gitdataai/libs
ZhenYi bdb5393835 fix: resolve 30+ bugs from security audit
Critical:
- CORS: replace allow_any_origin + credentials with env-configured origins
- XSS: escape HTML before dangerouslySetInnerHTML in search results
- Path traversal: sanitize storage keys to reject ".." components
- Auth missing: add Session requirement to git init/open/is-repo endpoints
- Transaction: wrap issue cascade delete in DB transaction

High:
- Mutex poisoning: replace unwrap() with poison-recovering guards
- Drop tokio::spawn: use runtime handle or fallback thread for lock release
- Redis KEYS: replace with non-blocking SCAN for typing events
- SSH panic: handle missing stdin/stdout/stderr gracefully
- LFS auth: remove x-user-uid header injection vector, generate per-request tokens

Medium:
- Memory leak: remove Box::leak in provider normalization
- Race conditions: query closed count directly instead of subtraction
- Silent failures: add tracing::warn for AI tasks, room events, activity logs
- Frontend nav: sync activeRoomId when initialRoomId prop changes
- Duplicate nav: remove redundant setActiveRoom in delete handler
- Callback conflict: skip undefined values in updateCallbacks merge
- Stale closure: use wsClient state instead of wsClientRef.current in useMemo

Low:
- Captcha: validate captcha not empty before login submission
- Broadcast capacity: reduce from 100K to 1000
- Error handling: add try/catch for removeMember and updateMemberRole
- Loading state: show placeholder instead of null in RepositoryContextProvider
- WebSocket: add heartbeat ping and jitter to reconnect backoff
2026-04-27 10:57:23 +08:00
agent feat(room): inject repository details into AI system prompt on mention 2026-04-26 23:58:52 +08:00
agent-tool-derive
api fix: resolve 30+ bugs from security audit 2026-04-27 10:57:23 +08:00
avatar
config refactor(db): simplify read-replica to single connection for CNPG 2026-04-26 01:03:39 +08:00
db revert(db): remove check_compatibility — method not available in sqlx 0.8 2026-04-26 15:49:51 +08:00
email feat: add health endpoints and Prometheus metrics to git-hook and email-worker 2026-04-25 23:45:48 +08:00
fctool refactor(fctool): extract tool modules into standalone fctool crate 2026-04-26 23:58:16 +08:00
frontend feat(api): pre-compress static assets with brotli and gzip 2026-04-25 20:09:09 +08:00
git fix: resolve 30+ bugs from security audit 2026-04-27 10:57:23 +08:00
migrate feat: thinking_content column + first-project budget logic 2026-04-26 13:11:06 +08:00
models feat: thinking_content column + first-project budget logic 2026-04-26 13:11:06 +08:00
observability feat(observability): use human-readable log format for terminals 2026-04-26 16:39:03 +08:00
queue feat(room): store ordered streaming chunks + billing integration 2026-04-26 13:10:42 +08:00
room fix: resolve 30+ bugs from security audit 2026-04-27 10:57:23 +08:00
rpc chore(rpc): regenerate after removing metrics endpoints 2026-04-24 13:22:01 +08:00
service fix: resolve 30+ bugs from security audit 2026-04-27 10:57:23 +08:00
session feat(admin): add admin panel with billing alerts and model sync 2026-04-19 20:48:59 +08:00
session_manager perf: sequence generation Redis-only + session MGET batch 2026-04-24 00:04:27 +08:00
transport
webhook