fix(495): CI lint + CodeQL XSS follow-ups

kovtcharov · claude · kovtcharov · commit e64790900fae · 2026-04-17T16:11:20.000-07:00
- tests: black-format test_file_write_guardrails.py + test_security_edge_cases.py
  (previous commit reordered mocks in a way black wanted normalized).
- chat-ui.js: route 'error' / 'system' messages through textContent instead of
  sanitizeHTML + innerHTML. Closes xss-through-exception / xss-through-dom
  alerts on addMessage — markdown rendering on an error banner is pure risk.
- renderer.js: replace two innerHTML template interpolations (AI response,
  error fallback) with DOM-based construction via an appendAiMessage helper.
  Matches the innerHTML-removal pattern the PR already applied elsewhere.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/gaia/apps/jira/webui/public/js/modules/chat-ui.js b/src/gaia/apps/jira/webui/public/js/modules/chat-ui.js
@@ -19,9 +19,21 @@ export class ChatUI {
         const contentEl = document.createElement('div');
         contentEl.className = 'message-content';
 
-        // Handle different content types
+        // Handle different content types.
+        //
+        // For 'error' / 'system' messages we MUST NOT pass through
+        // formatMessage + sanitizeHTML: those flows include arbitrary
+        // exception strings (`Error: ${error.message}`) which CodeQL
+        // correctly flags as xss-through-exception / xss-through-dom
+        // sinks. Even though sanitizeHTML strips <script>, forcing these
+        // system-facing messages through textContent is the categorically
+        // safe option — we don't need markdown in an error banner.
         if (typeof content === 'string') {
-            contentEl.innerHTML = this.sanitizeHTML(this.formatMessage(content));
+            if (type === 'error' || type === 'system') {
+                contentEl.textContent = content;
+            } else {
+                contentEl.innerHTML = this.sanitizeHTML(this.formatMessage(content));
+            }
         } else if (content instanceof HTMLElement) {
             contentEl.appendChild(content);
         } else {
diff --git a/src/gaia/apps/jira/webui/public/renderer.js b/src/gaia/apps/jira/webui/public/renderer.js
@@ -384,14 +384,27 @@ class JaxWebUIRenderer {
     chatInput.value = '';
     chatMessages.scrollTop = chatMessages.scrollHeight;
 
+    // Helper to build an AI message bubble via DOM APIs so we never
+    // interpolate untrusted data into innerHTML. Closes the CodeQL
+    // xss-through-dom / xss-through-exception alerts on this file.
+    const appendAiMessage = (bodyText, { idAttr = null, extraClass = '' } = {}) => {
+      const wrap = document.createElement('div');
+      wrap.className = `chat-message ai-message${extraClass ? ' ' + extraClass : ''}`;
+      if (idAttr) wrap.id = idAttr;
+      const avatar = document.createElement('div');
+      avatar.className = 'message-avatar';
+      avatar.textContent = '\uD83E\uDD16';
+      const body = document.createElement('div');
+      body.className = 'message-content';
+      body.textContent = bodyText;
+      wrap.appendChild(avatar);
+      wrap.appendChild(body);
+      chatMessages.appendChild(wrap);
+      return wrap;
+    };
+
     // Show typing indicator
-    const typingIndicator = `
-      <div class="chat-message ai-message typing" id="typing-indicator">
-        <div class="message-avatar">🤖</div>
-        <div class="message-content">Thinking...</div>
-      </div>
-    `;
-    chatMessages.innerHTML += typingIndicator;
+    appendAiMessage('Thinking...', { idAttr: 'typing-indicator', extraClass: 'typing' });
     chatMessages.scrollTop = chatMessages.scrollHeight;
 
     try {
@@ -406,25 +419,14 @@ class JaxWebUIRenderer {
 
       // Add AI response
       const aiResponse = response.result?.response || 'I encountered an error processing your request.';
-      chatMessages.innerHTML += `
-        <div class="chat-message ai-message">
-          <div class="message-avatar">🤖</div>
-          <div class="message-content">${aiResponse}</div>
-        </div>
-      `;
-
+      appendAiMessage(aiResponse);
       chatMessages.scrollTop = chatMessages.scrollHeight;
     } catch (error) {
       // Remove typing indicator
       const indicator = document.getElementById('typing-indicator');
       if (indicator) indicator.remove();
 
