fix(security): audit fixes — storage masking defaults, page-bridge target origin, CI permissions#362
Merged
Merged
Conversation
…gin, CI permissions Security audit fixes: - storage source: mask secret-looking keys (token/secret/password/auth/jwt/ api-key/credential/session-id/cookie/private) by default via new maskSensitiveKeys option (default true). Previously all localStorage keys — including auth tokens — were captured verbatim into AI context unless the app explicitly configured omitKeys/maskKeys. - mcp page bridge: never post responses with a wildcard '*' targetOrigin. Previously an empty event.origin fell back to '*', which could broadcast context packets to any origin. Now falls back to the bridge window's own origin and drops the response when no origin is known, with a regression test. - CI: add least-privilege permissions (contents: read) to the three workflows that ran with default token permissions (test_unit, test_e2e, static_quality).
icon-light-32x32.png and icon-dark-32x32.png were byte-identical 182KB copies of avatar.png (not actually 32x32) and referenced nowhere in the repo.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
@askable-ui/angular
@askable-ui/context
@askable-ui/core
@askable-ui/create-app
@askable-ui/mcp
@askable-ui/qwik
@askable-ui/react
@askable-ui/react-native
@askable-ui/solid
@askable-ui/svelte
@askable-ui/vue
@askable-ui/web-component
commit: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Full-repo security + bloat audit. Three confirmed issues fixed, one bloat cleanup, and a clean bill of health on the rest (details below).
Fixes
1. Storage source captured secrets by default (privacy, medium-high)
createAskableStorageSource()with no options captured every localStorage key verbatim — auth tokens, JWTs, session ids — straight into AI context / MCP responses. NewmaskSensitiveKeysoption (defaulttrue) masks values whose keys match token/secret/password/auth/jwt/api-key/credential/session-id/cookie/private, composing with the existingmaskKeys. Opt out withmaskSensitiveKeys: false. 4 new tests (incl. masking even for explicitly-listed keys).2. Page bridge could post packets with
targetOrigin: '*'(medium)resolveAskableMcpPageBridgeTargetOriginfell back to'*'whenevent.originwas empty — the classic postMessage broadcast leak for exactly the data this library exists to protect. Now falls back to the bridge window's own origin and drops the response entirely when no origin is known. Regression test added.3. Three CI workflows ran with default token permissions (low)
test_unit.yml,test_e2e.yml,static_quality.ymlhad nopermissions:block. Added least-privilegecontents: read(matching the already-hardened publish workflows).4. Bloat: 364 KB of unreferenced duplicate assets
examples/analytics-dashboard-react/public/icon-{light,dark}-32x32.pngwere byte-identical 182 KB copies ofavatar.png(not actually 32×32), referenced nowhere. Deleted.Audited and clean (no action needed)
innerHTML/insertAdjacentHTML/document.write/eval/new Function/dangerouslySetInnerHTMLin any package source; capture/selection/inspector overlays build DOM exclusively viacreateElement+textContent; React/Solid inspectors render via JSX/text.data-askableJSON is spread shallowly, never deep-merged.github.event.*interpolation goes throughenv:indirection (no script injection); publish uses OIDC provenance with minimal permissions; nopull_request_target.npm audit --omit=dev— 0 vulnerabilities.node_modules/.DS_Store/build artifacts; docs pages all reachable from the sidebar; no unused package dependencies found; create-app templates carry no lockfiles.Notes (flagged, deliberately not changed)
site/www/askable-ui-code.mp4(6.5 MB) is the largest blob in git — it's the in-use product video; consider hosting via release assets/CDN if repo size becomes a concern.Test plan
🤖 Generated with Claude Code
Generated by Claude Code