hai/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-05-21 12:18:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): CSS injection guard, timeout clamping, session validation, tests (#806)

Browse Source 
Community PR #806 by @mr-k-man (security audit round 2, new parts only).

- CSS value validation (DANGEROUS_CSS) in cdp-inspector, write-commands, extension inspector
- Queue file permissions (0o700/0o600) in cli, server, sidebar-agent
- escapeRegExp for frame --url ReDoS fix
- Responsive screenshot path validation with validateOutputPath
- State load cookie filtering (reject localhost/.internal/metadata cookies)
- Session ID format validation in loadSession
- /health endpoint: remove currentUrl and currentMessage fields
- QueueEntry interface + isValidQueueEntry validator for sidebar-agent
- SIGTERM->SIGKILL escalation in timeout handler
- Viewport dimension clamping (1-16384), wait timeout clamping (1s-300s)
- Cookie domain validation in cookie-import and cookie-import-browser
- DocumentFragment-based tab switching (XSS fix in sidepanel)
- pollInProgress reentrancy guard for pollChat
- toggleClass/injectCSS input validation in extension inspector
- Snapshot annotated path validation with realpathSync
- 714-line security-audit-r2.test.ts + 33-line learnings-injection.test.ts

Co-Authored-By: mr-k-man <mr-k-man@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-04-05 23:26:35 -07:00
parent c151fabfca
commit dfe946fe64
14 changed files with 967 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
browse/test/commands.test.ts
View File

@@ -1577,7 +1577,8 @@ describe('Cookie import', () => {
test('cookie-import preserves explicit domain', async () => {
await handleWriteCommand('goto', [baseUrl + '/basic.html'], bm);
const tempFile = '/tmp/browse-test-cookies-domain.json';
const cookies = [{ name: 'explicit', value: 'domain', domain: 'example.com', path: '/foo' }];
// Domain must match page hostname (127.0.0.1) — cross-domain cookies are now rejected
const cookies = [{ name: 'explicit', value: 'domain', domain: '127.0.0.1', path: '/foo' }];
fs.writeFileSync(tempFile, JSON.stringify(cookies));
const result = await handleWriteCommand('cookie-import', [tempFile], bm);
@@ -1837,7 +1838,7 @@ describe('Chain with cookie-import', () => {
await handleWriteCommand('goto', [baseUrl + '/basic.html'], bm);
const tmpCookies = '/tmp/test-chain-cookies.json';
fs.writeFileSync(tmpCookies, JSON.stringify([
{ name: 'chain_test', value: 'chain_value', domain: 'localhost', path: '/' }
{ name: 'chain_test', value: 'chain_value', domain: '127.0.0.1', path: '/' }
]));
try {
const commands = JSON.stringify([