Skip to content

fix(web): sanitizeHref hardening + API path-segment encoding#96

Merged
ajianaz merged 1 commit into
developfrom
fix/frontend-security
Jul 8, 2026
Merged

fix(web): sanitizeHref hardening + API path-segment encoding#96
ajianaz merged 1 commit into
developfrom
fix/frontend-security

Conversation

@ajianaz

@ajianaz ajianaz commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

Addresses the valid security findings from cora scan in the frontend (web/).

Fixed

File Issue Fix
utils.ts sanitizeHref Backslash bypass — browsers normalize \/, so a relative-looking /\\evil.com resolved to protocol-relative //evil.com (off-site redirect) Reject any backslash outright
utils.ts sanitizeHref Tab/newline/CR smuggling — browsers strip them before parsing, so java\tscript: could slip a dangerous scheme past the check Strip [\t\n\r] before validating
api/client.ts Path traversal — slug/id/postId interpolated raw (/api/projects/${slug}), so .. could reach unintended routes (/api/projects/../auth/me) encodeURIComponent every path segment via a seg() helper

Bug fixes (same files)

  • board/[slug]/+page.svelte: initialized was referenced in onMount (line 84) before its declaration (line 179) — moved the declaration above onMount to remove the TDZ smell.
  • board/[slug]/+page.svelte: the v (vote) shortcut had convoluted/redundant auth logic — simplified to a single if (!authed) return; (matches the shortcut registry, where v is authRequired: true; Rungu has no anonymous voting).

Triaged as false positive

  • Cora flagged the vote-shortcut simplification as "may break voting for anonymous-allowed boards" — Rungu has no anonymous voting (toggle_vote requires CurrentUser backend-side, and v is registered authRequired: true). Not applicable.

Out of scope (separate concerns)

  • Perf: AttachmentGallery sequential uploads, CommentThread unbounded recursion, board search-debounce timer pattern
  • UX: admin client-side guard, login hard-nav, select-rollback on error

Checklist

  • npm run test (46 pass, +3 new sanitizeHref cases)
  • npm run check (svelte-check: 0 errors)
  • cora review (passed; 1 major = false positive, explained)

Security findings from cora scan (web/):

- utils.sanitizeHref: reject backslash (browser normalizes `\`→`/`,
  so `/\\evil.com` became protocol-relative `//evil.com` off-site
  redirect) and strip ASCII tab/newline/CR before checking (browser
  ignores them, allowing scheme smuggling like `java\tscript:`)
- api/client: encodeURIComponent every path segment (slug/id/postId/
  provider) to prevent path traversal via `..` reaching unintended
  routes (e.g. `/api/projects/../auth/me`)
- board/[slug]: move `initialized` declaration above onMount (TDZ
  smell — used at line 84, declared at 179); simplify 'v' vote
  shortcut to a single auth guard
- tests: sanitizeHref backslash + tab-smuggling cases
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

🔍 Cora AI Code Review

⚠️ Review recommended — warnings found.

🟡 Warning (1)

  • unknown:? — Cora AI review could not complete: LLM API returned status 401: {"error":"Insufficient balance"}
    . Review was skipped; no code quality issues were found by the automated check.

Review powered by cora-cli · BYOK · MIT

@ajianaz ajianaz merged commit 6395c77 into develop Jul 8, 2026
12 checks passed
@ajianaz ajianaz deleted the fix/frontend-security branch July 8, 2026 18:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant