security: fix 46 vulnerabilities and stability issues across the code…#25
Open
ZAREZOV2 wants to merge 3 commits into
Open
security: fix 46 vulnerabilities and stability issues across the code…#25ZAREZOV2 wants to merge 3 commits into
ZAREZOV2 wants to merge 3 commits into
Conversation
…base This patch resolves all findings from the full-stack security audit. Severity breakdown: - 10 Critical (RCE, path traversal, SSRF, sandbox escape, plaintext JWT) - 14 High (race conditions, memory leaks, IPC listener leaks, wrong file writes) - 12 Medium (missing guards, CSP, MIME types, hard-coded ports) - 10 Low (naming, compare stability, raw Error returns, missing Content-Type) Key changes: - sandbox: add resolveSandboxPath guard to prevent extension path traversal - terminal: validate cmd type/length before spawning shell - python runtime: block-list dangerous imports and builtins before execution - live-server: path traversal guard, dynamic port selection, MIME mapping - extensions: block private IPs in fetch, enforce contextIsolation/nodeIntegration - sandbox: replace vm.runInContext string interpolation with vm.Script + timeout - IPC filesWork: workspace root guard for all file operations - auth: encrypt JWT with safeStorage, atomic local.json writes - notifications: per-window closeHandler instead of removeAllListeners - diagnostics: Map-based request-ID queue instead of single resolver - splash: dedicated minimal preload instead of full editor preload - debugger: deduplicate debugger-data listener, remove runExtension exposure Build passes (tsc clean).
Owner
|
Please update your branch with the latest changes from main and resolve the merge conflicts. |
added 2 commits
June 20, 2026 22:11
- Add IPC handlers for AI chat (OpenRouter, OpenAI, Anthropic) - Add IPC handlers for agent tools (read_file, write_file, edit_file, list_dir, run_terminal, search_code) - Add AI panel UI with Chat and Agent modes - Add quick actions: Explain, Fix, Tests, Review - Add collapsible code attachments - Add agent approval flow for destructive actions - Add back button from AI settings - Add localization for AI panel (ru, uk, be) - Add AI model list with current models (June 2026) - Fix popup title active state not clearing on switch - Add start.bat for Windows launch
Resolve popup-title conflict keeping optimized forEach loop.
Author
|
Merge conflicts resolved. Branch rebased on latest |
cdmtn-dev
reviewed
Jun 21, 2026
cdmtn-dev
left a comment
Owner
There was a problem hiding this comment.
A quick review of the PR revealed the following:
- The splash screen isn't behaving as it should in the original: the splash screen content is empty, with only “CodeMotion” at the top
Also, due to the large amount of code and new AI features, the PR will take a very long time to review, and it's not certain that it will be accepted. In any case, thanks for your work!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Security & Stability Patch — 46 Issues Resolved
Full-stack security audit of the Electron-based CodeMotion IDE. All findings have been patched and the TypeScript build passes cleanly (
tscexit 0).Severity Summary
Critical Fixes
resolveSandboxPath()inapp/sandbox/tools.jsto validate that every file path stays within the extension directory. Applied across all permission handlers that read files.cmdis now validated (must be string, max 5000 chars, trimmed).stdininput is coerced withString(input ?? '').runtimeHandler.tsthat rejects dangerous patterns (__import__,os,subprocess,socket,open(,exec(,eval(, etc.) before writing to a temp file.root; requests escaping the root receive403 Forbidden.fetchin extensions now blocks private IP ranges (localhost,127.*,10.*,192.168.*, etc.) and non-http(s) protocols.BrowserWindowcreated by extensions now enforcescontextIsolation: true,nodeIntegration: false,sandbox: true. URL hostnames are validated against a strict regex.vm.runInContextstring interpolation withvm.Script(...).runInContext(..., { timeout: 5000 }). Back-tick characters in extension code are rejected. RemovedMapfrom the sandbox object.filesWork.tsnow enforces a workspace-root guard viaguardPath().read-filealso validates the resolved path stays withinparentPath.saveToken/loadTokeninauth.jsnow use ElectronsafeStorageto encrypt/decrypt the JWT. Legacy plaintext fallback is preserved for existing files.High Fixes
removeAllListeners("notification-close"); each notification registers its owncloseHandlerscoped to its window.pendingresolver with aMap<number, PendingEntry>queue. Worker responses include the requestid.debugger-datalistener moved to module scope (registered once).debuggerWindowis now explicitly declared.splash-preload.js) exposing onlyclose,setNonAccountMode,reload, andonStatusUpdate.keyboardListenerreference;v.removeListener()is called on window close, before-quit, and window-all-closed. AddedisDestroyed()guard.resolvedflag to ignore duplicateexeccallbacks.runExtensionfromdebuggerWindow/preload.jsentirely.window.closenow shows a confirmation dialog before callingapp.quit().http:andhttps:schemes only.set-non-account-modenow writes to a temp file and renames atomically.Medium & Low Fixes
Content-Typeheaders.Content-Security-Policymeta tag tonotification.html.img.srcnow only accepts URLs starting withhttp:/https:.onFileOpenedlisteners are now tracked per-extension in aMap.evalmachine.<anonymous>lines are filtered from extension error output.getAppIconasync removed,isPackagedmisleading variable removed,organizations.tscatches now stringify errors,api.tsreturns safe error messages,py?.kill()used instead ofpy!.kill(), sort comparator stabilized with|| 0fallback, notification script moved inside<body>.Files Changed
42 files changed, 1354 insertions(+), 214 deletions(-)
Checklist
npm run buildpasses (tscexit code 0)