fix(security): remediate CodeQL alerts#572
Open
dongmucat wants to merge 2 commits into
Open
Conversation
Signed-off-by: dongmucat <1127093059@qq.com>
68e417f to
f4fec3f
Compare
Signed-off-by: dongmucat <1127093059@qq.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
概述
修复当前 9 个打开的 CodeQL code scanning alerts,并把旧 CLI loopback token 回调迁移到设备授权入口,避免浏览器端生成或重定向携带 token。
变更内容
SafeConstructor和LoaderOptions加固SKILL.mdfrontmatter 解析,并在 loose fallback 前拒绝显式 YAML tag。GET /api/v1/labels、GET /api/web/labels,并移除该 chain 上的 CSRF disable。/cli/authtoken redirect 页面,新增受登录保护的/device路由作为 CLI 设备授权入口。randomUUID。测试覆盖
!important文案兼容测试。cli-auth单测和 Playwright 覆盖。/device提交单测,覆盖用户码归一化、CSRF header、失败消息。namespace--slug--回归测试。质量门禁
make test-backend-appmake typecheck-webmake lint-webmake test-frontendcd cli && bun testcd web && pnpm exec playwright test e2e/cli-auth.spec.ts e2e/register-email-required.spec.tsmake test-e2e-smoke-frontendmake staginggit diff --check安全考虑
randomUUID,清理 CodeQL insecure randomness alerts。相关 Issue
测试说明
本地门禁全部通过;PR 后继续等待 GitHub checks 和
security.ymlCodeQL workflow。