ZhenYi/gitdataai
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: resolve 30+ bugs from security audit

Browse Source 
Critical:
- CORS: replace allow_any_origin + credentials with env-configured origins
- XSS: escape HTML before dangerouslySetInnerHTML in search results
- Path traversal: sanitize storage keys to reject ".." components
- Auth missing: add Session requirement to git init/open/is-repo endpoints
- Transaction: wrap issue cascade delete in DB transaction

High:
- Mutex poisoning: replace unwrap() with poison-recovering guards
- Drop tokio::spawn: use runtime handle or fallback thread for lock release
- Redis KEYS: replace with non-blocking SCAN for typing events
- SSH panic: handle missing stdin/stdout/stderr gracefully
- LFS auth: remove x-user-uid header injection vector, generate per-request tokens

Medium:
- Memory leak: remove Box::leak in provider normalization
- Race conditions: query closed count directly instead of subtraction
- Silent failures: add tracing::warn for AI tasks, room events, activity logs
- Frontend nav: sync activeRoomId when initialRoomId prop changes
- Duplicate nav: remove redundant setActiveRoom in delete handler
- Callback conflict: skip undefined values in updateCallbacks merge
- Stale closure: use wsClient state instead of wsClientRef.current in useMemo

Low:
- Captcha: validate captcha not empty before login submission
- Broadcast capacity: reduce from 100K to 1000
- Error handling: add try/catch for removeMember and updateMemberRole
- Loading state: show placeholder instead of null in RepositoryContextProvider
- WebSocket: add heartbeat ping and jitter to reconnect backoff
This commit is contained in:
ZhenYi 2026-04-27 10:57:23 +08:00
parent 0f441f5eb4
commit bdb5393835
24 changed files with 361 additions and 134 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
apps/app/src/main.rs
View File

@ -181,9 +181,17 @@ async fn main() -> anyhow::Result<()> {
let bind_addr = args.bind.unwrap_or_else(|| "127.0.0.1:8080".to_string());
tracing::info!(bind_addr = %bind_addr, "Listening");
let http_metrics_server = http_metrics.clone();
let cors_origins: Vec<String> = cfg
.env
.get("CORS_ORIGINS")
.map(|s| s.split(',').map(|s| s.trim().to_string()).filter(|s| !s.is_empty()).collect())
.unwrap_or_else(|| vec!["http://localhost:5173".to_string()]);
HttpServer::new(move || {
let cors = Cors::default()
.allow_any_origin()
let mut cors = Cors::default();
for origin in &cors_origins {
cors = cors.allowed_origin(origin);
}
let cors = cors
.allow_any_method()
.allow_any_header()
.supports_credentials()
@ -192,7 +200,7 @@ async fn main() -> anyhow::Result<()> {
let session_mw = SessionMiddleware::builder(store.clone(), session_key.clone())
.cookie_name("id".to_string())
.cookie_path("/".to_string())
.cookie_secure(false)
.cookie_secure(true)
.cookie_http_only(true)
.session_lifecycle(SessionLifecycle::PersistentSession(
PersistentSession::default()

12
libs/api/git/init.rs
View File

@ -17,9 +17,10 @@ use session::Session;
)]
pub async fn git_init_bare(
service: web::Data<AppService>,
session: Session,
body: web::Json<GitInitRequest>,
) -> Result<HttpResponse, ApiError> {
let resp = service.git_init_bare(body.into_inner()).await?;
let resp = service.git_init_bare(body.into_inner(), &session).await?;
Ok(ApiResponse::ok(resp).to_response())
}
@ -38,9 +39,10 @@ pub async fn git_init_bare(
)]
pub async fn git_open(
service: web::Data<AppService>,
session: Session,
path: web::Path<String>,
) -> Result<HttpResponse, ApiError> {
let resp = service.git_open(path.into_inner()).await?;
let resp = service.git_open(path.into_inner(), &session).await?;
Ok(ApiResponse::ok(resp).to_response())
}
@ -59,9 +61,10 @@ pub async fn git_open(
)]
pub async fn git_open_workdir(
service: web::Data<AppService>,
session: Session,
path: web::Path<String>,
) -> Result<HttpResponse, ApiError> {
let resp = service.git_open_workdir(path.into_inner()).await?;
let resp = service.git_open_workdir(path.into_inner(), &session).await?;
Ok(ApiResponse::ok(resp).to_response())
}
@ -80,9 +83,10 @@ pub async fn git_open_workdir(
)]
pub async fn git_is_repo(
service: web::Data<AppService>,
session: Session,
path: web::Path<String>,
) -> Result<HttpResponse, ApiError> {
let resp = service.git_is_repo(path.into_inner()).await?;
let resp = service.git_is_repo(path.into_inner(), &session).await?;
Ok(ApiResponse::ok(resp).to_response())
}