-      chatMessages.innerHTML += `
-        <div class="chat-message ai-message">
-          <div class="message-avatar">🤖</div>
-          <div class="message-content">Error: ${error.message}</div>
-        </div>
-      `;
+      appendAiMessage(`Error: ${error && error.message ? error.message : String(error)}`);
       chatMessages.scrollTop = chatMessages.scrollHeight;
     }
   }
diff --git a/tests/unit/test_file_write_guardrails.py b/tests/unit/test_file_write_guardrails.py
@@ -1127,26 +1127,29 @@ def test_prompt_user_for_access_yes(self, validator, tmp_path):
         outside = tmp_path.parent / "outside_test_prompt.txt"
         # Force interactive mode so the non-TTY guard added in #495 doesn't
         # short-circuit the input() prompt.
-        with patch("gaia.security._is_interactive", return_value=True), patch(
-            "builtins.input", return_value="y"
+        with (
+            patch("gaia.security._is_interactive", return_value=True),
+            patch("builtins.input", return_value="y"),
         ):
             result = validator._prompt_user_for_access(Path(outside))
         assert result is True
 
     def test_prompt_user_for_access_no(self, validator, tmp_path):
         """Verify _prompt_user_for_access with 'n' denies access."""
         outside = tmp_path.parent / "outside_denied.txt"
-        with patch("gaia.security._is_interactive", return_value=True), patch(
-            "builtins.input", return_value="n"
+        with (
+            patch("gaia.security._is_interactive", return_value=True),
+            patch("builtins.input", return_value="n"),
         ):
             result = validator._prompt_user_for_access(Path(outside))
         assert result is False
 
     def test_prompt_user_for_access_always(self, validator, tmp_path):
         """Verify _prompt_user_for_access with 'a' grants and persists access."""
         outside = tmp_path.parent / "outside_always.txt"
-        with patch("gaia.security._is_interactive", return_value=True), patch(
-            "builtins.input", return_value="a"
+        with (
+            patch("gaia.security._is_interactive", return_value=True),
+            patch("builtins.input", return_value="a"),
         ):
             with patch.object(validator, "_save_persisted_path") as mock_save:
                 result = validator._prompt_user_for_access(Path(outside))
@@ -1156,9 +1159,10 @@ def test_prompt_user_for_access_always(self, validator, tmp_path):
     def test_prompt_user_for_access_non_interactive_denies(self, validator, tmp_path):
         """Non-TTY contexts auto-deny without ever calling input()."""
         outside = tmp_path.parent / "outside_non_tty.txt"
-        with patch("gaia.security._is_interactive", return_value=False), patch(
-            "builtins.input"
-        ) as mock_input:
+        with (
+            patch("gaia.security._is_interactive", return_value=False),
+            patch("builtins.input") as mock_input,
+        ):
             result = validator._prompt_user_for_access(Path(outside))
         assert result is False
         mock_input.assert_not_called()
@@ -1167,8 +1171,9 @@ def test_prompt_overwrite_yes(self, validator, tmp_path):
         """Verify _prompt_overwrite with 'y' returns True."""
         existing = tmp_path / "overwrite_prompt.txt"
         existing.write_text("data")
-        with patch("gaia.security._is_interactive", return_value=True), patch(
-            "builtins.input", return_value="y"
+        with (
+            patch("gaia.security._is_interactive", return_value=True),
+            patch("builtins.input", return_value="y"),
         ):
             result = validator._prompt_overwrite(existing, existing.stat().st_size)
         assert result is True
@@ -1177,8 +1182,9 @@ def test_prompt_overwrite_no(self, validator, tmp_path):
         """Verify _prompt_overwrite with 'n' returns False."""
         existing = tmp_path / "overwrite_no.txt"
         existing.write_text("data")
-        with patch("gaia.security._is_interactive", return_value=True), patch(
-            "builtins.input", return_value="n"
+        with (
+            patch("gaia.security._is_interactive", return_value=True),
+            patch("builtins.input", return_value="n"),
         ):
             result = validator._prompt_overwrite(existing, existing.stat().st_size)
         assert result is False
@@ -1187,9 +1193,10 @@ def test_prompt_overwrite_non_interactive_approves(self, validator, tmp_path):
         """Non-TTY contexts auto-approve overwrite (relies on backup)."""
         existing = tmp_path / "overwrite_non_tty.txt"
         existing.write_text("data")
-        with patch("gaia.security._is_interactive", return_value=False), patch(
-            "builtins.input"
-        ) as mock_input:
+        with (
+            patch("gaia.security._is_interactive", return_value=False),
+            patch("builtins.input") as mock_input,
+        ):
             result = validator._prompt_overwrite(existing, existing.stat().st_size)
         assert result is True
         mock_input.assert_not_called()
diff --git a/tests/unit/test_security_edge_cases.py b/tests/unit/test_security_edge_cases.py
@@ -209,8 +209,9 @@ def test_prompt_overwrite_yes(self, validator, tmp_path):
         target = tmp_path / "file.txt"
         target.write_text("data")
 
