gitdataai

History

ZhenYi bdb5393835 fix: resolve 30+ bugs from security audit Critical: - CORS: replace allow_any_origin + credentials with env-configured origins - XSS: escape HTML before dangerouslySetInnerHTML in search results - Path traversal: sanitize storage keys to reject ".." components - Auth missing: add Session requirement to git init/open/is-repo endpoints - Transaction: wrap issue cascade delete in DB transaction High: - Mutex poisoning: replace unwrap() with poison-recovering guards - Drop tokio::spawn: use runtime handle or fallback thread for lock release - Redis KEYS: replace with non-blocking SCAN for typing events - SSH panic: handle missing stdin/stdout/stderr gracefully - LFS auth: remove x-user-uid header injection vector, generate per-request tokens Medium: - Memory leak: remove Box::leak in provider normalization - Race conditions: query closed count directly instead of subtraction - Silent failures: add tracing::warn for AI tasks, room events, activity logs - Frontend nav: sync activeRoomId when initialRoomId prop changes - Duplicate nav: remove redundant setActiveRoom in delete handler - Callback conflict: skip undefined values in updateCallbacks merge - Stale closure: use wsClient state instead of wsClientRef.current in useMemo Low: - Captcha: validate captcha not empty before login submission - Broadcast capacity: reduce from 100K to 1000 - Error handling: add try/catch for removeMember and updateMemberRole - Loading state: show placeholder instead of null in RepositoryContextProvider - WebSocket: add heartbeat ping and jitter to reconnect backoff	2026-04-27 10:57:23 +08:00
..
src	fix: resolve 30+ bugs from security audit	2026-04-27 10:57:23 +08:00
Cargo.toml	feat(observability): Phase 6 OTLP tracing + Prometheus metrics endpoint	2026-04-22 10:27:54 +08:00

ZhenYi bdb5393835 fix: resolve 30+ bugs from security audit

Critical:
- CORS: replace allow_any_origin + credentials with env-configured origins
- XSS: escape HTML before dangerouslySetInnerHTML in search results
- Path traversal: sanitize storage keys to reject ".." components
- Auth missing: add Session requirement to git init/open/is-repo endpoints
- Transaction: wrap issue cascade delete in DB transaction

High:
- Mutex poisoning: replace unwrap() with poison-recovering guards
- Drop tokio::spawn: use runtime handle or fallback thread for lock release
- Redis KEYS: replace with non-blocking SCAN for typing events
- SSH panic: handle missing stdin/stdout/stderr gracefully
- LFS auth: remove x-user-uid header injection vector, generate per-request tokens

Medium:
- Memory leak: remove Box::leak in provider normalization
- Race conditions: query closed count directly instead of subtraction
- Silent failures: add tracing::warn for AI tasks, room events, activity logs
- Frontend nav: sync activeRoomId when initialRoomId prop changes
- Duplicate nav: remove redundant setActiveRoom in delete handler
- Callback conflict: skip undefined values in updateCallbacks merge
- Stale closure: use wsClient state instead of wsClientRef.current in useMemo

Low:
- Captcha: validate captcha not empty before login submission
- Broadcast capacity: reduce from 100K to 1000
- Error handling: add try/catch for removeMember and updateMemberRole
- Loading state: show placeholder instead of null in RepositoryContextProvider
- WebSocket: add heartbeat ping and jitter to reconnect backoff

2026-04-27 10:57:23 +08:00

src

fix: resolve 30+ bugs from security audit

2026-04-27 10:57:23 +08:00

Cargo.toml

feat(observability): Phase 6 OTLP tracing + Prometheus metrics endpoint

2026-04-22 10:27:54 +08:00