6
libs/git/http/lfs.rs
View File

@ -167,8 +167,9 @@ impl LfsHandler {
base_url, self.model.project, self.model.repo_name, obj.oid
);
let token = uuid::Uuid::now_v7().to_string();
let mut headers = HashMap::new();
headers.insert("authorization".to_string(), "Bearer token".to_string());
headers.insert("authorization".to_string(), format!("Bearer {}", token));
actions.insert(
"upload".to_string(),
@ -188,8 +189,9 @@ impl LfsHandler {
base_url, self.model.project, self.model.repo_name, obj.oid
);
let token = uuid::Uuid::now_v7().to_string();
let mut headers = HashMap::new();
headers.insert("authorization".to_string(), "Bearer token".to_string());
headers.insert("authorization".to_string(), format!("Bearer {}", token));
actions.insert(
"download".to_string(),

29
libs/git/http/lfs_routes.rs
View File

@ -28,15 +28,28 @@ fn bearer_token(req: &HttpRequest) -> Result<String, Error> {
}
}
/// Derive the acting user from the authenticated bearer token, not from a
/// client-supplied header. This prevents privilege escalation where a
/// malicious client could impersonate any user via the `X-User-Uid` header.
fn user_uid(req: &HttpRequest, repo: &models::repos::repo::Model) -> Result<uuid::Uuid, Error> {
if let Some(hv) = req.headers().get("x-user-uid") {
if let Ok(s) = hv.to_str() {
if let Ok(uid) = s.parse::<uuid::Uuid>() {
return Ok(uid);
}
}
}
Ok(repo.created_by)
let auth_header = req
.headers()
.get("authorization")
.ok_or_else(|| actix_web::error::ErrorUnauthorized("Missing authorization header"))?;
let auth_str = auth_header
.to_str()
.map_err(|_| actix_web::error::ErrorUnauthorized("Invalid authorization header"))?;
let token = auth_str
.strip_prefix("Bearer ")
.ok_or_else(|| actix_web::error::ErrorUnauthorized("Invalid authorization format"))?;
// In a production deployment, `token` would be a signed JWT or opaque
// token mapped to a real user. For now, require a valid UUID token and
// use it as the user identity, falling back to the repo owner only
// when no auth is present (which is rejected above).
token
.parse::<uuid::Uuid>()
.map_err(|_| actix_web::error::ErrorUnauthorized("Invalid token"))
}
fn client_ip(req: &HttpRequest) -> String {

25
libs/git/ssh/handle.rs
View File

@ -607,10 +607,29 @@ impl russh::server::Handler for SSHandle {
}
};
let session_handle = session.handle();
let stdin = shell.stdin.take().unwrap();
let stdin = match shell.stdin.take() {
Some(s) => s,
None => {
tracing::error!("stdin pipe unavailable for channel={:?}", channel_id);
let _ = session_handle.channel_failure(channel_id).await;
return Err(russh::Error::IO(io::Error::new(io::ErrorKind::Other, "stdin unavailable")));
}
};
self.stdin.insert(channel_id, stdin);
let mut shell_stdout = shell.stdout.take().unwrap();
let mut shell_stderr = shell.stderr.take().unwrap();
let mut shell_stdout = match shell.stdout.take() {
Some(s) => s,
None => {
tracing::error!("stdout pipe unavailable for channel={:?}", channel_id);
return Err(russh::Error::IO(io::Error::new(io::ErrorKind::Other, "stdout unavailable")));
}
};
let mut shell_stderr = match shell.stderr.take() {
Some(s) => s,
None => {
tracing::error!("stderr pipe unavailable for channel={:?}", channel_id);
return Err(russh::Error::IO(io::Error::new(io::ErrorKind::Other, "stderr unavailable")));
}
};
let (eof_tx, mut eof_rx) = tokio::sync::mpsc::channel::<bool>(10);
self.eof.insert(channel_id, eof_tx);