-        with patch("gaia.security._is_interactive", return_value=True), patch(
-            "builtins.input", return_value="y"
+        with (
+            patch("gaia.security._is_interactive", return_value=True),
+            patch("builtins.input", return_value="y"),
         ):
             result = validator._prompt_overwrite(target, 100)
 
@@ -221,8 +222,9 @@ def test_prompt_overwrite_no(self, validator, tmp_path):
         target = tmp_path / "file.txt"
         target.write_text("data")
 
-        with patch("gaia.security._is_interactive", return_value=True), patch(
-            "builtins.input", return_value="n"
+        with (
+            patch("gaia.security._is_interactive", return_value=True),
+            patch("builtins.input", return_value="n"),
         ):
             result = validator._prompt_overwrite(target, 100)
 
@@ -233,8 +235,9 @@ def test_prompt_overwrite_yes_full_word(self, validator, tmp_path):
         target = tmp_path / "file.txt"
         target.write_text("data")
 
-        with patch("gaia.security._is_interactive", return_value=True), patch(
-            "builtins.input", return_value="yes"
+        with (
+            patch("gaia.security._is_interactive", return_value=True),
+            patch("builtins.input", return_value="yes"),
         ):
             result = validator._prompt_overwrite(target, 100)
 
@@ -245,8 +248,9 @@ def test_prompt_overwrite_no_full_word(self, validator, tmp_path):
         target = tmp_path / "file.txt"
         target.write_text("data")
 
-        with patch("gaia.security._is_interactive", return_value=True), patch(
-            "builtins.input", return_value="no"
+        with (
+            patch("gaia.security._is_interactive", return_value=True),
+            patch("builtins.input", return_value="no"),
         ):
             result = validator._prompt_overwrite(target, 100)
 
@@ -258,8 +262,9 @@ def test_prompt_overwrite_invalid_then_yes(self, validator, tmp_path):
         target.write_text("data")
 
         # Simulate: "maybe" -> "xxx" -> "y"
-        with patch("gaia.security._is_interactive", return_value=True), patch(
-            "builtins.input", side_effect=["maybe", "xxx", "y"]
+        with (
+            patch("gaia.security._is_interactive", return_value=True),
+            patch("builtins.input", side_effect=["maybe", "xxx", "y"]),
         ):
             result = validator._prompt_overwrite(target, 200)
 
@@ -271,8 +276,9 @@ def test_prompt_overwrite_invalid_then_no(self, validator, tmp_path):
         target.write_text("data")
 
         # Simulate: "" -> "asdf" -> "n"
-        with patch("gaia.security._is_interactive", return_value=True), patch(
-            "builtins.input", side_effect=["", "asdf", "n"]
+        with (
+            patch("gaia.security._is_interactive", return_value=True),
+            patch("builtins.input", side_effect=["", "asdf", "n"]),
         ):
             result = validator._prompt_overwrite(target, 50)
 
@@ -291,8 +297,9 @@ def test_prompt_overwrite_prints_file_info(self, validator, tmp_path):
                 " ".join(str(x) for x in a)
             ),
         ):
-            with patch("gaia.security._is_interactive", return_value=True), patch(
-                "builtins.input", return_value="y"
+            with (
+                patch("gaia.security._is_interactive", return_value=True),
+                patch("builtins.input", return_value="y"),
             ):
                 validator._prompt_overwrite(target, 2048)
 
@@ -307,9 +314,10 @@ def test_prompt_overwrite_non_interactive_approves_with_backup(
         target = tmp_path / "file.txt"
         target.write_text("data")
 
-        with patch("gaia.security._is_interactive", return_value=False), patch(
-            "builtins.input"
-        ) as mock_input:
+        with (
+            patch("gaia.security._is_interactive", return_value=False),
+            patch("builtins.input") as mock_input,
+        ):
             result = validator._prompt_overwrite(target, 100)
 
         assert result is True
