Garry Tan 47a8277567 security: fix path validation bypass, CORS restriction, cookie-import path check ...

- startsWith('/tmp') matched '/tmpevil' — now requires trailing slash
- CORS Access-Control-Allow-Origin changed from * to http://127.0.0.1:<port>
- cookie-import now validates file paths (was missing validateReadPath)
- 3 new tests for prefix collision and cookie-import path traversal

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-12 20:49:34 -07:00

..

browser-manager.ts

feat: wire cookie-import-browser into browse server

2026-03-12 18:27:33 -07:00

buffers.ts

Phase 2: Enhanced browser — dialog handling, upload, state checks, snapshots

2026-03-12 13:33:43 -07:00

cli.ts

feat: wire cookie-import-browser into browse server

2026-03-12 18:27:33 -07:00

cookie-import-browser.ts

feat: cookie-import-browser — Chromium cookie decryption module + tests

2026-03-12 18:27:22 -07:00

cookie-picker-routes.ts

security: fix path validation bypass, CORS restriction, cookie-import path check

2026-03-12 20:49:34 -07:00

cookie-picker-ui.ts

feat: cookie picker web UI + route handler

2026-03-12 18:27:27 -07:00

meta-commands.ts

security: fix path validation bypass, CORS restriction, cookie-import path check

2026-03-12 20:49:34 -07:00

read-commands.ts

security: fix path validation bypass, CORS restriction, cookie-import path check

2026-03-12 20:49:34 -07:00

server.ts

feat: wire cookie-import-browser into browse server

2026-03-12 18:27:33 -07:00

snapshot.ts

Phase 2: Enhanced browser — dialog handling, upload, state checks, snapshots

2026-03-12 13:33:43 -07:00

write-commands.ts

security: fix path validation bypass, CORS restriction, cookie-import path check

2026-03-12 20:49:34 -07:00