Security: Fix critical vulnerabilities (includes fr4iser90 PR #38 + fix) #42

Merged
ruvnet merged 7 commits from security/fix-critical-vulnerabilities into main 2026-03-01 10:44:00 +08:00
ruvnet commented 2026-03-01 10:43:49 +08:00 (Migrated from github.com)

Summary

Includes all 6 security commits from @fr4iser90 (PR #38) plus 1 fix for a browser compatibility issue.

From @fr4iser90 (PR #38):

  • SQL Injection — Whitelist validation + ORM queries in status.py and migrations
  • XSS — innerHTML replaced with textContent/createElement in DashboardTab, HardwareTab, PoseDetectionCanvas
  • Command Injection — Input validation in statusline.cjs
  • Path Traversal — Path validation in intelligence.cjs and metrics-db.mjs
  • Insecure WebSocket — WSS in production environments
  • GitHub Actions Shell Injection — Environment variables instead of direct interpolation in cd.yml

Additional fix:

  • process.env.NODE_ENV removed — process.env does not exist in vanilla browser ES modules (no bundler). Replaced with window.location.protocol check only.

Closes #38

Test plan

  • UI loads without ReferenceError: process is not defined
  • WebSocket connects with ws:// on localhost
  • Python syntax valid in status.py and 001_initial.py
  • Statusline hook produces output (safeExec not blocked)

🤖 Generated with claude-flow
