fix: address code audit findings (C1-C4, I1, I4, I6) #981

Merged: jackwener merged 2 commits into main from fix/code-audit-issues on Apr 13, 2026

@jackwener
Owner

Summary

Fixes 7 issues identified in the systematic code audit:

Security (Critical)

  • C1: Fix page.evaluate injection in browser type/browser select commands and 6 adapter files (barchart/flow, barchart/greeks, barchart/options, barchart/quote, reuters/search, yahoo-finance/quote). User input was interpolated directly into JS template literals — now uses JSON.stringify().
  • C2: Close WebSocket on CDP connect timeout to prevent resource leak in src/browser/cdp.ts.
  • C3: Reject CDP connect promise on Page.enable failure instead of silently swallowing the error.

Reliability (Critical + Important)

  • C4: Guard against corrupted adapter-manifest.json hashes to prevent false-positive override deletion in scripts/fetch-adapters.js.
  • I1: Throw CommandExecutionError on pre-navigation failure instead of warn-and-continue in src/execution.ts.
  • I4: Use Map<string, Promise<void>> for lazy module loading to prevent concurrent double-imports of the same adapter.

Performance (Important)

  • I6: Replace O(n) full-table registry alias scan with O(k) direct deletion using stored aliases array in src/registry.ts.

Test plan

  • TypeScript typecheck passes
  • 34 unit tests pass (src/engine.test.ts + src/registry.test.ts)
  • Manual: opencli browser type with special characters in selector index
  • Manual: opencli barchart flow / yahoo-finance quote AAPL with quotes in args

Security:
- C1: Fix page.evaluate injection in browser type/select commands and
  6 adapter files by using JSON.stringify for user input interpolation
- C2: Close WebSocket on CDP connect timeout to prevent resource leak
- C3: Reject CDP connect promise on Page.enable failure instead of
  silently swallowing the error

Reliability:
- C4: Guard against corrupted adapter-manifest.json hashes to prevent
  false-positive override deletion
- I1: Throw on pre-navigation failure instead of warn-and-continue
- I4: Use Map<string, Promise<void>> for lazy module loading to prevent
  concurrent double-imports of the same adapter

Performance:
- I6: Replace O(n) registry alias cleanup with O(k) direct deletion
- C1: add quotes around CSS selector attribute values in browser
  type/select to match other commands (get text/value/attributes)
- C2: clear this._ws in timeout handler to prevent race with open event
- C4: refine corruption guard — treat null/undefined hashes as empty,
  only skip sync for truly invalid types (string, number, array)
@jackwener jackwener merged commit ffb61c5 into main Apr 13, 2026
13 checks passed
@jackwener jackwener deleted the fix/code-audit-issues branch April 13, 2026 01:24
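
The C1 change described in the summary and in the follow-up commit (JSON.stringify for the script text, quotes around the CSS attribute value), as an added example that is not code from this PR or the opencli repository. The `data-ref` attribute, `sideEffect`, `cssQuote` and the `fakeEvaluate` stand-in for `page.evaluate` are assumptions made so the block runs without a browser.

```javascript
// Added example; not code from the opencli repository.
// `data-ref`, `sideEffect` and fakeEvaluate are hypothetical stand-ins.

// Stand-in for page.evaluate(script): runs the script string with a fake
// `document` and records what reached querySelector and what else ran.
function fakeEvaluate(script) {
  const seen = { selectors: [], sideEffects: [] };
  const document = {
    querySelector(sel) { seen.selectors.push(sel); return null; },
  };
  const sideEffect = (tag) => { seen.sideEffects.push(tag); };
  new Function('document', 'sideEffect', script)(document, sideEffect);
  return seen;
}

// "Before" shape: the argument becomes part of the script's source text.
function buildUnsafe(index) {
  return `document.querySelector('[data-ref=${index}]')`;
}

// Escape for a double-quoted CSS attribute value (assumed helper; a browser
// context could use CSS.escape instead).
function cssQuote(value) {
  return '"' + String(value).replace(/[\\"]/g, '\\$&') + '"';
}

// "After" shape: quote the attribute value for CSS, then let JSON.stringify
// produce the JS string literal so the argument stays data at both layers.
function buildSafe(index) {
  const selector = `[data-ref=${cssQuote(index)}]`;
  return `document.querySelector(${JSON.stringify(selector)})`;
}

// Constructed input: closes the quote and call, then adds a second statement.
const hostile = "1]'); sideEffect('ran'); ('[";

function demo() {
  return {
    unsafe: fakeEvaluate(buildUnsafe(hostile)),
    safe: fakeEvaluate(buildSafe(hostile)),
  };
}
```

With the unsafe builder the constructed argument runs as a second statement; with the safe builder the same bytes arrive intact as one selector string and nothing else executes.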