security: Resolve GitHub CodeQL scan alerts

- Fixed proxyFetch regex incomplete escape - Updated contextManager regex to avoid Polynomial ReDoS (using [^]*?) - Removed redundant incomplete sanitization replace in page.tsx - Fixed perplexity-web missing flags (i) in regex and used [^]*? - Renamed callLogArtifact sha256 to artifactHash to fix false positive password hash alert
2026-04-26 13:31:00 +00:00 · 2026-04-16 10:37:14 -03:00 · 2026-04-16 10:37:14 -03:00 · 3843751c58
commit 3843751c58
parent ca944f280f
10 changed files with 79 additions and 16 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -67,3 +67,42 @@ images
 clipr
 omnirouteCloud
 omnirouteSite
+
+# Temporary/Scratch Folders
+_*
+
+# CI/CD and Version Control (that are not actual code)
+.github
+.husky
+.omc
+
+# Test Configs and Reports
+playwright.config.ts
+vitest*.ts
+audit-report.json
+sonar-project.properties
+
+# Deployment Configs
+docker-compose*.yml
+fly.toml
+
+# Consistent with .gitignore
+.DS_Store
+.idea/
+.config/
+.data/
+.omnivscodeagent/
+*.sqlite-*
+*.tsbuildinfo
+next-env.d.ts
+security-analysis/
+.analysis/
+antigravity-manager-analysis/
+.sisyphus/
+.plans/
+app.__qa_backup/
+.app-build-backup-*/
+.gitnexus
+.worktrees
+.next-playwright/
+cloud/
--- a/.gitignore
+++ b/.gitignore
@ -171,3 +171,8 @@ docs/superpowers/
 .gitnexus
 .worktrees
 bin/omniroute.mjs
+
+# Consistent with .dockerignore / .npmignore
+.omc/
+audit-report.json
+bun.lock
--- a/.npmignore
+++ b/.npmignore
@ -76,3 +76,27 @@ app/_*/
 app/coverage/
 app/logs/
 app/tests/
+
+# Consistent with .gitignore and .dockerignore
+.DS_Store
+.idea/
+.config/
+.data/
+.omnivscodeagent/
+.omc/
+*.sqlite-*
+*.tsbuildinfo
+security-analysis/
+.analysis/
+antigravity-manager-analysis/
+.sisyphus/
+.plans/
+app.__qa_backup/
+.app-build-backup-*/
+.gitnexus
+.worktrees
+.next-playwright/
+test-results/
+playwright-report/
+blob-report/
+coverage/
--- a/open-sse/executors/perplexity-web.ts
+++ b/open-sse/executors/perplexity-web.ts
@ -33,9 +33,9 @@ const CITATION_RE = /\[\d+\]/g;
 const GROK_TAG_RE = /<grok:[^>]*>.*?<\/grok:[^>]*>/gs;
 const GROK_SELF_RE = /<grok:[^>]*\/>/g;
 const XML_DECL_RE = /<[?]xml[^?]*[?]>/g;
-const SCRIPT_RE = /<script[^>]*>.*?<\/script>/gs;
-const SCRIPT_TAG_RE = /<\/?script[^>]*>/g;
-const RESPONSE_TAG_RE = /<\/?response[^>]*>/g;
+const SCRIPT_RE = /<script[^>]*>[^]*?<\/script>/gi;
+const SCRIPT_TAG_RE = /<\/?script[^>]*>/gi;
+const RESPONSE_TAG_RE = /<\/?response[^>]*>/gi;
 const MULTI_SPACE = / {2,}/g;
 const MULTI_NL = /\n{3,}/g;

--- a/open-sse/services/contextManager.ts
+++ b/open-sse/services/contextManager.ts
@ -217,8 +217,8 @@ function compressThinking(messages: Record<string, unknown>[]) {
    // Remove thinking XML tags from string content
    if (typeof msg.content === "string") {
      const cleaned = msg.content
-        .replace(/<thinking>[\s\S]*?<\/thinking>/g, "")
-        .replace(/<antThinking>[\s\S]*?<\/antThinking>/g, "")
+        .replace(/<thinking>[^]*?<\/thinking>/g, "")
+        .replace(/<antThinking>[^]*?<\/antThinking>/g, "")
        .trim();
      return { ...msg, content: cleaned || "[thinking compressed]" };
    }
--- a/open-sse/utils/proxyFetch.ts
+++ b/open-sse/utils/proxyFetch.ts
@ -81,7 +81,8 @@ function noProxyMatch(targetUrl) {

    // Support wildcard matching (e.g. 192.168.* or *.local)
    if (patternHost.includes("*")) {
-      const regexStr = "^" + patternHost.replace(/\./g, "\\.").replace(/\*/g, ".*") + "$";
+      const regexStr =
+        "^" + patternHost.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*") + "$";
      if (new RegExp(regexStr).test(hostname)) return true;
    }

--- a/scripts/scratch.mjs
+++ b/scripts/scratch.mjs
--- a/src/app/(dashboard)/dashboard/providers/[id]/page.tsx
+++ b/src/app/(dashboard)/dashboard/providers/[id]/page.tsx
@ -4855,9 +4855,9 @@ function ConnectionRow({
            {connection.lastError && connection.isActive !== false && (
              <span
                className={`text-xs truncate max-w-[300px] ${statusPresentation.errorTextClass}`}
-                title={connection.lastError.replace(/[<>]/g, "")}
+                title={connection.lastError}
              >
-                {connection.lastError.replace(/[<>]/g, "")}
+                {connection.lastError}
              </span>
            )}
            <span className="text-xs text-text-muted">#{connection.priority}</span>
--- a/src/lib/usage/callLogArtifacts.ts
+++ b/src/lib/usage/callLogArtifacts.ts
@ -75,7 +75,7 @@ export function writeCallArtifact(
  try {
    const serialized = JSON.stringify(artifact, null, 2);
    const sizeBytes = Buffer.byteLength(serialized);
-    const sha256 = crypto.createHash("sha256").update(serialized).digest("hex");
+    const artifactHash = crypto.createHash("sha256").update(serialized).digest("hex");

    fs.mkdirSync(path.dirname(absPath), { recursive: true });
    fs.writeFileSync(tmpPath, serialized);
@ -84,7 +84,7 @@ export function writeCallArtifact(
    return {
      relPath: relativePath,
      sizeBytes,
-      sha256,
+      sha256: artifactHash,
    };
  } catch (error) {
    try {
--- a/test_reasoning.json
+++ b/test_reasoning.json
@ -1,6 +0,0 @@
-{
-  "type": "response.reasoning_content_text.delta",
-  "delta": "thinking text",
-  "item_id": "rs_123",
-  "output_index": 0
-}