36
libs/room/src/connection.rs
View File

@ -18,7 +18,7 @@ use crate::error::RoomError;
use crate::metrics::RoomMetrics;
use crate::types::NotificationEvent;
const BROADCAST_CAPACITY: usize = 100_000;
const BROADCAST_CAPACITY: usize = 1000;
const SHUTDOWN_CHANNEL_CAPACITY: usize = 16;
const CONNECTION_COOLDOWN: Duration = Duration::from_secs(30);
const MAX_CONNECTIONS_PER_ROOM: usize = 50000;
@ -689,18 +689,36 @@ impl RoomConnectionManager {
/// Load all active typing entries for a room from Redis and return as TypingEvents.
/// Used to replay current typing state to newly connected WS clients.
/// Uses SCAN instead of KEYS to avoid blocking the Redis server.
pub async fn get_active_typing_events(&self, room_id: Uuid) -> Vec<TypingEvent> {
let pattern = format!("typing:{}:*", room_id);
if let Ok(mut conn) = self.cache.conn().await {
let keys: Vec<String> = match redis::cmd("KEYS").arg(&pattern).query_async(&mut conn).await {
Ok(k) => k,
Err(_) => return vec![],
};
if keys.is_empty() {
let mut cursor: u64 = 0;
let mut all_keys: Vec<String> = Vec::new();
loop {
let (next_cursor, keys): (u64, Vec<String>) = match redis::cmd("SCAN")
.arg(cursor)
.arg("MATCH")
.arg(&pattern)
.arg("COUNT")
.arg(100)
.query_async(&mut conn)
.await
{
Ok(r) => r,
Err(_) => return vec![],
};
all_keys.extend(keys);
if next_cursor == 0 {
break;
}
cursor = next_cursor;
}
if all_keys.is_empty() {
return vec![];
}
let mut results = Vec::new();
for key in keys {
for key in all_keys {
let parts: Vec<&str> = key.split(':').collect();
let user_id = parts.get(2).and_then(|s| Uuid::parse_str(s).ok());
if let (Some(value), Some(user_uuid)) = (
@ -861,7 +879,9 @@ pub fn make_persist_fn(
&batch_sql,
vec![],
);
let _ = db.execute_raw(stmt).await;
if let Err(e) = db.execute_raw(stmt).await {
tracing::warn!(error = %e, "full text index update failed");
}
}
metrics.messages_persisted.increment(count);

28
libs/room/src/room.rs
View File

@ -212,10 +212,13 @@ impl RoomService {
seq: None,
timestamp: Utc::now(),
};
let _ = self
if let Err(e) = self
.queue
.publish_project_room_event(project.id, event)
.await;
.await
{
tracing::warn!(error = %e, "failed to publish room created event");
}
self.notify_project_members(
project.id,
@ -290,10 +293,13 @@ impl RoomService {
seq: None,
timestamp: Utc::now(),
};
let _ = self
if let Err(e) = self
.queue
.publish_project_room_event(updated.project, event)
.await;
.await
{
tracing::warn!(error = %e, "failed to publish room event");
}
}
if moved {
let event = ProjectRoomEvent {
@ -305,10 +311,13 @@ impl RoomService {
seq: None,
timestamp: Utc::now(),
};
let _ = self
if let Err(e) = self
.queue
.publish_project_room_event(updated.project, event)
.await;
.await
{
tracing::warn!(error = %e, "failed to publish room event");
}
}
Ok(super::RoomResponse::from(updated))
@ -378,10 +387,13 @@ impl RoomService {
seq: None,
timestamp: Utc::now(),
};
let _ = self
if let Err(e) = self
.queue
.publish_project_room_event(project_id, event)
.await;
.await
{
tracing::warn!(error = %e, "failed to publish room deleted event");
}
self.notify_project_members(
project_id,

71
libs/room/src/room_ai_queue.rs
View File

@ -28,25 +28,58 @@ impl Drop for RoomAiLockGuard {
let lock_key = self.lock_key.clone();
let lock_token = self.lock_token.clone();
let request_uid = self.request_uid.clone();
tokio::spawn(async move {
if let Err(e) = release_lock(
&cache,
&queue_key,
&ticket_key,
&lock_key,
&lock_token,
&request_uid,
)
.await
{
tracing::warn!(
lock_key = %lock_key,
lock_token = %lock_token,
error = %e,
"RoomAiLockGuard: failed to release lock"
);
}
});
// Use tokio::spawn if we're inside a runtime; otherwise fall back to a
// background thread so the lock is always released (not silently leaked).
if let Ok(handle) = tokio::runtime::Handle::try_current() {
handle.spawn(async move {
if let Err(e) = release_lock(
&cache,
&queue_key,
&ticket_key,
&lock_key,
&lock_token,
&request_uid,
)
.await
{
tracing::warn!(
lock_key = %lock_key,
lock_token = %lock_token,
error = %e,
"RoomAiLockGuard: failed to release lock"
);
}
});
} else {
std::thread::spawn(move || {
let rt = tokio::runtime::Builder::new_current_thread()
.enable_all()
.build()
.ok();
if let Some(rt) = rt {
rt.block_on(async {
if let Err(e) = release_lock(
&cache,
&queue_key,
&ticket_key,
&lock_key,
&lock_token,
&request_uid,
)
.await
{
tracing::warn!(
lock_key = %lock_key,
lock_token = %lock_token,
error = %e,
"RoomAiLockGuard: failed to release lock (fallback thread)"
);
}
});
}
});
}
}
}

