Skip to content

Fix CodeQL code-scanning alerts#96

Merged
osswald merged 2 commits into
mainfrom
fix/codeql-alerts
Jul 3, 2026
Merged

Fix CodeQL code-scanning alerts#96
osswald merged 2 commits into
mainfrom
fix/codeql-alerts

Conversation

@osswald

@osswald osswald commented Jul 3, 2026

Copy link
Copy Markdown
Owner

Summary

  • Harden hosted Pi manager against path traversal by validating slugs (^[a-f0-9]{12}$) and resolving paths under fixed roots
  • Replace Math.random() UUID fallbacks in cloud frontend with a shared newUuid() util using crypto.randomUUID / crypto.getRandomValues
  • Add explicit permissions: contents: read to pr-gate.yml
  • Document intentional clear-text credential file writes with CodeQL suppression comments (Pi edge.env and hosted Pi compose files)
  • Add hosted-pi-manager pytest suite and CI job

Test plan

  • cloud/hosted-pi-manager pytest (11 tests)
  • cloud/frontend vitest (191 tests)
  • ./scripts/lint.sh
  • CodeQL re-scan closes all 16 open alerts after merge

Made with Cursor

Harden hosted Pi slug handling, replace Math.random UUID fallbacks with crypto-safe generation, add workflow permissions, and document intentional credential file writes.

Co-authored-by: Cursor <cursoragent@cursor.com>
@osswald osswald added the release:patch Patch release on merge (fixes) label Jul 3, 2026
@osswald osswald merged commit 44a257e into main Jul 3, 2026
23 checks passed
@osswald osswald deleted the fix/codeql-alerts branch July 3, 2026 14:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

release:patch Patch release on merge (fixes)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant