## Context

Follow-up items identified during PR #52 code review (Copilot + Gemini).

## Tasks

### Security

- [ ] `commands.rs:912` — Misleading error message in `entry.get_password()` ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929430140))
- [ ] `server.js:15` — Permissive CORS (`origin: true` + credentials) allows arbitrary web pages to call local server ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929404174))
- [ ] `server.js:100` — Shell command injection via user-provided URL in `exec()` ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929404185))
- [ ] `routes/fs.js:12` — Directory enumeration via user-controlled `path` query param ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929404202))

### Code Quality

- [ ] `ipfs.ts:9` — Hardcoded Pinata API/Gateway URLs → move to environment variables ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929430159))
- [ ] `ipfs.ts:33,62` — Empty catch blocks hiding JSON parsing errors ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929430162), [review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929430165))
- [ ] `L2DetailPublishTab.tsx:165,173` — Hardcoded `localhost` URLs for L1/L2 RPC ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929430150), [review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929487792))
- [ ] `L2DetailPublishTab.tsx:377` — Hardcoded `localhost` fallback for `l1RpcUrl` ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929487804))
- [ ] `L2DetailPublishTab.tsx:117` — Sequential screenshot uploads → parallelize with `Promise.all()` ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929487801))
- [ ] `test-e2e-fork.js:107` — `res.json()` not awaited, `data.deployment` always undefined ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929404217))
- [ ] `test-e2e-fork.js:22` — Hardcoded RPC credential → move to env var ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929404225))
- [ ] `docker-remote.js:62` — Timeout timer never cleared after command completes ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929404233))
- [ ] `server.js:37,41` — `PLATFORM_API` default URL mismatch with docs ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929404249), [review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929404261))
- [ ] `dev.sh:44` — Missing `pnpm` prerequisite check ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929404273))

## Related

- PR #52