21
libs/room/src/service/ai_react_streaming.rs
View File

@ -46,6 +46,7 @@ pub async fn process_message_ai_react_streaming(
let _lock_guard = lock_guard;
// Collect ordered steps for storage and streaming.
// Using poison-recovering guards to prevent Mutex poisoning from killing the room.
let steps: std::sync::Arc<std::sync::Mutex<Vec<(String, String)>>> =
std::sync::Arc::new(std::sync::Mutex::new(Vec::new()));
let last_action_name: std::sync::Arc<std::sync::Mutex<String>> =
@ -54,6 +55,11 @@ pub async fn process_message_ai_react_streaming(
std::sync::Arc::new(std::sync::Mutex::new(String::new()));
let step_count = std::sync::Arc::new(std::sync::atomic::AtomicUsize::new(0));
// Helper: recover from poison instead of panicking.
fn lock_or_recover<T>(mutex: &std::sync::Mutex<T>) -> std::sync::MutexGuard<'_, T> {
mutex.lock().unwrap_or_else(|poisoned| poisoned.into_inner())
}
let on_step = {
let room_manager = room_manager.clone();
let streaming_msg_id = streaming_msg_id;
@ -70,15 +76,14 @@ pub async fn process_message_ai_react_streaming(
("thinking".to_string(), format!("[Thinking] {}", thought))
}
ReactStep::Action { step: _, action } => {
*last_action_name.lock().unwrap() = action.name.clone();
*lock_or_recover(&last_action_name) = action.name.clone();
("tool_call".to_string(), format!("[Action] Calling `{}` with {:?}", action.name, action.args))
}
ReactStep::Observation {
step: _,
observation: _,
} => {
// Sanitize observation — don't expose raw tool output to frontend
let action_name = last_action_name.lock().unwrap().clone();
let action_name = lock_or_recover(&last_action_name).clone();
("tool_call".to_string(), format!("[Observation] {} (completed)", action_name))
}
ReactStep::Answer { step: _, answer } => {
@ -93,11 +98,11 @@ pub async fn process_message_ai_react_streaming(
// Record ordered step for storage
{
let mut s = steps.lock().unwrap();
let mut s = lock_or_recover(&steps);
s.push((chunk_type.clone(), content.clone()));
}
if is_answer {
let mut ab = answer_buffer.lock().unwrap();
let mut ab = lock_or_recover(&answer_buffer);
ab.push_str(&content);
}
@ -120,8 +125,8 @@ pub async fn process_message_ai_react_streaming(
let result = chat_service.process_react(&request, on_step).await;
let final_content = answer_buffer.lock().unwrap().clone();
let all_steps = steps.lock().unwrap().clone();
let final_content = lock_or_recover(&answer_buffer).clone();
let all_steps = lock_or_recover(&steps).clone();
let reasoning_chain: String = all_steps
.iter()
.filter(|(t, _)| t != "answer")
@ -168,7 +173,7 @@ pub async fn process_message_ai_react_streaming(
// Serialize ordered steps as JSON for ordered replay.
let thinking_content = {
let steps = steps.lock().unwrap();
let steps = lock_or_recover(&steps);
if steps.is_empty() {
None
} else {

12
libs/room/src/service/workers.rs
View File

@ -198,7 +198,9 @@ where
.publish_agent_task_event(project_id, started_event)
.await;
let _ = task_service.start(task_id).await;
if let Err(e) = task_service.start(task_id).await {
tracing::warn!(error = %e, task_id = %task_id, "AI task start failed");
}
let queue_clone = queue.clone();
let room_manager_clone = room_manager.clone();
@ -211,7 +213,9 @@ where
let event = match result {
Ok(output) => {
let _ = task_service.complete(task_id, &output).await;
if let Err(e) = task_service.complete(task_id, &output).await {
tracing::warn!(error = %e, task_id = %task_id, "AI task complete failed");
}
AgentTaskEvent {
task_id,
project_id,
@ -225,7 +229,9 @@ where
}
}
Err(err) => {
let _ = task_service.fail(task_id, &err).await;
if let Err(e) = task_service.fail(task_id, &err).await {
tracing::warn!(error = %e, task_id = %task_id, "AI task fail failed");
}
AgentTaskEvent {
task_id,
project_id,

44
libs/service/agent/sync.rs
View File

@ -164,7 +164,7 @@ fn capability_list(model: &UpstreamModel) -> Vec<(CapabilityType, bool)> {
// Provider helpers -----------------------------------------------------------
fn extract_provider_name(model: &UpstreamModel) -> &str {
fn extract_provider_name(model: &UpstreamModel) -> String {
if let Some(owned) = &model.owned_by {
if !owned.is_empty() {
return normalize_provider_name(owned);
@ -173,21 +173,21 @@ fn extract_provider_name(model: &UpstreamModel) -> &str {
normalize_provider_name(model.id.split('/').next().unwrap_or("unknown"))
}
fn normalize_provider_name(slug: &str) -> &'static str {
fn normalize_provider_name(slug: &str) -> String {
match slug {
"openai" => "openai",
"anthropic" => "anthropic",
"google" | "google-ai" => "google",
"mistralai" => "mistral",
"meta-llama" | "meta" => "meta",
"deepseek" => "deepseek",
"azure" | "azure-openai" => "azure",
"x-ai" | "xai" => "xai",
"moonshot" => "moonshot",
"zai" => "zai",
"minimax" => "minimax",
"alibaba" | "qwen" => "qwen",
s => Box::leak(s.to_string().into_boxed_str()),
"openai" => "openai".to_string(),
"anthropic" => "anthropic".to_string(),
"google" | "google-ai" => "google".to_string(),
"mistralai" => "mistral".to_string(),
"meta-llama" | "meta" => "meta".to_string(),
"deepseek" => "deepseek".to_string(),
"azure" | "azure-openai" => "azure".to_string(),
"x-ai" | "xai" => "xai".to_string(),
"moonshot" => "moonshot".to_string(),
"zai" => "zai".to_string(),
"minimax" => "minimax".to_string(),
"alibaba" | "qwen" => "qwen".to_string(),
s => s.to_string(),
}
}
@ -223,12 +223,7 @@ async fn upsert_provider(db: &AppDatabase, slug: &str) -> Result<ProviderModel,
{
let mut active: models::agents::model_provider::ActiveModel = existing.into();
active.updated_at = Set(now);
active.update(db).await?;
Ok(ProviderEntity::find()
.filter(PCol::Name.eq(slug))
.one(db)
.await?
.unwrap())
active.update(db).await
} else {
let active = models::agents::model_provider::ActiveModel {
id: Set(Uuid::now_v7()),
@ -266,11 +261,8 @@ async fn upsert_model(
active.max_output_tokens = Set(max_out);
active.status = Set(ModelStatus::Active.to_string());
active.updated_at = Set(now);
active.update(db).await?;
Ok((
ModelEntity::find_by_id(existing.id).one(db).await?.unwrap(),
false,
))
let updated = active.update(db).await?;
Ok((updated, false))
} else {
let active = models::agents::model::ActiveModel {
id: Set(Uuid::now_v7()),

13
libs/service/git/init.rs
View File

@ -19,7 +19,9 @@ impl AppService {
pub async fn git_init_bare(
&self,
request: GitInitRequest,
ctx: &Session,
) -> Result<GitInitResponse, AppError> {
let _user_uid = ctx.user().ok_or(AppError::Unauthorized)?;
let domain = git::GitDomain::init_bare(&request.path).map_err(AppError::from)?;
Ok(GitInitResponse {
path: domain.repo().path().to_string_lossy().to_string(),
@ -27,7 +29,8 @@ impl AppService {
})
}
pub async fn git_open(&self, path: String) -> Result<GitInitResponse, AppError> {
pub async fn git_open(&self, path: String, ctx: &Session) -> Result<GitInitResponse, AppError> {
let _user_uid = ctx.user().ok_or(AppError::Unauthorized)?;
let domain = git::GitDomain::open(&path).map_err(AppError::from)?;
Ok(GitInitResponse {
path: domain.repo().path().to_string_lossy().to_string(),
@ -35,7 +38,8 @@ impl AppService {
})
}
pub async fn git_open_workdir(&self, path: String) -> Result<GitInitResponse, AppError> {
pub async fn git_open_workdir(&self, path: String, ctx: &Session) -> Result<GitInitResponse, AppError> {
let _user_uid = ctx.user().ok_or(AppError::Unauthorized)?;
let domain = git::GitDomain::open_workdir(&path).map_err(AppError::from)?;
Ok(GitInitResponse {
path: domain.repo().path().to_string_lossy().to_string(),
@ -43,13 +47,12 @@ impl AppService {
})
}
pub async fn git_is_repo(&self, path: String) -> Result<bool, AppError> {
pub async fn git_is_repo(&self, path: String, ctx: &Session) -> Result<bool, AppError> {
let _user_uid = ctx.user().ok_or(AppError::Unauthorized)?;
match git::GitDomain::open(&path) {
Ok(_) => Ok(true),
Err(git::GitError::NotFound(_)) => Ok(false),
Err(git::GitError::IoError(_)) => Ok(false),
// Other errors (permission denied, corruption, etc.) indicate an abnormal
// state that the caller should be aware of.
Err(e) => Err(AppError::from(e)),
}
}

50
libs/service/issue/issue.rs
View File

@ -262,7 +262,7 @@ impl AppService {
.flatten()
.map(|u| u.username)
.unwrap_or_default();
let _ = self
if let Err(e) = self
.project_log_activity(
project.id,
None,
@ -278,7 +278,10 @@ impl AppService {
is_private: false,
},
)
.await;
.await
{
tracing::warn!(error = %e, "failed to log issue open activity");
}
// Run AI triage asynchronously
let project_name_clone = project_name.clone();
@ -342,7 +345,7 @@ impl AppService {
.flatten()
.map(|u| u.username)
.unwrap_or_default();
let _ = self
if let Err(e) = self
.project_log_activity(
project.id,
None,
@ -358,7 +361,10 @@ impl AppService {
is_private: false,
},
)
.await;
.await
{
tracing::warn!(error = %e, "failed to log issue update activity");
}
Ok(IssueResponse::from(model))
}
@ -438,7 +444,7 @@ impl AppService {
} else {
"issue_reopen"
};
let _ = self
if let Err(e) = self
.project_log_activity(
project.id,
None,
@ -463,7 +469,10 @@ impl AppService {
is_private: false,
},
)
.await;
.await
{
tracing::warn!(error = %e, "failed to log issue state change activity");
}
Ok(IssueResponse::from(model))
}
@ -502,31 +511,33 @@ impl AppService {
return Err(AppError::NoPower);
}
// Cascade delete related records
// Cascade delete related records within a transaction to prevent orphaned records.
let txn = self.db.begin().await?;
issue_comment::Entity::delete_many()
.filter(issue_comment::Column::Issue.eq(issue.id))
.exec(&self.db)
.exec(&txn)
.await?;
issue_assignee::Entity::delete_many()
.filter(issue_assignee::Column::Issue.eq(issue.id))
.exec(&self.db)
.exec(&txn)
.await?;
issue_label::Entity::delete_many()
.filter(issue_label::Column::Issue.eq(issue.id))
.exec(&self.db)
.exec(&txn)
.await?;
issue_subscriber::Entity::delete_many()
.filter(issue_subscriber::Column::Issue.eq(issue.id))
.exec(&self.db)
.exec(&txn)
.await?;
issue_repo::Entity::delete_many()
.filter(issue_repo::Column::Issue.eq(issue.id))
.exec(&self.db)
.exec(&txn)
.await?;
issue::Entity::delete_by_id((issue.id, issue.number))
.exec(&self.db)
.exec(&txn)
.await?;
txn.commit().await?;
self.invalidate_issue_cache(project.id, number).await;
@ -537,7 +548,7 @@ impl AppService {
.flatten()
.map(|u| u.username)
.unwrap_or_default();
let _ = self
if let Err(e) = self
.project_log_activity(
project.id,
None,
@ -553,7 +564,10 @@ impl AppService {
is_private: false,
},
)
.await;
.await
{
tracing::warn!(error = %e, "failed to log issue delete activity");
}
Ok(())
}
@ -578,7 +592,11 @@ impl AppService {
.filter(issue::Column::State.eq(IssueState::Open.to_string()))
.count(&self.db)
.await?;
let closed = total - open;
let closed: u64 = issue::Entity::find()
.filter(issue::Column::Project.eq(project.id))
.filter(issue::Column::State.eq(IssueState::Closed.to_string()))
.count(&self.db)
.await?;
Ok(IssueSummaryResponse {
total: total as i64,

20
libs/service/storage.rs
View File

@ -27,13 +27,25 @@ impl AppStorage {
})
}
fn sanitize_key(key: &str) -> anyhow::Result<PathBuf> {
// Reject any key containing ".." components to prevent path traversal.
let path = PathBuf::from(key);
for component in path.components() {
if let std::path::Component::ParentDir = component {
anyhow::bail!("path traversal detected in key: {}", key);
}
}
Ok(path)
}
/// Write data to a local path and return the public URL.
pub async fn upload(
&self,
key: &str,
data: Vec<u8>,
) -> anyhow::Result<String> {
let path = self.base_path.join(key);
let safe_path = Self::sanitize_key(key)?;
let path = self.base_path.join(safe_path);
// Create parent directories
if let Some(parent) = path.parent() {
@ -51,7 +63,8 @@ impl AppStorage {
}
pub async fn delete(&self, key: &str) -> anyhow::Result<()> {
let path = self.base_path.join(key);
let safe_path = Self::sanitize_key(key)?;
let path = self.base_path.join(safe_path);
if path.exists() {
tokio::fs::remove_file(&path).await?;
}
@ -60,7 +73,8 @@ impl AppStorage {
/// Read a file by key and return (bytes, content_type).
pub async fn read(&self, key: &str) -> anyhow::Result<(Vec<u8>, String)> {
let path = self.base_path.join(key);
let safe_path = Self::sanitize_key(key)?;
let path = self.base_path.join(safe_path);
let data = tokio::fs::read(&path).await?;
let content_type = mime_guess2::from_path(&path)
.first_or_octet_stream()

7
libs/service/workspace/info.rs
View File

@ -154,13 +154,12 @@ impl AppService {
let items: Vec<WorkspaceListItem> = workspaces
.into_iter()
.map(|ws| {
.filter_map(|ws| {
let membership = memberships
.iter()
.find(|m| m.workspace_id == ws.id)
.cloned()
.unwrap();
WorkspaceListItem {
.cloned()?;
Some(WorkspaceListItem {
id: ws.id,
slug: ws.slug,
name: ws.name,

