Skip to content

feat: security hardening#1849

Open
paustint wants to merge 1 commit into
mainfrom
sec/harden-070626
Open

feat: security hardening#1849
paustint wants to merge 1 commit into
mainfrom
sec/harden-070626

Conversation

@paustint

@paustint paustint commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

feat(jetstream-desktop): enhance external URL handling with safe scheme checks

fix(jetstream-desktop): ensure file downloads use the correct basename for paths

fix(jetstream-desktop): improve notification service to use safe URL opening

fix(jetstream-desktop): update protocol service to use basename for download filenames

feat(jetstream-desktop): add utility for safe external URL opening

fix(web-extension): restrict message event handling to same-origin and window source

refactor(web-extension): remove external message listener to enhance security

fix(auth.db.service): improve logging and ensure correct session revocation

feat(sync.types): add maximum nesting depth check for sync data payloads

Copilot AI review requested due to automatic review settings July 8, 2026 15:48
Comment thread apps/geo-ip-api/src/main.ts Dismissed
Comment thread apps/geo-ip-api/src/main.ts Dismissed

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR implements a set of security hardening changes across the Electron desktop app, the browser extension, server auth/session handling, and sync payload validation, aligning the codebase with the remediation items documented in the new security review.

Changes:

  • Desktop: add safe-scheme external URL opening, block cross-origin navigations, and sanitize download filenames with basename().
  • Web extension: remove the onMessageExternal surface and tighten postMessage handling to same-origin + same-window.
  • Server/shared: tighten external session revocation scoping, add a max nesting depth guard for sync payloads, and harden geo-ip basic-auth comparison + request caps.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
SECURITY_REVIEW.md Adds a consolidated security review and remediation status tracking document.
libs/types/src/lib/sync/sync.types.ts Adds max nesting depth protection and caps on hashedKey/orgId in sync schemas.
libs/auth/server/src/lib/auth.db.service.ts Removes sensitive deviceId from logs and scopes external-session revocation to the owning user.
apps/jetstream-web-extension/src/extension-scripts/service-worker.ts Removes onMessageExternal handler to eliminate cross-extension session-fixation surface.
apps/jetstream-web-extension/src/extension-scripts/content-auth-script.ts Restricts message handling to same-origin and event.source === window.
apps/jetstream-desktop/src/utils/url.utils.ts Introduces openExternalSafe() with protocol allow-listing.
apps/jetstream-desktop/src/services/protocol.service.ts Applies basename() to will-download filenames before joining with the download directory.
apps/jetstream-desktop/src/services/notification.service.ts Routes notification actionUrl opening through openExternalSafe().
apps/jetstream-desktop/src/services/file-download.service.ts Applies basename() to download filenames when omitPrompt is enabled.
apps/jetstream-desktop/src/browser/browser.ts Adds navigation guards (will-navigate/will-redirect) and routes external opens through openExternalSafe().
apps/geo-ip-api/src/main.ts Adds constant-time-ish credential compare and caps lookup IP array size.

Comment thread libs/types/src/lib/sync/sync.types.ts
Comment thread apps/jetstream-desktop/src/utils/url.utils.ts
Comment thread apps/jetstream-desktop/src/browser/browser.ts Outdated
Comment thread libs/types/src/lib/sync/sync.types.ts
feat(jetstream-desktop): enhance external URL handling with safe scheme checks

fix(jetstream-desktop): ensure file downloads use the correct basename for paths

fix(jetstream-desktop): improve notification service to use safe URL opening

fix(jetstream-desktop): update protocol service to use basename for download filenames

feat(jetstream-desktop): add utility for safe external URL opening

fix(web-extension): restrict message event handling to same-origin and window source

refactor(web-extension): remove external message listener to enhance security

fix(auth.db.service): improve logging and ensure correct session revocation

feat(sync.types): add maximum nesting depth check for sync data payloads
Copilot AI review requested due to automatic review settings July 9, 2026 14:03
@paustint paustint force-pushed the sec/harden-070626 branch from 7937621 to b855221 Compare July 9, 2026 14:03

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

} catch {
// Surface the depth-cap breach as a normal Zod validation issue (clean 400) rather than a
// raw thrown Error that would bubble out of the transform as an unhandled 500.
ctx.addIssue('Sync record data exceeds the maximum allowed nesting depth');
Comment on lines +55 to +57
const usernameMatches = timingSafeStringCompare(username ?? '', ENV.GEO_IP_API_USERNAME ?? '');
const passwordMatches = timingSafeStringCompare(password ?? '', ENV.GEO_IP_API_PASSWORD ?? '');
if (!usernameMatches || !passwordMatches) {
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants