Skip to content

fix: resolve two code-scanning alerts#29

Merged
adamy merged 1 commit into
mainfrom
fix/code-scanning-alerts
Jun 17, 2026
Merged

fix: resolve two code-scanning alerts#29
adamy merged 1 commit into
mainfrom
fix/code-scanning-alerts

Conversation

@adamy

@adamy adamy commented Jun 17, 2026

Copy link
Copy Markdown
Owner

Resolves both open code-scanning alerts. Pre-existing issues, unrelated to the Redis feature PR (#28), so split into their own branch off main.

Alert #1actions/missing-workflow-permissions (medium)

.github/workflows/ci.yml had no permissions block, so GITHUB_TOKEN defaulted to broad scopes. Added an explicit least-privilege block — the workflow only builds and tests:

permissions:
  contents: read

Alert #2js/polynomial-redos (high)

npm/botwire-js/src/client.ts:48 stripped trailing slashes with /\/+$/, which backtracks quadratically on a long run of / in caller-influenced endpoint input (ReDoS). Replaced with a linear end-scan helper. Behaviour identical.

Testing

  • botwire-js: npm run build (tsc) + npm test — 29 tests pass.

🤖 Generated with Claude Code

- ci.yml: add an explicit least-privilege `permissions: contents: read`
  block (alert: actions/missing-workflow-permissions). The workflow only
  builds and tests, so no write scopes are needed.
- botwire-js client: replace the trailing-slash strip `/\/+$/` with a
  linear scan (alert: js/polynomial-redos). The regex backtracks
  quadratically on a long run of slashes in attacker-influenced endpoint
  input; behaviour is unchanged (29 SDK tests pass).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@adamy adamy merged commit 8287ecd into main Jun 17, 2026
5 checks passed
adamy added a commit that referenced this pull request Jun 17, 2026
The AspNetCore embedded botwire.js was last built before the
js/polynomial-redos fix in client.ts (#29) and so still shipped the
vulnerable /\/+$/ strip. Rebuild from the fixed source so the bundled
widget (and the 0.3.0 NuGet package) uses the linear helper.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@adamy adamy deleted the fix/code-scanning-alerts branch June 17, 2026 09:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant