events and /api/status)
- Add SSE broadcast backpressure: drop destroyed or slow clients
- Block SSRF on HTTP hooks by default (private/loopback/link-local IP
  ranges); override with Q_RING_ALLOW_PRIVATE_HOOKS=1
- Remove unnecessary CORS wildcard headers from localhost dashboard
- Replace external Google Fonts and remote icon in dashboard HTML with
  system font stacks and inline SVG for full offline operation
- Document SSRF protection in README

Made-with: Cursor

* fix: harden HTTP helper, dashboard server, and SSRF hook checks per review feedback (#5)

* Initial plan

* fix: address all 7 review comments on HTTP helper, dashboard, and hooks

Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>
Agent-Logs-Url: https://github.com/I4cTime/quantum_ring/sessions/f98e4751-fde3-4773-832f-4daaafdb62be

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>

* feat(web): Tailwind v4, motion, docs/changelog, mobile nav

- Add Tailwind CSS v4 with @theme tokens and PostCSS
- Add Framer Motion (motion) FadeIn, StaggerGroup, animated stats
- CopyableTerminal with copy buttons; remove RevealObserver
- Mobile nav with focus trap, Docs/Changelog routes
- Interactive Architecture tooltips and scroll targets
- Getting Started (/docs) and Changelog (/changelog) pages
- Skip link, main landmark, reduced-motion for WebGL

Made-with: Cursor

* chore: bump version to v0.4.1

Made-with: Cursor

* chore: bump version to v0.9.0

Made-with: Cursor

* docs: add missing Tier 4-6 features to CHANGELOG, web site, and MCP listings (#7)

The Tier 4-6 features (composite secrets, approvals, JIT provisioning,
exec/redaction, scanner, linter, agent memory, context, governance,
team/org scopes, rotation, CI validation, audit verify/export, analytics,
wizard, pre-commit hook) were shipped in v0.9.0 but never recorded in
the CHANGELOG or reflected on the landing site.

- CHANGELOG.md: consolidate 17 missing entries into [0.9.0]
- web/app/changelog/page.tsx: match CHANGELOG with full 0.9.0 entry
- web/components/McpSection.tsx: add 3 tool groups (15 tools), fix count 31→44
- web/components/Features.tsx: add 11 feature cards, update count 13→24
- web/components/Architecture.tsx: add 8 missing core modules
- web/components/Stats.tsx: remove Tiers/Platforms cards, keep MCP Tools + Features

Made-with: Cursor

* chore: bump version to v0.9.1

Made-with: Cursor

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: I4cTime <24039758+I4cTime@users.noreply.github.com>
I4cTime added a commit that referenced this pull request Mar 26, 2026
- Single-pass regex replacer in parseDotenv() prevents double-unescape
  of backslash sequences (CodeQL js/double-escaping alert #14)
- Add picomatch >=4.0.4 override to web/package.json (Dependabot #3, #5)
- Remove stale package-lock.json + add to .gitignore (Dependabot #2)
- Add 8 parseDotenv unit tests covering escape edge cases

Made-with: Cursor
I4cTime added a commit that referenced this pull request Mar 26, 2026
- Single-pass regex replacer in parseDotenv() prevents double-unescape
  of backslash sequences (CodeQL js/double-escaping alert #14)
- Add picomatch >=4.0.4 override to web/package.json (Dependabot #3, #5)
- Remove stale package-lock.json + add to .gitignore (Dependabot #2)
- Add 8 parseDotenv unit tests covering escape edge cases

Made-with: Cursor
I4cTime added a commit that referenced this pull request Mar 26, 2026
* Add Vitest test suite and Homebrew tap automation (#30)

- Install vitest, add test/test:ci scripts and vitest.config.ts
- 125 tests across 17 files covering core modules, CLI, and MCP
- Add test step to CI workflow
- Create update-homebrew.yml to auto-update I4cTime/homebrew-tap on release

Made-with: Cursor

* chore: bump version to v0.9.4 (#31)

Made-with: Cursor

* feat: Cursor marketplace plugin + Homebrew/plugin docs (#33)

* feat: add Cursor marketplace plugin and update README/web with Homebrew + plugin info

