
fix: resolve all 6 CodeQL security and quality alerts#88

Merged
TommiLindfors merged 1 commit into main from fix/codeql-security-alerts on Jun 7, 2026

Conversation

@TommiLindfors
Contributor

Resolves all 6 open CodeQL code scanning alerts.

Changes

evaluator.ts — Prototype pollution (alerts 5 & 6)

  • Use `Object.create(null)` instead of `{}` in `buildFactData` to prevent prototype pollution when fact_type paths contain `__proto__`, `constructor`, or `prototype`

check-anchors.ts — Bad tag filter + double escaping (alerts 1 & 4)

  • Allow whitespace before `>` in `</script>` / `</style>` closing tags (regex: `</script\s*>`)
  • Decode `&amp;` last in the entity decoding chain to prevent double-unescaping (`&amp;lt;` → `&lt;` → `<`)

validate.ts — Incomplete sanitization + double escaping (alerts 2 & 3)

  • Loop HTML comment stripping (<!-- -->) until stable, preventing crafted nested markers from surviving a single pass
  • Decode `&amp;` last (same fix as check-anchors)

Testing

All 142 tests pass. The one flaky test (`EPERM` on `rmSync` in `afterEach`) is a pre-existing Dropbox file-locking issue unrelated to these changes.
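The three hardening patterns the description above lists, as an added example that is not the project's code: the weak form sits beside the corrected one for each, and the function names (`decodeEntities`, `stripComments`, `buildFactData`) are stand-ins, not the project's real identifiers.

```typescript
// Added example, not the project's code: the three hardening patterns this PR
// describes, weak form beside fixed form. Function names are stand-ins.

// 1. Entity decoding order. Decoding &amp; first manufactures entities that the
//    later replacements then decode: "&amp;lt;" -> "&lt;" -> "<".
function decodeEntitiesUnsafe(s: string): string {
  return s.replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">");
}
//    Fixed: &amp; last, so "&amp;lt;" decodes to the literal text "&lt;".
function decodeEntities(s: string): string {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// 2. HTML comment stripping. One pass over "<!-<!-- -->- x -->" removes only
//    the inner comment and leaves "<!-- x -->": fresh markers survive.
function stripCommentsOnce(s: string): string {
  return s.replace(/<!--[\s\S]*?-->/g, "");
}
//    Fixed: repeat until a pass changes nothing.
function stripComments(s: string): string {
  let prev: string;
  do {
    prev = s;
    s = stripCommentsOnce(s);
  } while (s !== prev);
  return s;
}

// 3. Nested object from a dotted fact_type path. With a {} root, the key
//    "__proto__" walks into Object.prototype and the final assignment pollutes
//    every object; a null-prototype root has no inherited __proto__ accessor,
//    so the same key just becomes a harmless own property.
function buildFactData(path: string, value: unknown): Record<string, unknown> {
  const root: Record<string, unknown> = Object.create(null);
  const keys = path.split(".");
  let cur = root;
  for (const key of keys.slice(0, -1)) {
    let next = cur[key];
    if (typeof next !== "object" || next === null) {
      next = Object.create(null);
      cur[key] = next;
    }
    cur = next as Record<string, unknown>;
  }
  cur[keys[keys.length - 1]] = value;
  return root;
}
```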

@TommiLindfors TommiLindfors enabled auto-merge (squash) June 7, 2026 06:18
- evaluator.ts: use Object.create(null) to prevent prototype pollution
  in buildFactData when fact_type paths contain __proto__ (alerts 5, 6)
- check-anchors.ts: allow whitespace in </script > closing tags and
  decode &amp; last to prevent double-unescaping (alerts 1, 4)
- validate.ts: loop HTML comment stripping until stable and decode
  &amp; last to prevent double-unescaping (alerts 2, 3)
@TommiLindfors TommiLindfors force-pushed the fix/codeql-security-alerts branch from 254caa1 to 5abe1c0 June 7, 2026 06:22
@TommiLindfors TommiLindfors merged commit 52a9042 into main Jun 7, 2026
6 checks passed
@TommiLindfors TommiLindfors deleted the fix/codeql-security-alerts branch June 7, 2026 06:24
