fix: security vulnerabilities and add CI/testing infrastructure #39

Merged
johnwaldo merged 1 commit into main from fix/security-issues-and-ci
Feb 26, 2026

Conversation

@johnwaldo
Owner

Summary

This PR addresses all open security and quality issues:

Security Fixes

  1. Security: Command injection risk in agent dispatch endpoint #18: Command injection risk in agent dispatch endpoint

    • Sanitize body.command to reject shell metacharacters (;&|\$(){}[]<>!#*?"'`)
    • Validate workDir against allowed directories (aidevopsDir, workspaceDir, gitDir, etc.)
    • Add maximum command length (2000 chars)
  2. Security: Localhost auth bypass via X-Forwarded-For spoofing #19: Localhost auth bypass via X-Forwarded-For spoofing

    • Add DASHBOARD_TRUST_PROXY config (default: false)
    • Only trust proxy headers (X-Forwarded-For, X-Real-IP) when explicitly enabled
    • This prevents remote attackers from spoofing 127.0.0.1 to bypass auth
  3. Security: CORS allows all origins (no production restriction) #20: CORS allows all origins in production

    • Add NODE_ENV / DASHBOARD_ENV detection
    • Restrict CORS to known origins in production
    • Add DASHBOARD_ALLOWED_ORIGINS config for whitelisting

Quality Improvements

  1. Add CI pipeline (lint, typecheck, build) #22: Add CI pipeline

    • Add GitHub Actions workflow (.github/workflows/ci.yml)
    • Runs: ESLint, TypeScript typecheck, Build
    • Add typecheck script to client
  2. Add test suite — zero test coverage currently #21: Add test suite

    • Add bun:test for server-side tests
    • Add security.test.ts with validation tests
    • Fix TypeScript errors in client components

Testing

  • ✅ Build passes (bun run build)
  • ✅ Typecheck passes (bun run typecheck)
  • ✅ Tests pass (bun test)
  • ✅ Lint has warnings but no blocking errors

Breaking Changes

  • DASHBOARD_TRUST_PROXY now defaults to false — ensure your setup works correctly
  • CORS more restrictive in production — add allowed origins via DASHBOARD_ALLOWED_ORIGINS

Security fixes:
- #18: Command injection risk in agent dispatch endpoint
  - Sanitize command to reject shell metacharacters
  - Validate workDir against allowed directories
  - Add maximum command length limit
- #19: Localhost auth bypass via X-Forwarded-For spoofing
  - Add DASHBOARD_TRUST_PROXY config (default: false)
  - Only trust proxy headers when explicitly enabled
- #20: CORS allows all origins in production
  - Add NODE_ENV/DASHBOARD_ENV detection
  - Restrict CORS to known origins in production
  - Add DASHBOARD_ALLOWED_ORIGINS config

Quality improvements:
- #22: Add CI pipeline (GitHub Actions)
  - Lint + typecheck + build workflow
- #21: Add test suite
  - Add bun:test for server-side tests
  - Add typecheck script to client
  - Fix TypeScript errors in client code
@johnwaldo johnwaldo merged commit 2d8bf2f into main Feb 26, 2026
2 of 3 checks passed
@johnwaldo johnwaldo deleted the fix/security-issues-and-ci branch February 26, 2026 13:44
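
The behaviour described for #19, as an added example that is not code from this PR or the project: a client-IP resolver that ignores X-Forwarded-For and X-Real-IP unless a trust-proxy flag is set. The function names, the lower-cased header map, and the single appending proxy are assumptions made for illustration.

```typescript
// Added example; names are hypothetical and not taken from the project.
type HeaderMap = Record<string, string | undefined>; // assumed: lower-cased header names

interface ProxyConfig {
  trustProxy: boolean; // stands in for DASHBOARD_TRUST_PROXY (default: false)
}

const LOOPBACK = new Set<string>(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

// socketAddr is the TCP peer address reported by the server runtime.
function resolveClientIp(socketAddr: string, headers: HeaderMap, cfg: ProxyConfig): string {
  // Default: proxy headers are request data the sender controls, so ignore them.
  if (!cfg.trustProxy) return socketAddr;

  const xff = headers["x-forwarded-for"];
  if (xff) {
    // Assumption: one trusted proxy that appends the peer it saw.
    // The last entry is then the proxy's; earlier entries came from the client.
    const hops = xff.split(",").map((h) => h.trim()).filter((h) => h.length > 0);
    const last = hops.pop();
    if (last) return last;
  }
  const realIp = (headers["x-real-ip"] ?? "").trim();
  return realIp.length > 0 ? realIp : socketAddr;
}

function isLocalRequest(socketAddr: string, headers: HeaderMap, cfg: ProxyConfig): boolean {
  return LOOPBACK.has(resolveClientIp(socketAddr, headers, cfg));
}

// Constructed sample requests (documentation-range addresses).
function demo(): { directSpoof: boolean; prependedSpoof: string; loopback: boolean } {
  const spoofed: HeaderMap = { "x-forwarded-for": "127.0.0.1", "x-real-ip": "127.0.0.1" };
  return {
    // Remote peer sends its own headers; flag off, so it is not treated as local.
    directSpoof: isLocalRequest("203.0.113.7", spoofed, { trustProxy: false }),
    // Behind a proxy at 10.0.0.2 that appended the real peer to a forged value.
    prependedSpoof: resolveClientIp("10.0.0.2",
      { "x-forwarded-for": "127.0.0.1, 203.0.113.7" }, { trustProxy: true }),
    // A genuine loopback connection is still recognised without any headers.
    loopback: isLocalRequest("127.0.0.1", {}, { trustProxy: false }),
  };
}
```

With the flag enabled, the headers are only as reliable as the network path, so the service must be reachable solely through the proxy.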