- Create cursor-plugin/ with plugin.json manifest, 3 rules, 4 skills,
  2 agents, 5 commands, hooks.json, .mcp.json, and README
- Add .cursor-plugin/marketplace.json at repo root for monorepo discovery
- Update README.md with Homebrew install option and Cursor Plugin section
- Add Homebrew tab to web Hero and docs install commands
- Create CursorPlugin.tsx homepage section component
- Add Plugin nav link, update Footer version to v0.9.4
- Add Cursor Plugin step to docs page
- Remove beforeShellExecution hook (causes circular block with Cursor metadata)

Made-with: Cursor

* fix: resolve picomatch audit + update changelogs for v0.9.5

- Add pnpm override for picomatch >=4.0.4 (ReDoS + method injection)
- Add v0.9.5 entry to CHANGELOG.md (Cursor plugin, Homebrew docs, audit fix)
- Sync web changelog with v0.9.2–v0.9.5 entries

Made-with: Cursor

* chore: bump version to v0.9.5

Made-with: Cursor

* fix: resolve double-escaping vulnerability and picomatch alerts (#35)

- Single-pass regex replacer in parseDotenv() prevents double-unescape
  of backslash sequences (CodeQL js/double-escaping alert #14)
- Add picomatch >=4.0.4 override to web/package.json (Dependabot #3, #5)
- Remove stale package-lock.json + add to .gitignore (Dependabot #2)
- Add 8 parseDotenv unit tests covering escape edge cases

Made-with: Cursor

* chore: bump version to v0.9.6

Made-with: Cursor
I4cTime added a commit that referenced this pull request Mar 26, 2026
* Add Vitest test suite and Homebrew tap automation (#30)

- Install vitest, add test/test:ci scripts and vitest.config.ts
- 125 tests across 17 files covering core modules, CLI, and MCP
- Add test step to CI workflow
- Create update-homebrew.yml to auto-update I4cTime/homebrew-tap on release

Made-with: Cursor

* chore: bump version to v0.9.4 (#31)

Made-with: Cursor

* feat: Cursor marketplace plugin + Homebrew/plugin docs (#33)

* feat: add Cursor marketplace plugin and update README/web with Homebrew + plugin info

- Create cursor-plugin/ with plugin.json manifest, 3 rules, 4 skills,
  2 agents, 5 commands, hooks.json, .mcp.json, and README
- Add .cursor-plugin/marketplace.json at repo root for monorepo discovery
- Update README.md with Homebrew install option and Cursor Plugin section
- Add Homebrew tab to web Hero and docs install commands
- Create CursorPlugin.tsx homepage section component
- Add Plugin nav link, update Footer version to v0.9.4
- Add Cursor Plugin step to docs page
- Remove beforeShellExecution hook (causes circular block with Cursor metadata)

Made-with: Cursor

* fix: resolve picomatch audit + update changelogs for v0.9.5

- Add pnpm override for picomatch >=4.0.4 (ReDoS + method injection)
- Add v0.9.5 entry to CHANGELOG.md (Cursor plugin, Homebrew docs, audit fix)
- Sync web changelog with v0.9.2–v0.9.5 entries

Made-with: Cursor

* chore: bump version to v0.9.5

Made-with: Cursor

* fix: resolve double-escaping vulnerability and picomatch alerts (#35)

- Single-pass regex replacer in parseDotenv() prevents double-unescape
  of backslash sequences (CodeQL js/double-escaping alert #14)
- Add picomatch >=4.0.4 override to web/package.json (Dependabot #3, #5)
- Remove stale package-lock.json + add to .gitignore (Dependabot #2)
- Add 8 parseDotenv unit tests covering escape edge cases

Made-with: Cursor

* chore: bump version to v0.9.6

Made-with: Cursor

* fix: nav anchor links now route back to homepage from /docs and /changelog (#37)

Replace plain <a> tags with Next.js <Link> for all nav items so /#hash
links perform client-side navigation to / before scrolling to the target
section, instead of looking for anchors on the current page.

Made-with: Cursor

* chore: bump version to v0.9.7

Made-with: Cursor
I4cTime added a commit that referenced this pull request Mar 28, 2026
* Add Vitest test suite and Homebrew tap automation (#30)

- Install vitest, add test/test:ci scripts and vitest.config.ts
- 125 tests across 17 files covering core modules, CLI, and MCP
- Add test step to CI workflow
- Create update-homebrew.yml to auto-update I4cTime/homebrew-tap on release

Made-with: Cursor

* chore: bump version to v0.9.4 (#31)

Made-with: Cursor

* feat: Cursor marketplace plugin + Homebrew/plugin docs (#33)

* feat: add Cursor marketplace plugin and update README/web with Homebrew + plugin info

- Create cursor-plugin/ with plugin.json manifest, 3 rules, 4 skills,
  2 agents, 5 commands, hooks.json, .mcp.json, and README
- Add .cursor-plugin/marketplace.json at repo root for monorepo discovery
- Update README.md with Homebrew install option and Cursor Plugin section
- Add Homebrew tab to web Hero and docs install commands
- Create CursorPlugin.tsx homepage section component
- Add Plugin nav link, update Footer version to v0.9.4
- Add Cursor Plugin step to docs page
- Remove beforeShellExecution hook (causes circular block with Cursor metadata)

Made-with: Cursor

* fix: resolve picomatch audit + update changelogs for v0.9.5

- Add pnpm override for picomatch >=4.0.4 (ReDoS + method injection)
- Add v0.9.5 entry to CHANGELOG.md (Cursor plugin, Homebrew docs, audit fix)
- Sync web changelog with v0.9.2–v0.9.5 entries

Made-with: Cursor

* chore: bump version to v0.9.5

Made-with: Cursor

* fix: resolve double-escaping vulnerability and picomatch alerts (#35)

- Single-pass regex replacer in parseDotenv() prevents double-unescape
  of backslash sequences (CodeQL js/double-escaping alert #14)
- Add picomatch >=4.0.4 override to web/package.json (Dependabot #3, #5)
- Remove stale package-lock.json + add to .gitignore (Dependabot #2)
- Add 8 parseDotenv unit tests covering escape edge cases

Made-with: Cursor

* chore: bump version to v0.9.6

Made-with: Cursor

* fix: nav anchor links now route back to homepage from /docs and /changelog (#37)

Replace plain <a> tags with Next.js <Link> for all nav items so /#hash
links perform client-side navigation to / before scrolling to the target
section, instead of looking for anchors on the current page.

Made-with: Cursor

* chore: bump version to v0.9.7

Made-with: Cursor

* OWASP Full Remediation — v0.9.8 Security Release (#39)

* security: OWASP full remediation for v0.9.8

- Extract SSRF guard into shared src/core/ssrf.ts, apply to validate.ts and provision.ts
- Fix shell injection in hooks.ts: spawn("pgrep") replaces exec("pgrep -f ...")
- Fix dashboard XSS: escape e.action in renderAudit
- Enforce checkKeyReadPolicy on listSecrets, exportSecrets, hasSecret, deleteSecret, getEnvelope
- Replace Math.random with crypto.randomBytes for tunnel IDs
- Store memory encryption key in OS keyring with legacy migration/fallback
- Escape regex metacharacters in glob-to-regex (server.ts, hooks.ts)
- Use word-boundary regex for exec profile denyCommands
- Add path-to-regexp and brace-expansion pnpm overrides
- Add CSP meta tag to web layout
- Add SSRF test suite (12 tests) and tunnel ID uniqueness test
- Version bump to 0.9.8, update CHANGELOG and web changelog

Made-with: Cursor

* fix: remove brace-expansion override — incompatible with minimatch@3 API

brace-expansion v5 breaks minimatch@3.1.5 (used by ESLint) which expects
the v1.x API. This is an upstream transitive dependency that cannot be
overridden without breaking the linter.

Made-with: Cursor
I4cTime added a commit that referenced this pull request Apr 9, 2026
* Add Vitest test suite and Homebrew tap automation (#30)

- Install vitest, add test/test:ci scripts and vitest.config.ts
- 125 tests across 17 files covering core modules, CLI, and MCP
- Add test step to CI workflow
- Create update-homebrew.yml to auto-update I4cTime/homebrew-tap on release

Made-with: Cursor

* chore: bump version to v0.9.4 (#31)

Made-with: Cursor

* feat: Cursor marketplace plugin + Homebrew/plugin docs (#33)

* feat: add Cursor marketplace plugin and update README/web with Homebrew + plugin info

- Create cursor-plugin/ with plugin.json manifest, 3 rules, 4 skills,
  2 agents, 5 commands, hooks.json, .mcp.json, and README
- Add .cursor-plugin/marketplace.json at repo root for monorepo discovery
- Update README.md with Homebrew install option and Cursor Plugin section
- Add Homebrew tab to web Hero and docs install commands
- Create CursorPlugin.tsx homepage section component
- Add Plugin nav link, update Footer version to v0.9.4
- Add Cursor Plugin step to docs page
- Remove beforeShellExecution hook (causes circular block with Cursor metadata)

Made-with: Cursor

* fix: resolve picomatch audit + update changelogs for v0.9.5

- Add pnpm override for picomatch >=4.0.4 (ReDoS + method injection)
- Add v0.9.5 entry to CHANGELOG.md (Cursor plugin, Homebrew docs, audit fix)
- Sync web changelog with v0.9.2–v0.9.5 entries

Made-with: Cursor

* chore: bump version to v0.9.5

Made-with: Cursor

* fix: resolve double-escaping vulnerability and picomatch alerts (#35)

- Single-pass regex replacer in parseDotenv() prevents double-unescape
  of backslash sequences (CodeQL js/double-escaping alert #14)
- Add picomatch >=4.0.4 override to web/package.json (Dependabot #3, #5)
- Remove stale package-lock.json + add to .gitignore (Dependabot #2)
- Add 8 parseDotenv unit tests covering escape edge cases

Made-with: Cursor

* chore: bump version to v0.9.6

Made-with: Cursor

* fix: nav anchor links now route back to homepage from /docs and /changelog (#37)

Replace plain <a> tags with Next.js <Link> for all nav items so /#hash
links perform client-side navigation to / before scrolling to the target
section, instead of looking for anchors on the current page.

Made-with: Cursor

* chore: bump version to v0.9.7

Made-with: Cursor

* OWASP Full Remediation — v0.9.8 Security Release (#39)

* security: OWASP full remediation for v0.9.8

- Extract SSRF guard into shared src/core/ssrf.ts, apply to validate.ts and provision.ts
- Fix shell injection in hooks.ts: spawn("pgrep") replaces exec("pgrep -f ...")
- Fix dashboard XSS: escape e.action in renderAudit
- Enforce checkKeyReadPolicy on listSecrets, exportSecrets, hasSecret, deleteSecret, getEnvelope
- Replace Math.random with crypto.randomBytes for tunnel IDs
- Store memory encryption key in OS keyring with legacy migration/fallback
- Escape regex metacharacters in glob-to-regex (server.ts, hooks.ts)
- Use word-boundary regex for exec profile denyCommands
- Add path-to-regexp and brace-expansion pnpm overrides
- Add CSP meta tag to web layout
- Add SSRF test suite (12 tests) and tunnel ID uniqueness test
- Version bump to 0.9.8, update CHANGELOG and web changelog

Made-with: Cursor

* fix: remove brace-expansion override — incompatible with minimatch@3 API

brace-expansion v5 breaks minimatch@3.1.5 (used by ESLint) which expects
the v1.x API. This is an upstream transitive dependency that cannot be
overridden without breaking the linter.

Made-with: Cursor

* security: fix hono, @hono/node-server, and vite vulnerabilities (#41)

Add pnpm overrides to resolve 9 Dependabot alerts:
- hono >=4.12.12 (5 medium: cookie bypass, IP matching, serveStatic
  traversal, toSSG path traversal)
- @hono/node-server >=1.19.13 (1 medium: serveStatic bypass)
- vite >=8.0.5 (2 high: fs.deny bypass, WebSocket file read;
  1 medium: optimized deps .map traversal)

All are transitive dependencies (hono via @modelcontextprotocol/sdk,
vite via vitest). Fresh lockfile regenerated.

Made-with: Cursor

* chore: bump version to v0.9.9 (#42)

Security patch release — hono, @hono/node-server, and vite pnpm
overrides to resolve 9 Dependabot alerts.

Made-with: Cursor