Add security quick wins and lint workflow

Author: shadowbipnode

electron.js

@@ -8,6 +8,16 @@ const crypto = require('crypto');
 const https = require('https');
 
 let mainWindow;
+
+function isSafeExternalUrl(url) {
+  try {
+    const parsed = new URL(url);
+    return parsed.protocol === 'https:' || parsed.protocol === 'http:';
+  } catch {
+    return false;
+  }
+}
+
 let proxyProcess;
 
 // ============================================================
@@ -69,7 +79,9 @@ function createWindow() {
 
   // Link esterni si aprono nel browser di sistema
   mainWindow.webContents.setWindowOpenHandler(({ url }) => {
-    shell.openExternal(url);
+    if (isSafeExternalUrl(url)) {
+      shell.openExternal(url);
+    }
     return { action: 'deny' };
   });
 
@@ -568,7 +580,7 @@ ipcMain.handle('check-for-updates', async () => {
 
 // Apri link esterno
 ipcMain.handle('open-external', async (event, url) => {
-  if (typeof url === 'string' && (url.startsWith('https://') || url.startsWith('http://'))) {
+  if (typeof url === 'string' && isSafeExternalUrl(url)) {
     await shell.openExternal(url);
     return { success: true };
   }

eslint.config.js

@@ -5,9 +5,18 @@ import reactRefresh from 'eslint-plugin-react-refresh'
 import { defineConfig, globalIgnores } from 'eslint/config'
 
 export default defineConfig([
-  globalIgnores(['dist']),
+  globalIgnores([
+    'dist/**',
+    'release/**',
+    'node_modules/**',
+    'src.backup-*/**',
+    'src/**/*.backup*',
+    'src/**/*backup*',
+    'tools/**',
+  ]),
+
   {
-    files: ['**/*.{js,jsx}'],
+    files: ['src/**/*.{js,jsx}'],
     extends: [
       js.configs.recommended,
       reactHooks.configs.flat.recommended,
@@ -23,7 +32,30 @@ export default defineConfig([
       },
     },
     rules: {
-      'no-unused-vars': ['error', { varsIgnorePattern: '^[A-Z_]' }],
+      'no-unused-vars': ['warn', { varsIgnorePattern: '^[A-Z_]', argsIgnorePattern: '^_' }],
+      'no-empty': 'warn',
+      'no-control-regex': 'off',
+      'react-hooks/exhaustive-deps': 'warn',
+      'react-hooks/set-state-in-effect': 'off',
+    },
+  },
+
+  {
+    files: ['electron.js', 'preload.js', 'server.js', 'vite.config.js'],
+    extends: [js.configs.recommended],
+    languageOptions: {
+      ecmaVersion: 2020,
+      globals: {
+        ...globals.node,
+      },
+      parserOptions: {
+        ecmaVersion: 'latest',
+        sourceType: 'commonjs',
+      },
+    },
+    rules: {
+      'no-unused-vars': ['warn', { varsIgnorePattern: '^[A-Z_]', argsIgnorePattern: '^_' }],
+      'no-useless-escape': 'warn',
     },
   },
 ])

index.html

@@ -3,6 +3,10 @@
   <head>
     <meta charset="UTF-8" />
     <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self' http://127.0.0.1:3001 http://localhost:3001 http://127.0.0.1:11434 http://localhost:11434; object-src 'none'; base-uri 'self';"
+    />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>sysai-assistant</title>
   </head>