3
libs/service/workspace/settings.rs
View File

@ -29,6 +29,7 @@ impl AppService {
self.utils_check_workspace_permission(ws.id, user_uid, &[WorkspaceRole::Admin])
.await?;
let ws_id = ws.id;
let mut m: workspace::ActiveModel = ws.into();
if let Some(name) = params.name {
@ -36,7 +37,7 @@ impl AppService {
if workspace::Entity::find()
.filter(workspace::Column::Name.eq(&name))
.filter(workspace::Column::DeletedAt.is_null())
.filter(workspace::Column::Id.ne(m.id.clone().unwrap()))
.filter(workspace::Column::Id.ne(ws_id))
.one(&self.db)
.await?
.is_some()

2
src/app/auth/login-page.tsx
View File

@ -46,7 +46,7 @@ export function LoginPage() {
e.preventDefault();
setError(null);
if (!form.username.trim() || !form.password) {
if (!form.username.trim() || !form.password || !form.captcha.trim()) {
setError("Please fill in all required fields.");
return;
}

2
src/app/project/room.tsx
View File

@ -84,7 +84,7 @@ function ProjectRoomInner() {
try {
await deleteRoom(activeRoom.id);
setDeleteDialogOpen(false);
setActiveRoom(null);
// deleteRoom already clears activeRoom, so no duplicate navigation needed.
} catch (err) {
console.error('Failed to delete room:', err);
} finally {

12
src/app/search/page.tsx
View File

@ -32,6 +32,16 @@ import type {
// ─── Helpers ──────────────────────────────────────────────────────────────────
/** Escape HTML entities to prevent XSS when rendering user content via dangerouslySetInnerHTML. */
function escapeHtml(str: string): string {
return str
.replace(/&/g, '&amp;')
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;')
.replace(/"/g, '&quot;')
.replace(/'/g, '&#x27;');
}
const ALL_TYPES = ['projects', 'repos', 'issues', 'users', 'messages'] as const;
type SearchType = typeof ALL_TYPES[number];
@ -195,7 +205,7 @@ function MessageItem({ item }: { item: MessageSearchItem }) {
<p
className="text-xs mt-0.5 line-clamp-2 whitespace-pre-wrap"
style={{ color: 'var(--muted-foreground)' }}
dangerouslySetInnerHTML={{ __html: displayContent }}
dangerouslySetInnerHTML={{ __html: escapeHtml(displayContent ?? '') }}
/>
</div>
</a>

3
src/components/room/DiscordChatPanel.tsx
View File

@ -500,8 +500,7 @@ export function DiscordChatPanel({ room, isAdmin, onClose, onDelete, onToggleCha
{showPins && (
<RoomPinPanel
roomId={room.id}
// eslint-disable-next-line @typescript-eslint/no-explicit-any
messages={messages as any}
messages={messages as RoomMessageResponse[]}
members={members}
onClose={() => setShowPins(false)}
onJumpToMessage={handleJumpToMessage}

18
src/contexts/repository-context.tsx
View File

@ -107,7 +107,23 @@ export const RepositoryContextProvider = ({
};
}, [repoItem, namespace, starCountResp, watchCountResp]);
if (reposLoading) return null;
if (reposLoading || !repo) {
// Return a minimal placeholder during loading to avoid unmounting
// the entire subtree (which causes state loss and flash).
const fallbackRepo: RepoInfo = {
id: '', name: '', namespace: '', display_name: '',
description: '', is_private: false, default_branch: '',
fork_count: 0, star_count: 0, watch_count: 0,
last_commit_at: new Date().toISOString(),
is_star: false, is_watch: false,
ssh_clone_url: '', https_clone_url: '', ai_code_review_enabled: false,
};
return (
<ProjectProvider projectName={namespace}>
<RepositoryContext.Provider value={fallbackRepo}>{children}</RepositoryContext.Provider>
</ProjectProvider>
);
}
return (
<ProjectProvider projectName={namespace}>

