security: fix 6 critical/high vulnerabilities (ADR-068) #1436

Open
ruvnet wants to merge 2 commits into main from security/review-march-25
ruvnet (Owner) commented Mar 25, 2026

Summary

Comprehensive security audit of v3.5.43 codebase identified 30 vulnerabilities across CLI, plugins, and memory packages. This PR fixes the 6 most critical/high issues with minimal, focused changes.

Fixes Applied

| # | Severity | Fix | File |
|---|----------|-----|------|
| 1 | CRITICAL | Replace Math.random() UUID with crypto.randomUUID() | QESecurityBridge.ts |
| 2 | HIGH | Replace weak 32-bit hash with SHA-256 for HIPAA audit | healthcare mcp-tools.ts |
| 3 | HIGH | Add path traversal prevention in WASM loader | prime-radiant wasm-bridge.ts |
| 4 | CRITICAL | Add try-catch for JSON.parse in database provider | database-provider.ts |
| 5 | HIGH | Atomic file write (tmp+rename) in persistence | database-provider.ts |
| 6 | HIGH | safeParse helper for JSON.parse in 3 backends | sqlite/sqljs/agentdb-backend.ts |

Full Audit (ADR-068)

  • 30 total findings: 5 critical, 11 high, 10 medium, 4 low
  • 6 fixed in this PR, remaining tracked in ADR-068
  • Security strengths noted: SQL parameterization, SafeExecutor, PathValidator, bcrypt, crypto.randomBytes

Test plan

  • CLI build passes (tsc)
  • Healthcare plugin tests still pass
  • Memory backend tests still pass
  • No regressions in existing functionality

🤖 Generated with claude-flow
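
Fixes 4 to 6 in the table above combine two patterns: parsing stored JSON without letting a corrupt file crash the process, and persisting through a temp file plus rename. The sketch below is an added example, not code from this PR or the project; `safeParse` is named in the PR, but its signature here, `loadJson` and `atomicWriteJson` are assumptions.

```javascript
// Added example: hypothetical helpers, not the project's implementation.
const fs = require('node:fs');
const crypto = require('node:crypto');

// Parse JSON that may be corrupt or truncated; return `fallback` instead of throwing.
function safeParse(text, fallback) {
  try {
    return JSON.parse(text);
  } catch {
    return fallback;
  }
}

// Read a JSON store. A missing or unparseable file yields `fallback`;
// other I/O errors (for example EACCES) still propagate to the caller.
function loadJson(file, fallback) {
  let text;
  try {
    text = fs.readFileSync(file, 'utf8');
  } catch (err) {
    if (err.code === 'ENOENT') return fallback;
    throw err;
  }
  return safeParse(text, fallback);
}

// Write to a temp file in the same directory, fsync it, then rename over the target.
// On POSIX filesystems the rename is atomic, so a reader sees the old or the new
// file, never a partially written one.
function atomicWriteJson(file, data) {
  const payload = JSON.stringify(data); // serialize before touching the disk
  const tmp = `${file}.${crypto.randomUUID()}.tmp`;
  let fd;
  try {
    fd = fs.openSync(tmp, 'wx', 0o600); // 'wx': fail if the temp name already exists
    fs.writeFileSync(fd, payload);
    fs.fsyncSync(fd);
    fs.closeSync(fd);
    fd = undefined;
    fs.renameSync(tmp, file);
  } catch (err) {
    if (fd !== undefined) { try { fs.closeSync(fd); } catch { /* already closed */ } }
    fs.rmSync(tmp, { force: true }); // never leave a stray temp file behind
    throw err;
  }
}
```

The temp file must live in the same directory as the target: a rename across filesystems is not atomic and fails with `EXDEV`.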

ruvnet added 2 commits March 25, 2026 19:40
- Replace Math.random() UUID with crypto.randomUUID() (QESecurityBridge)
- Replace weak 32-bit hash with SHA-256 for HIPAA audit logging
- Add path traversal prevention in WASM loader
- Add try-catch + atomic write in database-provider persistence
- Add safeParse helper for JSON.parse in sqlite/sqljs/agentdb backends
- Document default-allow RBAC as explicit design decision
- Add ADR-068 documenting all 30 findings from security review

Co-Authored-By: claude-flow <ruv@ruv.net>

3-phase plan to implement config, deployment, migrate, claims,
and providers commands that were converted from fake stubs to
honest errors in v3.5.43.

Co-Authored-By: claude-flow <ruv@ruv.net>