fix: address critical security vulnerabilities across the extension#676
Open
devin-ai-integration[bot] wants to merge 1 commit into
Open
fix: address critical security vulnerabilities across the extension#676devin-ai-integration[bot] wants to merge 1 commit into
devin-ai-integration[bot] wants to merge 1 commit into
Conversation
- Remove hardcoded OAuth CLIENT_SECRET from oauth2.js and authorize.js - Add CSRF protection via state parameter in OAuth flow - Sanitize HTML output to prevent XSS in welcome.js and popup.js - Fix dead branch in background.js (isSuccess was duplicated, never reached error path) - Remove token/username storage from window.localStorage (use chrome.storage.local only) - Fix assignment-instead-of-comparison bug in leetcode.js startUploadCountDown - Add repository name input validation (alphanumeric, hyphens, dots, underscores) - Upgrade http:// links to https:// Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Author
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Security audit and fixes for the most critical issues in the LeetHub Chrome extension.
Changes
Hardcoded OAuth secret removed —
CLIENT_IDandCLIENT_SECRETwere plaintext inoauth2.jsandauthorize.js. Replaced withtypeof LEETHUB_CLIENT_ID !== 'undefined' ? LEETHUB_CLIENT_ID : 'SET_YOUR_CLIENT_ID'pattern so credentials can be injected at build time.CSRF protection added to OAuth flow —
oAuth2.begin()now generates a randomstateparam viacrypto.getRandomValues(), stores it inchrome.storage.local, andlocalAuth.parseAccessCode()validates the returnedstatematches before exchanging the code for a token.XSS in
welcome.jsandpopup.js— User-controlled values (name,res.html_url,leethubHook) were interpolated directly into.html()calls. AddedescapeHtml()helper usingtextContent→innerHTMLroundtrip, and switchedpopup.jsto DOM construction (document.createElement) with.textContentassignment.Dead branch in
background.js— Theelse ifhadrequest.isSuccess === true(identical to theif), making the error-handling path unreachable. Fixed torequest.isSuccess === false.Token leaked to
window.localStorage—background.jswas writingrequest.tokenandrequest.usernametowindow.localStoragein addition tochrome.storage.local. Removed thelocalStoragewrites;chrome.storage.localis sufficient and more secure.Assignment bug in
leetcode.js:709—if ((uploadState.uploading = true))always evaluated truthy (assignment, not comparison). Fixed touploadState.uploading === true.Input validation — Added
isValidRepoName()(/^[a-zA-Z0-9._-]+$/, max 100 chars) before repo creation/linking.Minor —
http://leetcode.com→https://leetcode.com, fixed missing=inredirect_uriquery param, addedencodeURIComponenton redirect URL.Remaining issues (not fixed in this PR)
manifest_version: 2) is deprecatedgfg.jsinjects<script>elements into the page DOM to read the ACE editorcontent_security_policyinmanifest.jsonallows external CDN scriptsLink to Devin session: https://app.devin.ai/sessions/db088612120048d6bf7e9dab5b5d3e0b
Requested by: @QasimWani