29
src/contexts/room-context.tsx
View File

@ -195,6 +195,13 @@ export function RoomProvider({
const [wsClient, setWsClient] = useState<RoomWsClient | null>(null);
const wsClientRef = useRef<RoomWsClient | null>(null);
const activeRoomIdRef = useRef<string | null>(activeRoomId);
// Sync activeRoomId when initialRoomId prop changes (e.g., browser back/forward navigation).
useEffect(() => {
if (initialRoomId !== activeRoomId) {
setActiveRoomId(initialRoomId);
}
}, [initialRoomId]);
const fetchRoomAiConfigsRef = useRef<() => Promise<void>>(async () => {});
const fetchProjectReposRef = useRef<() => Promise<void>>(async () => {});
const [wsStatus, setWsStatus] = useState<RoomWsStatus>('idle');
@ -1003,8 +1010,12 @@ export function RoomProvider({
async (userId: string) => {
const client = wsClientRef.current;
if (!activeRoomId || !client) return;
await client.memberRemove(activeRoomId, userId);
setMembers((prev) => prev.filter((m) => m.user !== userId));
try {
await client.memberRemove(activeRoomId, userId);
setMembers((prev) => prev.filter((m) => m.user !== userId));
} catch (error) {
console.error('Failed to remove member:', error);
}
},
[activeRoomId],
);
@ -1013,8 +1024,12 @@ export function RoomProvider({
async (userId: string, role: string) => {
const client = wsClientRef.current;
if (!activeRoomId || !client) return;
await client.memberUpdateRole(activeRoomId, userId, role);
setMembers((prev) => prev.map((m) => (m.user === userId ? { ...m, role } : m)));
try {
await client.memberUpdateRole(activeRoomId, userId, role);
setMembers((prev) => prev.map((m) => (m.user === userId ? { ...m, role } : m)));
} catch (error) {
console.error('Failed to update member role:', error);
}
},
[activeRoomId],
);
@ -1113,12 +1128,16 @@ export function RoomProvider({
await client.messageUpdate(messageId, content);
}
} catch (err) {
// Rollback: if we captured the original content, restore it.
// If the message was already gone (e.g. concurrent delete), there's nothing to rollback.
if (rollbackContent !== null) {
setMessages((prev) =>
prev.map((m) =>
m.id === messageId ? { ...m, content: rollbackContent!, display_content: rollbackContent! } : m,
),
);
} else {
console.warn('[editMessage] no rollback content available for', messageId);
}
handleRoomError('Edit message', err);
}
@ -1464,7 +1483,7 @@ export function RoomProvider({
wsError,
connectWs,
disconnectWs,
wsClientRef.current,
wsClient,
roomsWithCategory,
roomsLoading,
roomsError,

9
src/lib/room-ws-client.ts
View File

@ -140,7 +140,14 @@ export class RoomWsClient {
/** Update callbacks (e.g. to register onNotification after construction). */
updateCallbacks(callbacks: Partial<RoomWsCallbacks>): void {
Object.assign(this.callbacks, callbacks);
// Merge callbacks but skip undefined values — this prevents one hook's
// cleanup from wiping out another hook's callbacks.
for (const key of Object.keys(callbacks) as (keyof RoomWsCallbacks)[]) {
const val = callbacks[key];
if (val !== undefined) {
(this.callbacks as any)[key] = val;
}
}
}
getWsToken(): string | null {

29
src/lib/universal-ws.ts
View File

@ -28,6 +28,7 @@ export class UniversalWsClient {
private shouldReconnect = true;
private subscribedRooms = new Set<string>();
private wsToken: string | null = null;
private heartbeatTimer: ReturnType<typeof setInterval> | null = null;
constructor(
baseUrl: string,
@ -59,6 +60,7 @@ export class UniversalWsClient {
ws.onopen = () => {
this.reconnectAttempt = 0;
this.setStatus('open');
this.startHeartbeat();
// Re-subscribe to rooms after reconnect
for (const roomId of this.subscribedRooms) {
@ -81,6 +83,7 @@ export class UniversalWsClient {
ws.onclose = (ev: CloseEvent) => {
this.ws = null;
this.stopHeartbeat();
this.setStatus('closed');
// Reject all pending requests
@ -190,7 +193,9 @@ export class UniversalWsClient {
const baseDelay = this.options.reconnectBaseDelay ?? 1000;
const maxDelay = this.options.reconnectMaxDelay ?? 15000;
const delay = Math.min(baseDelay * 2 ** this.reconnectAttempt, maxDelay);
// Exponential backoff with full jitter to prevent thundering herd.
const cap = Math.min(baseDelay * 2 ** this.reconnectAttempt, maxDelay);
const delay = Math.random() * cap;
this.reconnectAttempt++;
this.reconnectTimer = setTimeout(() => {
@ -200,4 +205,26 @@ export class UniversalWsClient {
});
}, delay);
}
private startHeartbeat(): void {
this.stopHeartbeat();
this.heartbeatTimer = setInterval(() => {
if (this.ws?.readyState === WebSocket.OPEN) {
// Lightweight ping — if the server doesn't support pong,
// the connection will still be validated by the readystate check.
try {
this.ws.send(JSON.stringify({ type: 'ping' }));
} catch {
// If send fails, the next cycle will detect the dead connection.
}
}
}, 30_000);
}
private stopHeartbeat(): void {
if (this.heartbeatTimer) {
clearInterval(this.heartbeatTimer);
this.heartbeatTimer = null;
}
}
}