Skip to content

fix: community security wave — 8 PRs, 4 contributors (v0.15.13.0)#847

Merged
garrytan merged 13 commits intomainfrom
garrytan/security-wave-5
Apr 6, 2026
Merged

fix: community security wave — 8 PRs, 4 contributors (v0.15.13.0)#847
garrytan merged 13 commits intomainfrom
garrytan/security-wave-5

Conversation

@garrytan
Copy link
Copy Markdown
Owner

@garrytan garrytan commented Apr 6, 2026

Summary

Community security wave: 8 PRs from 4 contributors, every fix credited as co-author.

Security fixes (@mr-k-man, @garagon):

  • IPv6 ULA prefix blocking (fc00::/7) with false-positive guard for hostnames
  • Cookie value redaction for tokens, API keys, JWTs in browse output
  • Per-tab cancel signaling (replaces broken global kill-file)
  • CSS injection guard (url(), expression(), @import, javascript:, data:) in 3 codepaths
  • Queue entry schema validation with path traversal checks
  • Session ID format validation prevents path traversal via crafted active.json
  • Viewport clamping (1-16384) and wait timeout clamping (1s-300s)
  • Cookie domain validation prevents cross-site cookie injection
  • DocumentFragment-based tab switching (XSS fix, replaces innerHTML round-trip)
  • pollInProgress reentrancy guard for chat polling
  • Annotated screenshot symlink resolution
  • Targeted getToken handler (replaces token-in-health-broadcast)
  • /health endpoint: removed currentUrl and currentMessage fields
  • SIGTERM/SIGKILL escalation in sidebar agent timeout
  • design/serve.ts: realpathSync upgrade prevents symlink bypass in /api/reload
  • Supabase migration 003: column-level GRANT restricts anon UPDATE scope
  • escapeRegExp for frame --url (ReDoS fix)
  • State load cookie filtering (reject localhost/.internal/metadata)
  • Queue file permissions (0o700/0o600)
  • Telemetry sync upsert error logging

Platform fixes (@pieterklue):

  • Windows: extraEnv now passes through to Windows launcher
  • Windows: about:blank replaced with inline HTML fallback
  • Headed mode: auth token returned without Origin header

Reliability (@mmporong):

  • Parent process watchdog: orphaned servers self-terminate within 15s

Docs (@0531Kim):

  • Uninstall instructions in README (script + manual removal)

Test Coverage

750+ lines of new security regression tests across 4 test files.

Pre-Landing Review

Eng review CLEARED (plan-stage). 3 issues found and resolved:

  • P0: 3 items incorrectly marked SKIP (fixed, all 3 security gaps closed)
  • P2: Dead global kill-file write removed
  • P3: DANGEROUS_CSS duplication accepted (extension can't share server imports)

Test plan

  • All browse tests pass (path-validation, url-validation, security-audit-r2, learnings-injection, commands, sidebar-ux, snapshot, serve)
  • 8 pre-existing host freshness failures (Kiro, OpenCode, Slate, Cursor, OpenClaw) — unrelated to security changes

🤖 Generated with Claude Code

garrytan and others added 11 commits April 5, 2026 11:44
@garrytan @garagon @claude
fix(bin): pass search params via env vars (RCE fix) (#819)
4bc4bfe 
Replace shell string interpolation with process.env in gstack-learnings-search
to prevent arbitrary code execution via crafted learnings entries. Also fixes
the CROSS_PROJECT interpolation that the original PR missed.

Adds 3 regression tests verifying no shell interpolation remains in the bun -e block.

Co-authored-by: garagon <garagon@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@garrytan @garagon @claude
fix(browse): add path validation to upload command (#821)
49d7841 
Add isPathWithin() and path traversal checks to the upload command,
blocking file exfiltration via crafted upload paths. Uses existing
SAFE_DIRECTORIES constant instead of a local copy. Adds 3 regression tests.

Co-authored-by: garagon <garagon@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@garrytan @garagon @claude
fix(browse): symlink resolution in meta-commands validateOutputPath (#…
fe6880b 
…820)

Add realpathSync to validateOutputPath in meta-commands.ts to catch
symlink-based directory escapes in screenshot, pdf, and responsive
commands. Resolves SAFE_DIRECTORIES through realpathSync to handle
macOS /tmp -> /private/tmp symlinks. Existing path validation tests
pass with the hardened implementation.

Co-authored-by: garagon <garagon@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@garrytan
Merge remote-tracking branch 'origin/main' into garrytan/security-wave-5
6778508
@garrytan @0531Kim @claude
docs: add uninstall instructions to README (#812)
58b0643 
Community PR #812 by @0531Kim. Adds two uninstall paths: the gstack-uninstall
script (handles everything) and manual removal steps for when the repo isn't
cloned. Includes CLAUDE.md cleanup note and Playwright cache guidance.

