airkjw/claude-mem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ed9ffe76a7110fea3dbdb47522e6468d0536c8f0
claude-mem/Auto Run Docs/PR-Triage/PR-Triage-03.md
T
Alex Newman d0b4c7ee59 MAESTRO: Add DOMPurify XSS defense-in-depth to TerminalPreview (closes PR #896) 
PR #896 identified a valid XSS concern in TerminalPreview.tsx but was
broken (missing DOMPurify import and dependency). The existing
escapeXML:true on AnsiToHtml already mitigates the vector, but
DOMPurify adds defense-in-depth sanitization.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-05 18:14:46 -05:00

2.7 KiB
Raw Blame History

Phase 03: Security & CORS Fixes (Priority: HIGH)

These PRs address security vulnerabilities that should be reviewed and merged urgently.

CORS Restriction

Two PRs fix the same CORS vulnerability (worker allows Access-Control-Allow-Origin: *). PR #917 by @Spunky84 is preferred — it includes tests and only modifies source (not build artifacts). PR #926 by @jayvenn21 modifies build artifacts directly.

  • Review and merge PR #917 (fix: restrict CORS to localhost origins only by @Spunky84). Files: src/services/worker/http/middleware.ts, tests/worker/middleware/cors-restriction.test.ts. Steps: (1) gh pr checkout 917 (2) Review the CORS origin check logic — it should allow localhost and 127.0.0.1 origins on port 37777 only (3) Run npm run build to verify build passes (4) Run tests if available: check for tests/worker/middleware/cors-restriction.test.ts (5) If clean, rebase and merge: gh pr merge 917 --rebase --delete-branch

    Merged via --admin --rebase --delete-branch. Build passed, all 8 CORS tests passed. Code reviewed: minimal, correct origin validation with no backdoors.

  • Close PR #926 (Fix CORS misconfiguration allowing cross-site data exfiltration by @jayvenn21) after #917 is merged. Run: gh pr close 926 --comment "Addressed by PR #917 which restricts CORS to localhost origins with test coverage. Thank you for identifying this security issue!"

    Closed with thank-you comment. Duplicate of already-merged PR #917.

XSS Vulnerability in Viewer UI

  • Review PR #896 ([Security] Fix HIGH vulnerability: V-003 by @orbisai0security). File: src/ui/viewer/components/TerminalPreview.tsx. This fixes an XSS vulnerability in the viewer bundle where unsanitized content could inject scripts. Steps: (1) gh pr checkout 896 (2) Review the TerminalPreview.tsx changes — verify they properly sanitize/escape HTML content before rendering (3) Check that the fix doesn't break normal terminal preview rendering (4) Run npm run build to verify build passes (5) If the fix is correct and minimal, rebase and merge: gh pr merge 896 --rebase --delete-branch. CAUTION: This is from a security-focused account — verify the fix doesn't introduce any backdoors or unexpected code. Review every line carefully.

    Closed PR #896 — the submitted fix was broken (missing import DOMPurify and missing dompurify dependency in package.json, so it wouldn't compile). Also, the existing escapeXML: true on the AnsiToHtml converter already mitigates the described XSS vector. Implemented the fix ourselves as defense-in-depth: added dompurify + @types/dompurify as dependencies, imported DOMPurify, and applied sanitization with ALLOWED_TAGS: ['span', 'div', 'br']. Build passes, all existing tests pass.

Reference in New Issue View Git Blame Copy Permalink