Conversation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Security fixes: - MED-6: Brain dump dialog: maxLength 25000, per-line truncation to 500 chars - LOW-4: Pre-import backup (.db.bak) before overwriting existing database - LOW-9: Gradle warns when key.properties missing (debug signing fallback) - LOW-10: firstWhere with orElse in deleteTask/completeTask/skipTask - LOW-12: URL text field maxLength 2048 - LOW-13: normalizeUrl validates host contains a dot (rejects garbage input) Bug fix (from PR #7 review comment): - Today's 5 "Done today" undo now passes restoreTo to preserve historical lastWorkedAt instead of erasing it to NULL Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9a811ae2f0
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| return trimmed; | ||
| final normalized = trimmed.contains('://') ? trimmed : 'https://$trimmed'; | ||
| final uri = Uri.tryParse(normalized); | ||
| if (uri == null || !uri.host.contains('.')) return null; |
There was a problem hiding this comment.
normalizeUrl now returns null for malformed non-empty input (for example, "https://" or "hello world"), but showEditUrlDialog treats null as “remove URL” and calls onUpdateUrl(null) on save/submit (leaf_task_detail.dart), so a user editing an existing link can silently delete it just by entering an invalid URL instead of getting a validation error. This is a behavior regression introduced by the new host.contains('.') guard.
Useful? React with 👍 / 👎.
…g link normalizeUrl returning null for non-empty invalid input (e.g. "hello world") was treated as "remove URL". Now distinguishes empty input (intentional removal) from invalid input (shows error snackbar). Fixes Codex review comment on PR #8. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 participant
Summary
maxLength: 25000total, per-line truncation to 500 chars.db.bakbackup before overwriting existing databasekey.propertiesmissing (debug signing fallback)firstWherewithorElseindeleteTask/completeTask/skipTaskmaxLength: 2048normalizeUrlvalidates host contains a dot (rejects garbage input like "hello world")restoreToto preserve historicallastWorkedAtdocs/SECURITY_REVIEW.mdRound 2 findingsDeferred to v1.1: HIGH-1 (file_picker CVE), MED-5 (R8/ProGuard), LOW-11 (share_plus)
Test plan
flutter test)flutter build linux)🤖 Generated with Claude Code