Co-Authored-By: 0531Kim <0531Kim@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@garrytan @pieterklue @claude
fix(browse): Windows launcher extraEnv + headed-mode token (#822)
a4a5784 
Community PR #822 by @pieterklue. Three fixes:
1. Windows launcher now merges extraEnv into spawned server env (was
   only passing BROWSE_STATE_FILE, dropping all other env vars)
2. Welcome page fallback serves inline HTML instead of about:blank
   redirect (avoids ERR_UNSAFE_REDIRECT on Windows)
3. /health returns auth token in headed mode even without Origin header
   (fixes Playwright Chromium extensions that don't send it)

Also adds HOME/USERPROFILE fallback for cross-platform compatibility.

Co-Authored-By: pieterklue <pieterklue@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@garrytan @mmporong @claude
fix(browse): terminate orphan server when parent process exits (#808)
5bd05c9 
Community PR #808 by @mmporong. Passes BROWSE_PARENT_PID to the spawned
server process. The server polls every 15s with signal 0 and calls
shutdown() if the parent is gone. Prevents orphaned chrome-headless-shell
processes when Claude Code sessions exit abnormally.

Co-Authored-By: mmporong <mmporong@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@garrytan @mr-k-man @claude
fix(security): IPv6 ULA blocking, cookie redaction, per-tab cancel, t…
c151fab 
…argeted token (#664)

Community PR #664 by @mr-k-man (security audit round 1, new parts only).

- IPv6 ULA prefix blocking (fc00::/7) in url-validation.ts with false-positive
  guard for hostnames like fd.example.com
- Cookie value redaction for tokens, API keys, JWTs in browse cookies command
- Per-tab cancel files in killAgent() replacing broken global kill-signal
- design/serve.ts: realpathSync upgrade prevents symlink bypass in /api/reload
- extension: targeted getToken handler replaces token-in-health-broadcast
- Supabase migration 003: column-level GRANT restricts anon UPDATE scope
- Telemetry sync: upsert error logging
- 10 new tests for IPv6, cookie redaction, DNS rebinding, path traversal

Co-Authored-By: mr-k-man <mr-k-man@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@garrytan @mr-k-man @claude
fix(security): CSS injection guard, timeout clamping, session validat…
dfe946f 
…ion, tests (#806)

Community PR #806 by @mr-k-man (security audit round 2, new parts only).

- CSS value validation (DANGEROUS_CSS) in cdp-inspector, write-commands, extension inspector
- Queue file permissions (0o700/0o600) in cli, server, sidebar-agent
- escapeRegExp for frame --url ReDoS fix
- Responsive screenshot path validation with validateOutputPath
- State load cookie filtering (reject localhost/.internal/metadata cookies)
- Session ID format validation in loadSession
- /health endpoint: remove currentUrl and currentMessage fields
- QueueEntry interface + isValidQueueEntry validator for sidebar-agent
- SIGTERM->SIGKILL escalation in timeout handler
- Viewport dimension clamping (1-16384), wait timeout clamping (1s-300s)
- Cookie domain validation in cookie-import and cookie-import-browser
- DocumentFragment-based tab switching (XSS fix in sidepanel)
- pollInProgress reentrancy guard for pollChat
- toggleClass/injectCSS input validation in extension inspector
- Snapshot annotated path validation with realpathSync
- 714-line security-audit-r2.test.ts + 33-line learnings-injection.test.ts

Co-Authored-By: mr-k-man <mr-k-man@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@garrytan @claude
chore: bump version and changelog (v0.15.13.0)
cb0a827 
Community security wave: 8 PRs from 4 contributors (@garagon, @mr-k-man,
@mmporong, @0531Kim, @pieterklue). IPv6 ULA blocking, cookie redaction,
per-tab cancel signaling, CSS injection guards, timeout clamping, session
validation, DocumentFragment XSS fix, parent process watchdog, uninstall
docs, Windows fixes, and 750+ lines of security regression tests.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@garrytan
Merge remote-tracking branch 'origin/main' into garrytan/security-wave-5
9fd29e3 
# Conflicts:
#	CHANGELOG.md
#	VERSION
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 6, 2026
edited
Loading

E2E Evals: ❌ FAIL

9/10 tests passed | $1.47 total cost | 12 parallel runners

Suite Result Status Cost
e2e-browse 2/2 $0.13
e2e-deploy 2/2 $0.32
e2e-qa-workflow 1/1 $0.64
llm-judge 2/3 $0.06
e2e-deploy 2/2 $0.32

12x ubicloud-standard-2 (Docker: pre-baked toolchain + deps) | wall clock ≈ slowest suite

Failures

  • ❌ snapshot flags reference: unknown

@garrytan garrytan merged commit 03973c2 into main Apr 6, 2026
18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@garrytan