
security: fix XSS, window.opener exposure, and Electron CSP#185

Merged
AdamJ merged 2 commits into main from security-audit on Jun 18, 2026

Conversation

AdamJ (Owner) commented Jun 18, 2026

Summary

Security audit + Dependabot remediation. Two categories of changes:

Code fixes (code review required):

  • Sanitize contactWebsite URLs via URL() — blocks javascript: URI injection
  • Add rel="noopener noreferrer" to all target="_blank" sidebar links
  • Tighten Electron CSP: remove 'unsafe-inline' and 'unsafe-eval' from script-src

Dependency upgrades (Dependabot alerts):

  • vitest 1.6.1 → 3.2.6 (CRITICAL: arbitrary file read via UI server)
  • vite 5.4.21 → 6.4.3 (HIGH: server.fs.deny bypass, NTLMv2 disclosure on Windows)
  • react-router-dom floor raised to ^6.30.4 (MEDIUM: open redirect)
  • hono pinned to 4.12.25 as direct devDep (HIGH: CORS, path traversal, Lambda issues)
  • form-data pinned to 4.0.6 as direct devDep (HIGH: CRLF injection)
  • .npmrc added: only-built-dependencies allowlist for pnpm v10

Type of Change

  • New feature
  • Update to existing feature
  • Bug fix
  • Documentation update
  • Other (security fixes + dependency upgrades)

Related Issue

Closes #

Changes Made

  • src/components/ClientManagement.tsx — URL sanitization via URL() before rendering href
  • src/components/AppSidebar.tsx — rel="noopener noreferrer" on all target="_blank" links
  • electron/main.ts — CSP script-src tightened to 'self' only
  • package.json — vite, vitest, react-router-dom bumped; hono + form-data pinned as devDeps
  • pnpm-lock.yaml — lockfile regenerated
  • .npmrc — pnpm v10 build script allowlist
  • CHANGELOG.md — ### Security section for all fixes
  • docs/SECURITY.md — "Dependency Vulnerability Management" and "Frontend Security Controls" sections added

Checklist

Documentation

  • Any notable changes added to the README.md
  • CHANGELOG.md updated accordingly
  • N/A — no README changes needed (no user-facing feature changes)

General

  • Branch is up to date with main
  • No unrelated files included in this PR
  • Tested locally by invoking pnpm lint and pnpm build

Notes for Reviewers

The contactWebsite sanitization uses an IIFE inside JSX to keep the URL validation inline with the render. Can be extracted to a sanitizeUrl utility if preferred.

pnpm's overrides field did not force version bumps for hono and form-data (pnpm resolves to the minimum satisfying version and won't bump it via overrides alone). They are pinned as direct devDependencies as a workaround — this is the correct pattern for pnpm v10.

vite 5 → 6 and vitest 1 → 3 are major version bumps. Both @vitejs/plugin-react-swc and vite-plugin-pwa explicitly support vite 6. pnpm lint and pnpm build pass cleanly. Test suite should be run before merge.
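The contactWebsite sanitization and the rel="noopener noreferrer" change described above, as an added example that is not TimeTrackerPro's code: a standalone sanitizeUrl utility of the kind the reviewer notes suggest extracting from the inline IIFE, plus a helper that turns its result into the anchor props a React component would spread. It assumes a runtime with the WHATWG URL class (Node 10+, every modern browser); the names sanitizeUrl, externalLinkProps and ContactLink are hypothetical, and the sample inputs are constructed.

```typescript
// Added example, not the project's code. Assumes the WHATWG URL class is available.
// Names (sanitizeUrl, externalLinkProps, ContactLink) are hypothetical.

const SAFE_PROTOCOLS = new Set(["http:", "https:"]);

/**
 * Return a normalized absolute http(s) URL, or null when the value must not be used as an href.
 * The decision is made on the PARSED protocol, so the parser rather than a regex handles the
 * classic bypasses: "JavaScript:" (case), " javascript:" (leading whitespace) and
 * "java\tscript:" (embedded tab/newline, which the WHATWG parser strips before parsing).
 * Relative input ("example.com", "/path") is rejected on purpose: with no base there is
 * nothing safe to resolve it against, and the caller falls back to plain text.
 */
function sanitizeUrl(value: unknown): string | null {
  if (typeof value !== "string") return null;
  let url: URL;
  try {
    url = new URL(value); // no base argument: relative strings throw and become null
  } catch {
    return null;
  }
  if (!SAFE_PROTOCOLS.has(url.protocol)) return null;
  // "https://user:pass@host" still points at host but carries phishing bait in the authority.
  if (url.username !== "" || url.password !== "") return null;
  return url.href; // normalized: lowercased scheme and host, trailing slash on a bare origin
}

type ContactLink =
  | { kind: "link"; href: string; target: "_blank"; rel: "noopener noreferrer" }
  | { kind: "text"; text: string };

/**
 * Props for rendering a user-supplied contact website. A safe URL becomes an anchor that
 * opens in a new tab with rel="noopener noreferrer": noopener denies the opened page a
 * window.opener reference, noreferrer also suppresses the Referer header. Anything else is
 * returned as text, which React escapes when rendered as a child.
 */
function externalLinkProps(value: unknown): ContactLink {
  const href = sanitizeUrl(value);
  if (href === null) return { kind: "text", text: typeof value === "string" ? value : "" };
  return { kind: "link", href, target: "_blank", rel: "noopener noreferrer" };
}

// Constructed inputs for illustration, not data from the project.
const samples: unknown[] = [
  "https://example.com/team",
  "HTTPS://EXAMPLE.COM",
  "javascript:alert(document.cookie)",
  " JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "https://login:secret@example.com/",
  "example.com",
  42,
];
for (const s of samples) console.log(JSON.stringify(s), "->", externalLinkProps(s));
```

Checking `url.protocol` after parsing is the point: a regex on the raw string has to enumerate every whitespace and case trick, while the parser already normalizes them. Rejecting relative input is a design choice; if bare hostnames must become links, prefix "https://" explicitly before calling sanitizeUrl rather than passing a base, because `new URL("example.com", base)` resolves to a path on the base, not to example.com.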

@AdamJ AdamJ added the security For security related issues and fixes label Jun 18, 2026
@github-actions github-actions Bot added the documentation Improvements or additions to documentation label Jun 18, 2026
cloudflare-workers-and-pages Bot commented Jun 18, 2026

Deploying timetrackerpro with Cloudflare Pages

Latest commit: a4526e3
Status: ✅  Deploy successful!
Preview URL: https://f9601ab2.timetrackerpro.pages.dev
Branch Preview URL: https://security-audit.timetrackerpro.pages.dev


@AdamJ AdamJ linked an issue Jun 18, 2026 that may be closed by this pull request
2 tasks
@AdamJ AdamJ added this to Timetraked Jun 18, 2026
@github-project-automation github-project-automation Bot moved this to Backlog in Timetraked Jun 18, 2026
AdamJ added 2 commits June 18, 2026 09:37
- Sanitize client contactWebsite with URL() before rendering as href;
  javascript: and other non-http(s) schemes fall back to plain text
- Add rel="noopener noreferrer" to all target="_blank" sidebar links
- Remove 'unsafe-inline' and 'unsafe-eval' from Electron script-src CSP;
  production build uses only <script type="module">, neither directive
  was needed
- vite 5.4.21 → 6.4.3 (GHSA: server.fs.deny bypass on Windows, NTLMv2 hash)
- vitest 1.6.1 → 3.2.6 (GHSA: arbitrary file read/execute via UI server)
- react-router-dom constraint floor raised to ^6.30.4 (open redirect fix)
- hono pinned to 4.12.25 as direct devDep (CORS, path traversal, Lambda fixes)
- form-data pinned to 4.0.6 as direct devDep (CRLF injection fix)
- .npmrc added to declare build script allowlist for esbuild, @swc/core,
  electron-winstaller, msw (pnpm v10 moved onlyBuiltDependencies from
  package.json#pnpm to .npmrc)
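The Electron CSP change in the commit message above (dropping 'unsafe-inline' and 'unsafe-eval' from script-src because a module-script build needs neither), as an added example that is not TimeTrackerPro's code: a small checker that parses a Content-Security-Policy value, finds the directive that actually governs script execution (script-src, else default-src), and reports the sources a reviewer would flag. The PR does not quote the project's real policy, so the WEAK_CSP and TIGHT_CSP strings are constructed to match the shape the commit describes; the function names are hypothetical.

```typescript
// Added example, not the project's code. Policy strings below are constructed.

type Directive = { name: string; sources: string[] };

/** Parse a CSP header or <meta> value into directives. Names are case-insensitive and a
 *  repeated directive is ignored after its first occurrence, which is what browsers do. */
function parseCsp(csp: string): Directive[] {
  const seen = new Set<string>();
  const out: Directive[] = [];
  for (const raw of csp.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (seen.has(name)) continue;
    seen.add(name);
    out.push({ name, sources: tokens.slice(1) });
  }
  return out;
}

/** The directive that governs <script> execution: script-src if present, otherwise
 *  default-src; null when neither exists, in which case scripts are unrestricted. */
function effectiveScriptDirective(csp: string): Directive | null {
  const directives = parseCsp(csp);
  return (
    directives.find((d) => d.name === "script-src") ??
    directives.find((d) => d.name === "default-src") ??
    null
  );
}

/** Findings a reviewer would raise about the script policy; empty means nothing to flag. */
function scriptSrcFindings(csp: string): string[] {
  const d = effectiveScriptDirective(csp);
  if (d === null) return ["no script-src or default-src: script execution is unrestricted"];
  const findings: string[] = [];
  const lower = d.sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (lower.includes("'unsafe-inline'")) {
    findings.push(
      hasNonceOrHash
        ? `${d.name}: 'unsafe-inline' is ignored by CSP Level 2+ browsers when a nonce or hash source is also listed; remove it anyway`
        : `${d.name}: 'unsafe-inline' permits inline <script> and on* handlers, which is what an XSS payload needs`,
    );
  }
  if (lower.includes("'unsafe-eval'")) {
    findings.push(`${d.name}: 'unsafe-eval' permits eval(), new Function() and string timers`);
  }
  if (lower.includes("*") || lower.some((s) => /^(https?:|data:|blob:)$/.test(s))) {
    findings.push(`${d.name}: wildcard or scheme-wide source lets any matching origin run code`);
  }
  return findings;
}

// Constructed policies of the shape the commit describes, before and after the change.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const TIGHT_CSP = "default-src 'self'; script-src 'self'";

console.log(scriptSrcFindings(WEAK_CSP));
console.log(scriptSrcFindings(TIGHT_CSP));
```

Two caveats the check encodes: a policy that only sets default-src still governs scripts, so removing 'unsafe-inline' from script-src alone is not enough if default-src carries it; and a policy with no script-src and no default-src is not "restrictive by default", it leaves scripts unrestricted. Whether the policy reaches the renderer through a <meta http-equiv> tag or through response headers set from the main process, the string fed to this checker is the same.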
@AdamJ AdamJ moved this from Backlog to In progress in Timetraked Jun 18, 2026
@AdamJ AdamJ self-assigned this Jun 18, 2026
@AdamJ AdamJ merged commit 9787002 into main Jun 18, 2026
3 checks passed
@github-project-automation github-project-automation Bot moved this from In progress to Done in Timetraked Jun 18, 2026

Successfully merging this pull request may close these issues.

Security Audit

1 participant