fix: Fix 8 CodeQL security vulnerabilities #262
Merged
sdk-kr merged 4 commits on Mar 6, 2026
Conversation
- content-transform: remove nested tags, convert video URLs
- html-entity-decode: prevent double unescaping, prevent XSS
- url-hostname-validation: block substring-based domain spoofing

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- #69, #70 Double escaping: single-pass entity decoding (amazon, kkday)
- #66, #67, #68 URL substring sanitization: parse and validate the hostname (coupang, aliexpress)
- #71, #65 Incomplete multi-char sanitization: single-pass decoding (new-posts, activity)
- #63 Incomplete tag stripping: loop-until-stable approach (content-transform)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Resolve conflict in content-transform.test.ts: merge both the code-block tests from main and the security tests from the PR branch
sdk-kr pushed a commit that referenced this pull request on Mar 7, 2026
## Summary

- Fixed 8 security vulnerabilities detected by CodeQL Code Scanning
- Added 39 unit tests to verify the fixes (all 181 vitest tests pass)

## Fixes

| Alert | Rule | File | Fix |
|-------|------|------|-----|
| [69](https://github.com/damoang/angple/security/code-scanning/69), [70](https://github.com/damoang/angple/security/code-scanning/70) | Double escaping | amazon.ts, kkday.ts | chained `.replace()` → single-pass regex |
| [66](https://github.com/damoang/angple/security/code-scanning/66), [67](https://github.com/damoang/angple/security/code-scanning/67), [68](https://github.com/damoang/angple/security/code-scanning/68) | Incomplete URL substring sanitization | coupang.ts, aliexpress.ts | `.includes()` → `new URL()` hostname check |
| [71](https://github.com/damoang/angple/security/code-scanning/71), [65](https://github.com/damoang/angple/security/code-scanning/65) | Incomplete multi-character sanitization | new-posts.ts, activity/+server.ts | chained entity decoding → single pass |
| [63](https://github.com/damoang/angple/security/code-scanning/63) | Incomplete multi-character sanitization | content-transform.ts | tag stripping loop-until-stable |

## Unresolved (Trivy, 4 alerts)

- Alerts 72 to 75: vulnerabilities in npm packages (`tar`, `minimatch`) bundled in the Docker base image
- Not patched yet even in the latest `node:lts-alpine`; waiting for an upstream npm release

## Test plan

- [x] `pnpm vitest run --project server` passes (181/181)
- [ ] Confirm the alerts are cleared by a CodeQL re-scan

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Deploy Bot <deploy@damoang.net>
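The three fix patterns in the table above (chained entity decoding → single pass, `.includes()` → parsed hostname, single-pass tag stripping → loop-until-stable), as an added example written for this page. It is not the angple project's code and assumes nothing about the real `amazon.ts`, `coupang.ts` or `content-transform.ts`; the function names, the `allowed` domain list and every input are constructed for illustration, and each naive form is shown next to its hardened form so the bypass CodeQL is warning about is visible.

```typescript
// Added example, not the angple project's own code. Every input is constructed.

// --- 1. HTML entity decoding: chained replace vs single pass ---------------

// Naive: each .replace() runs over the output of the previous one, so the
// doubly-encoded "&amp;lt;" becomes "&lt;" and then "<" (CodeQL: double escaping).
export function decodeEntitiesChained(s: string): string {
  return s
    .replace(/&amp;/g, '&')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"');
}

const ENTITY_MAP: Record<string, string> = {
  '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'",
};

// Hardened: one regex with alternation, so every entity is decoded exactly once
// and the text produced by a replacement is never scanned again.
export function decodeEntitiesOnce(s: string): string {
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, (m) => ENTITY_MAP[m] ?? m);
}

// --- 2. Affiliate URL check: substring vs parsed hostname -----------------

// Naive: satisfied by attacker-controlled hosts and by the query string
// (CodeQL: incomplete URL substring sanitization).
export function isShopUrlNaive(url: string, domain: string): boolean {
  return url.includes(domain);
}

// Hardened: parse, require http(s), and compare the hostname itself.
// `allowed` holds registrable domains (constructed list); subdomains pass,
// lookalikes such as "evilcoupang.com" or "coupang.com.evil.example" do not.
export function isShopUrl(url: string, allowed: readonly string[]): boolean {
  let parsed: URL;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input is rejected, not substring-matched
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return false;
  const host = parsed.hostname.toLowerCase();
  return allowed.some((d) => host === d || host.endsWith('.' + d));
}

// --- 3. Tag stripping: single pass vs loop-until-stable --------------------

const TAG_RE = /<\/?[a-zA-Z][^<>]*>/g;

// Naive: one pass. Removing the inner tag from "<scr<b>ipt>" assembles a brand
// new "<script>" that is never examined (CodeQL: incomplete multi-character
// sanitization).
export function stripTagsOnce(html: string): string {
  return html.replace(TAG_RE, '');
}

// Hardened: repeat until a pass changes nothing. Every productive pass shortens
// the string, so the loop terminates on its own; the cap is a safety net, and
// on reaching it we fail closed by dropping any remaining angle brackets.
export function stripTagsStable(html: string, maxPasses = 32): string {
  let current = html;
  for (let i = 0; i < maxPasses; i++) {
    const next = current.replace(TAG_RE, '');
    if (next === current) return current;
    current = next;
  }
  return current.replace(/[<>]/g, '');
}
```

Two caveats worth keeping in mind. `decodeEntitiesChained` decodes `&amp;` first, which is the order that lets doubly-encoded input collapse into markup; reversing the order avoids that particular case but still feeds the output of one replacement into the next, which is why CodeQL flags the chained pattern regardless of order. `stripTagsStable` demonstrates only the loop-until-stable idea: a tag regex knows nothing about quoted attributes or comments, so untrusted HTML that will actually be rendered belongs in a real sanitizer rather than a regex.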