fix: resolve two code-scanning alerts#29
Merged
Merged
Conversation
- ci.yml: add an explicit least-privilege `permissions: contents: read` block (alert: actions/missing-workflow-permissions). The workflow only builds and tests, so no write scopes are needed. - botwire-js client: replace the trailing-slash strip `/\/+$/` with a linear scan (alert: js/polynomial-redos). The regex backtracks quadratically on a long run of slashes in attacker-influenced endpoint input; behaviour is unchanged (29 SDK tests pass). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
adamy
added a commit
that referenced
this pull request
Jun 17, 2026
The AspNetCore embedded botwire.js was last built before the js/polynomial-redos fix in client.ts (#29) and so still shipped the vulnerable /\/+$/ strip. Rebuild from the fixed source so the bundled widget (and the 0.3.0 NuGet package) uses the linear helper. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Resolves both open code-scanning alerts. Pre-existing issues, unrelated to the Redis feature PR (#28), so split into their own branch off
main.Alert #1 —
actions/missing-workflow-permissions(medium).github/workflows/ci.yml had no
permissionsblock, soGITHUB_TOKENdefaulted to broad scopes. Added an explicit least-privilege block — the workflow only builds and tests:Alert #2 —
js/polynomial-redos(high)npm/botwire-js/src/client.ts:48 stripped trailing slashes with
/\/+$/, which backtracks quadratically on a long run of/in caller-influencedendpointinput (ReDoS). Replaced with a linear end-scan helper. Behaviour identical.Testing
botwire-js:npm run build(tsc) +npm test— 29 tests pass.🤖 Generated with Claude Code