Security hardening + gist UI fixes (#731)

mirror of https://github.com/tdurieux/anonymous_github.git synced 2026-06-29 18:50:00 +02:00

* security: harden against XSS, ReDoS, path traversal, and injection

Defensive fixes across the server, storage, and viewer:

- XSS (CWE-79): sanitise rendered notebooks with DOMPurify, escape file
  names interpolated into AngularJS expressions (escapeNgString), set
  Mermaid securityLevel to 'strict', and stop urlRel2abs from returning
  javascript:/vbscript:/data:text/html URLs.
- Path traversal / zip-slip (CWE-22/23/24): validate URL-derived path
  components before they reach the storage layer (file/webview routes +
  StorageBase.assertSafePath) and sanitise zip entry names on extract for
  both the filesystem and S3 backends.
- ReDoS (CWE-1333): escape anonymization terms with catastrophic
  backtracking shapes to literals instead of compiling them as regexes.
- Secret hardening (CWE-798): require SESSION_SECRET / OAuth creds / DB
  password in production, random dev SESSION_SECRET fallback.
- Rate-limit spoofing (CWE-290): derive request.ip via trust-proxy hop
  count instead of the client-settable cf-connecting-ip header.
- NoSQL injection (CWE-943): allow only plain field paths as admin sort keys.
- Reject malformed streamer requests missing required string fields.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(ui): make gists reachable/visible and clarify the ZIP button

- Gist & PR routes now accept a trailing slash (/gist/:id/:path*?), so the
  dashboard links (which end in "/") resolve to the gist/PR page instead of
  falling through to the 404 route (#725).
- Gist viewer picks the default tab after content loads, defaulting to
  "files" when files exist; previously the ng-init ran before the async
  load and a files-only gist rendered blank under the hidden comments tab.
- Explorer toolbar: relabel ZIP to "Full repo ZIP" with a tooltip, and add
  tooltips to Raw/Download clarifying they apply to the current file (#721).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix: report SAML-enforced orgs clearly instead of "token expired"

When a repo's organization enforces SAML SSO, GitHub returns a 403 whose
message differs from the OAuth-App-restriction case. That 403 fell through
to the generic handler and surfaced as "token_expired", pushing users to
re-login when the real fix is authorizing their token for the org. Detect
the "SAML enforcement" message and raise a dedicated, actionable error
instead (#379, #550).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* security: catch nested quantified groups in ReDoS guard and backslash path traversal

- hasCatastrophicBacktracking now scans across nested parens ([\s\S]*?)
  so shapes like ((a+))+ are detected; comment reframed as a heuristic
  backstop rather than a proof.
- file route path-traversal check now rejects backslash separators and a
  leading backslash, covering Windows-style "..\" payloads (CWE-22/25).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* chore(dev): track dev-proxy script, ignore .DS_Store and .claude/

scripts/dev-proxy.js is referenced by the "dev:ui" npm script but was
never committed, breaking the command on a fresh clone. Add it and
ignore local-only macOS/Claude Code files.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

This commit is contained in:

Thomas Durieux

2026-06-18 04:50:55 -07:00

committed by

GitHub

parent bdfcc56d81

commit e4ffd74068

21 changed files with 484 additions and 23 deletions

									
										public/script/utils.js
									
		+11
		-2
	
												View File
												
				@@ -54,12 +54,21 @@ function urlRel2abs(

				) {

				  /* Only accept commonly trusted protocols:

				   * Only data-image URLs are accepted, Exotic flavours (escaped slash,

				   * html-entitied characters) are not supported to keep the function fast */

				   * html-entitied characters) are not supported to keep the function fast.

				   * "javascript:" is intentionally NOT allowed — returning such a URL

				   * unchanged would let it reach an href attribute and execute on click

				   * (XSS, CWE-79). */

				  if (

				    /^(https?|file|ftps?|mailto|javascript|data:image\/[^;]{2,9};):/i.test(url)

				    /^(https?|file|ftps?|mailto|data:image\/[^;]{2,9};):/i.test(url)

				  ) {

				    return url; //Url is already absolute

				  }

				  // Block any other explicit scheme (javascript:, vbscript:, data:text/html,

				  // …) so it can't slip through as an "absolute" URL via the relative-path

				  // handling below.

				  if (/^\s*[a-z][a-z0-9+.-]*:/i.test(url)) {

				    return "";

				  }

				  if (url.substring(0, 2) == "//") return location.protocol + url;

				  else if (url.charAt(0) == "/") return baseUrl + url;