v4.15.1 — CodeQL Security Fixes

@Jovancoding Jovancoding released this 03 Apr 23:20
· 19 commits to main since this release

Fixed

  • CodeQL #105 — ReDoS in `parsePlanJSON()` (`lib/goal-decomposer.ts`): Replaced ambiguous regex with indexOf-based code-fence stripping to eliminate polynomial backtracking.
  • CodeQL #106 — TOCTOU race in postinstall (`scripts/postinstall.js`): Replaced `existsSync` → `readFileSync` → `writeFileSync` with `openSync('r+')` + `readFileSync(fd)` + `ftruncateSync` + `writeSync` to eliminate time-of-check-to-time-of-use race.
  • ReDoS in InputSanitizer (`security.ts`): Replaced `<script[\s\S]*?>[\s\S]*?</script>` (nested quantifiers) with `<script\b[^>]*>[\s\S]*?</script>` (unambiguous).
  • Shell injection risk in NemoClawAdapter (`adapters/nemoclaw-adapter.ts`): Replaced `command.split(' ')` with `tokenizeCommand()` helper respecting quoted arguments.

Full test suite: 2,357 tests across 25 suites, all passing.