
fix: address critical security vulnerabilities across the extension#676

Open
devin-ai-integration[bot] wants to merge 1 commit into
mainfrom
devin/1782156265-security-fixes

Conversation

@devin-ai-integration


Summary

Security audit and fixes for the most critical issues in the LeetHub Chrome extension.

Changes

Hardcoded OAuth secret removed — CLIENT_ID and CLIENT_SECRET were plaintext in oauth2.js and authorize.js. Replaced with the typeof LEETHUB_CLIENT_ID !== 'undefined' ? LEETHUB_CLIENT_ID : 'SET_YOUR_CLIENT_ID' pattern so credentials can be injected at build time.

CSRF protection added to OAuth flow — oAuth2.begin() now generates a random state param via crypto.getRandomValues(), stores it in chrome.storage.local, and localAuth.parseAccessCode() validates that the returned state matches before exchanging the code for a token.

XSS in welcome.js and popup.js — User-controlled values (name, res.html_url, leethubHook) were interpolated directly into .html() calls. Added an escapeHtml() helper using a textContent/innerHTML roundtrip, and switched popup.js to DOM construction (document.createElement) with .textContent assignment.

Dead branch in background.js — The else if had request.isSuccess === true (identical to the if), making the error-handling path unreachable. Fixed to request.isSuccess === false.

Token leaked to window.localStorage — background.js was writing request.token and request.username to window.localStorage in addition to chrome.storage.local. Removed the localStorage writes; chrome.storage.local is sufficient and more secure.

Assignment bug in leetcode.js:709 — if ((uploadState.uploading = true)) always evaluated truthy (assignment, not comparison). Fixed to uploadState.uploading === true.

Input validation — Added isValidRepoName() (/^[a-zA-Z0-9._-]+$/, max 100 chars) before repo creation/linking.

Minor — http://leetcode.com → https://leetcode.com, fixed missing = in the redirect_uri query param, added encodeURIComponent on the redirect URL.

Remaining issues (not fixed in this PR)

  • jQuery 3.3.1 loaded from CDN has known XSS CVEs — consider bundling or upgrading
  • Semantic UI 2.4.1 loaded from CDN without SRI hash
  • Manifest V2 (manifest_version: 2) is deprecated
  • gfg.js injects <script> elements into the page DOM to read the ACE editor
  • content_security_policy in manifest.json allows external CDN scripts

Link to Devin session: https://app.devin.ai/sessions/db088612120048d6bf7e9dab5b5d3e0b
Requested by: @QasimWani

- Remove hardcoded OAuth CLIENT_SECRET from oauth2.js and authorize.js
- Add CSRF protection via state parameter in OAuth flow
- Sanitize HTML output to prevent XSS in welcome.js and popup.js
- Fix dead branch in background.js (isSuccess was duplicated, never reached error path)
- Remove token/username storage from window.localStorage (use chrome.storage.local only)
- Fix assignment-instead-of-comparison bug in leetcode.js startUploadCountDown
- Add repository name input validation (alphanumeric, hyphens, dots, underscores)
- Upgrade http:// links to https://

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
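The OAuth state check described in the PR, written out as an added example (this is illustrative code, not the extension's own oauth2.js or authorize.js). It assumes a small in-memory object standing in for chrome.storage.local, a placeholder redirect URL, and a CLIENT_ID placeholder; the authorize endpoint is GitHub's real one. The state is 128 bits from the Web Crypto CSPRNG, is compared in constant time, and is deleted on first use so a replayed callback is also rejected. Note that the state parameter defends against login CSRF only; a client secret injected at build time still ships inside the extension bundle and can be read out of it.

```javascript
// Added example: OAuth "state" CSRF protection for an extension login flow.
// Not the extension's own code. Assumptions: `storage` stands in for
// chrome.storage.local, REDIRECT_URL and CLIENT_ID are placeholders.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const AUTHORIZE_URL = 'https://github.com/login/oauth/authorize'; // real GitHub endpoint
const REDIRECT_URL = 'https://example.invalid/oauth2/callback';    // placeholder (assumption)
const CLIENT_ID = 'SET_YOUR_CLIENT_ID';                            // injected at build time

// In-memory stand-in for chrome.storage.local so the example runs outside Chrome.
function makeStorage() {
  const data = new Map();
  return {
    get: (k) => data.get(k),
    set: (k, v) => { data.set(k, v); },
    remove: (k) => { data.delete(k); },
  };
}

// 128 bits of CSPRNG output, hex-encoded: unguessable and URL-safe.
function generateState() {
  const bytes = new Uint8Array(16);
  webCrypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Step 1: persist a fresh state and build the authorize URL that carries it.
// URLSearchParams percent-encodes redirect_uri, so no manual encoding is needed.
function beginAuth(storage, clientId = CLIENT_ID) {
  const state = generateState();
  storage.set('oauth_state', state);
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: REDIRECT_URL,
    scope: 'repo',
    state,
  });
  return `${AUTHORIZE_URL}?${params.toString()}`;
}

// Constant-time comparison so the check does not leak how many leading
// characters of the stored state a caller guessed correctly.
function timingSafeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Step 2: on the redirect back, accept the code only if `state` matches the
// stored value, and discard the stored value so it cannot be replayed.
function parseAccessCode(storage, redirectedUrl) {
  const url = new URL(redirectedUrl);
  const code = url.searchParams.get('code');
  const returned = url.searchParams.get('state');
  const expected = storage.get('oauth_state');
  storage.remove('oauth_state'); // single use, even when the check fails
  if (!code || !returned || !expected || !timingSafeEqual(returned, expected)) {
    throw new Error('OAuth state mismatch: possible login CSRF, refusing to exchange code');
  }
  return code;
}

// Legitimate round trip followed by a forged callback (constructed inputs).
function demo() {
  const storage = makeStorage();
  const authorizeUrl = beginAuth(storage);
  const state = new URL(authorizeUrl).searchParams.get('state');
  const good = parseAccessCode(storage, `${REDIRECT_URL}?code=abc123&state=${state}`);
  beginAuth(storage);
  let forgedRejected = false;
  try {
    parseAccessCode(storage, `${REDIRECT_URL}?code=evil&state=deadbeef`);
  } catch (e) {
    forgedRejected = true;
  }
  return { good, forgedRejected };
}
```

In the real extension the storage calls would be the asynchronous chrome.storage.local.get/set/remove; the shape of the check (compare, then delete) stays the same.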
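The XSS and input-validation items above (escapeHtml() for welcome.js/popup.js and isValidRepoName() before repo creation) in one added example; this is illustrative code, not the extension's helpers. The PR's escapeHtml() uses a DOM textContent/innerHTML roundtrip, which escapes only &, < and > and is therefore not safe inside a quoted attribute; the version here uses an explicit map covering quotes as well, so it runs without a DOM and is safe in both text and attribute context. It also shows that a link target such as html_url cannot be made safe by escaping alone, since javascript:alert(1) contains no HTML metacharacters; the scheme allow-list (https only) is an assumption added here. The repo-name rule is the PR's own regex and length limit.

```javascript
// Added example: output encoding and input validation for values the extension
// renders. Not the extension's own code.

// Escapes the five characters that can break out of text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A link destination needs scheme validation, not escaping. Assumption: GitHub
// html_url values are always absolute https URLs, so anything else is rejected.
function safeHttpsUrl(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch {
    return null;
  }
  return url.protocol === 'https:' ? url.href : null;
}

// Same rule as the PR's isValidRepoName(): [A-Za-z0-9._-], 1..100 chars.
function isValidRepoName(name) {
  return typeof name === 'string' && name.length <= 100 && /^[a-zA-Z0-9._-]+$/.test(name);
}

// The vulnerable pattern: untrusted values interpolated straight into markup.
function renderWelcomeUnsafe(name, htmlUrl) {
  return `<p>Welcome, ${name}! Your repo: <a href="${htmlUrl}">${htmlUrl}</a></p>`;
}

// Hardened: validate the URL scheme first, then escape every interpolated value.
function renderWelcomeSafe(name, htmlUrl) {
  const href = safeHttpsUrl(htmlUrl);
  const link = href
    ? `<a href="${escapeHtml(href)}">${escapeHtml(href)}</a>`
    : '<em>(invalid repository link)</em>';
  return `<p>Welcome, ${escapeHtml(name)}! Your repo: ${link}</p>`;
}

// Constructed inputs: a display name carrying a payload and a javascript: URL.
function demo() {
  const name = '<img src=x onerror=alert(1)>';
  const url = 'javascript:alert(1)';
  return {
    unsafe: renderWelcomeUnsafe(name, url),
    safe: renderWelcomeSafe(name, url),
    repoOk: isValidRepoName('leetcode-solutions'),
    repoBad: isValidRepoName('../etc'),
  };
}
```

Where the page is built with the DOM instead of strings, as the PR does for popup.js, createElement plus textContent replaces escapeHtml(), but the href scheme check is still required before assigning the attribute.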
@QasimWani QasimWani self-assigned this Jun 22, 2026
@devin-ai-integration

Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

