Security: Fix critical vulnerabilities (includes fr4iser90 PR #38 + fix) #42

Merged

ruvnet merged 7 commits from security/fix-critical-vulnerabilities into main 2026-03-01 10:44:00 +08:00

Conversation 0 Commits 7 Files Changed 10 +4089 -3526990

7 Commits

Author	SHA1	Message	Date
ruv	e320bc95f0	fix: Remove process.env reference from browser ES module ... process.env does not exist in vanilla browser ES modules (no bundler). Use window.location.protocol check only for WSS detection. Co-Authored-By: claude-flow <ruv@ruv.net>	2026-02-28 21:42:42 -05:00
fr4iser	ab2e7b49ad	security: Fix GitHub Actions shell injection vulnerability ... - Use environment variables instead of direct interpolation - Prevent shell injection through github context data - Follow GitHub security best practices	2026-02-28 20:40:25 +01:00
fr4iser	ac094d4a97	security: Fix insecure WebSocket connections ... - Use wss:// in production and non-localhost environments - Only allow ws:// for localhost development - Improve WebSocket security configuration	2026-02-28 20:40:19 +01:00
fr4iser	896c4fc520	security: Fix path traversal vulnerabilities ... - Add filename validation to prevent path traversal - Validate resolved paths are within expected directories - Check for dangerous path characters (.., /, \)	2026-02-28 20:40:13 +01:00
fr4iser	4cb01fd482	security: Fix command injection vulnerability in statusline.cjs ... - Add input validation for command parameter - Check for dangerous shell metacharacters - Allow only safe command patterns	2026-02-28 20:40:05 +01:00
fr4iser	5db55fdd70	security: Fix XSS vulnerabilities in UI components ... - Replace innerHTML with textContent and createElement - Use safe DOM manipulation methods - Prevents XSS attacks through user-controlled data	2026-02-28 20:40:00 +01:00
fr4iser	f9d125dfd8	security: Fix SQL injection vulnerabilities in status command and migrations ... - Add table name whitelist validation in status.py - Use SQLAlchemy ORM instead of raw SQL queries - Replace string formatting with parameterized queries in migrations - Add input validation for table names in migration scripts	2026-02-28 20:39:54 +01:00