fix(frontend): security hardening for Electron, UI inputs, and store logic #1313
Open
eren-karakus0 wants to merge 2 commits into eigent-ai:main from
Conversation
…logic
- Sanitize file paths in Electron fileReader to prevent path traversal
- Harden Electron IPC handlers and auto-update signature verification
- Add maxLength and input sanitization to UI input/textarea components
- Fix division-by-zero in chatStore percentage calculation
- Sanitize URLs in lib/index.ts to prevent XSS via javascript: protocol
- Add tests for all changes
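The commit message above names three checks that are easy to get subtly wrong: containing a user-supplied path inside a base directory, rejecting `javascript:` URLs in a way that survives case and whitespace tricks, and a percentage that does not divide by zero. The block below is an added illustration of those three checks and is not code from this PR or from the eigent project; the function names (`resolveInside`, `sanitizeUrl`, `percentage`), the allowed-scheme list and the error texts are assumptions made for this example.

```typescript
import * as path from "path";

// Path traversal guard. Resolves a caller-supplied path against a fixed base
// directory and refuses anything that lands outside it. `baseDir`, the function
// name and the error text are assumptions for this example, not the PR's API.
function resolveInside(baseDir: string, userPath: string): string {
  if (userPath.includes("\0")) {
    throw new Error("path contains a NUL byte");
  }
  const base = path.resolve(baseDir);
  const target = path.resolve(base, userPath); // an absolute userPath replaces base
  // path.relative yields "" for base itself, "a/b" for descendants, and
  // ".." or "../x" when target lies outside base. A plain string-prefix check on
  // the absolute paths would wrongly accept "/srv/data-old" as inside "/srv/data".
  const rel = path.relative(base, target);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`refusing path outside base directory: ${userPath}`);
  }
  return target;
}

// URL sanitization. Parse with the WHATWG URL parser instead of testing a string
// prefix: the parser lower-cases the scheme and strips tabs and newlines, so
// "JAVASCRIPT:" and "java\tscript:" both come back with protocol "javascript:".
// Anything not in the allow-list (javascript:, data:, vbscript:, file:, ...) is refused.
const SAFE_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

function sanitizeUrl(raw: string): string | null {
  let parsed: URL;
  try {
    parsed = new URL(raw.trim());
  } catch {
    return null; // relative or malformed input: refuse rather than guess a base
  }
  return SAFE_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Percentage that tolerates an empty or invalid total instead of producing
// NaN or Infinity, and stays clamped to the 0..100 range.
function percentage(done: number, total: number): number {
  if (!Number.isFinite(total) || total <= 0 || !Number.isFinite(done)) {
    return 0;
  }
  return Math.min(100, Math.max(0, Math.round((done / total) * 100)));
}
```

Note that `sanitizeUrl` deliberately returns `null` for relative URLs; a renderer that needs to accept them should resolve them against a known base first and then run the same scheme check on the result.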
Contributor: Thanks @eren-karakus0 for the contribution, could you link the issue this PR wants to resolve? Maybe @bytecii and @a7m-1st could help review this.
Author: Linked - closes #1330. Thanks for the reminder @Wendong-Fan!
bytecii reviewed Feb 21, 2026
| } | ||
| }); | ||
|
|
||
| // ======================== skills ======================== |
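Review bot: the `// ======================== skills ========================` section marker is the last visible line of this region and nothing follows it, which suggests the skills IPC handlers that normally come after the marker have been dropped along with whatever they import; a security-hardening change should not remove unrelated handlers, so please confirm the skills section and its dependencies are intact (or restore them) before this is merged.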
Author: This was an accidental deletion. The skills section, unzipper import, and seedDefaultSkillsIfEmpty() call have all been restored. The only intended changes in index.ts are the 3 security fixes (OAuth token redaction, shell.showItemInFolder, log level downgrade). Fixed in latest push.
The previous commit unintentionally deleted the entire skills IPC handlers (~400 lines), the unzipper import, and the seedDefaultSkillsIfEmpty() call. This commit restores all removed code while keeping the 3 intended security fixes:
- Redact OAuth token in logs
- Replace shell.openPath with shell.showItemInFolder
- Downgrade protocol code log from error to info
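The first of the three fixes kept by this commit, redacting the OAuth token from logs, is the kind of change that is easy to do only for the one log line that prompted it. The block below is an added example of doing it at the boundary instead, on any URL or header-like text before it reaches the logger; it is not code from this PR or from the eigent project. The `eigent://oauth/callback` URL shape, the parameter list in `SECRET_PARAMS`, the `REDACTED` mask and the function names are assumptions made for this example.

```typescript
// Query/fragment parameter names whose values are secrets. This list is an
// assumption for the example; extend it to match the OAuth provider in use.
const SECRET_PARAMS = new Set([
  "access_token", "refresh_token", "id_token", "code", "token", "client_secret",
]);
const MASK = "REDACTED";

// Redact secret parameters in one URL. Returns the input unchanged when nothing
// sensitive is present, so harmless URLs keep their original spelling in the log.
function redactUrl(raw: string): string {
  let u: URL;
  try {
    u = new URL(raw);
  } catch {
    return raw; // not a URL: nothing to redact here
  }
  let changed = false;

  // Authorization-code and similar flows put the secret in the query string.
  for (const key of Array.from(u.searchParams.keys())) {
    if (SECRET_PARAMS.has(key.toLowerCase())) {
      u.searchParams.set(key, MASK); // replaces every value for this key
      changed = true;
    }
  }

  // Implicit-flow callbacks carry the token in the fragment ("#access_token=...").
  if (u.hash.length > 1) {
    const frag = new URLSearchParams(u.hash.slice(1));
    let fragChanged = false;
    for (const key of Array.from(frag.keys())) {
      if (SECRET_PARAMS.has(key.toLowerCase())) {
        frag.set(key, MASK);
        fragChanged = true;
      }
    }
    if (fragChanged) {
      u.hash = frag.toString();
      changed = true;
    }
  }
  return changed ? u.href : raw;
}

// Redact a whole log line: every URL-looking token is passed through redactUrl,
// and bearer credentials written in header style are masked as well.
const URL_RE = /[a-z][a-z0-9+.-]*:\/\/[^\s"'<>]+/gi;
const BEARER_RE = /\b(Bearer)\s+[A-Za-z0-9\-._~+/]+=*/g;

function redactLogLine(line: string): string {
  return line.replace(URL_RE, (m) => redactUrl(m)).replace(BEARER_RE, `$1 ${MASK}`);
}
```

Wiring `redactLogLine` into the logger's formatter (rather than calling it at each call site) is what makes the redaction hold for log statements added later.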
Related Issue
Closes #1330
Split from #1299 as requested by @bytecii.
Summary
Security hardening for the frontend and Electron codebase.
Changes
Tests
- fileReader.test.ts — new, covers path traversal prevention
- securityFixes.test.ts — new, covers URL sanitization
- chatStore-divisionByZero.test.ts — new, covers division-by-zero edge case
Files (10)
- electron/main/fileReader.ts
- electron/main/index.ts
- electron/main/update.ts
- src/components/ui/input.tsx
- src/components/ui/textarea.tsx
- src/lib/index.ts
- src/store/chatStore.ts
- test/unit/electron/fileReader.test.ts
- test/unit/lib/securityFixes.test.ts
- test/unit/store/chatStore-divisionByZero.test.ts