gstack

mirror of https://github.com/garrytan/gstack.git synced 2026-05-02 11:45:20 +02:00

Files

T

Garry Tan dfe946fe64 fix(security): CSS injection guard, timeout clamping, session validation, tests (#806 )

Community PR #806 by @mr-k-man (security audit round 2, new parts only).

- CSS value validation (DANGEROUS_CSS) in cdp-inspector, write-commands, extension inspector
- Queue file permissions (0o700/0o600) in cli, server, sidebar-agent
- escapeRegExp for frame --url ReDoS fix
- Responsive screenshot path validation with validateOutputPath
- State load cookie filtering (reject localhost/.internal/metadata cookies)
- Session ID format validation in loadSession
- /health endpoint: remove currentUrl and currentMessage fields
- QueueEntry interface + isValidQueueEntry validator for sidebar-agent
- SIGTERM->SIGKILL escalation in timeout handler
- Viewport dimension clamping (1-16384), wait timeout clamping (1s-300s)
- Cookie domain validation in cookie-import and cookie-import-browser
- DocumentFragment-based tab switching (XSS fix in sidepanel)
- pollInProgress reentrancy guard for pollChat
- toggleClass/injectCSS input validation in extension inspector
- Snapshot annotated path validation with realpathSync
- 714-line security-audit-r2.test.ts + 33-line learnings-injection.test.ts

Co-Authored-By: mr-k-man <mr-k-man@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-05 23:26:35 -07:00

icons

feat: headed mode + sidebar agent + Chrome extension (v0.12.0) (#517 )

2026-03-26 11:15:24 -06:00

background.js

fix(security): IPv6 ULA blocking, cookie redaction, per-tab cancel, targeted token (#664 )

2026-04-05 22:58:06 -07:00

content.css

feat: headed mode + sidebar agent + Chrome extension (v0.12.0) (#517 )

2026-03-26 11:15:24 -06:00

content.js

feat: GStack Browser — double-click AI browser with anti-bot stealth (#695 )