vrr/OmniRoute
2
0
Fork 0
mirror of https://github.com/diegosouzapw/OmniRoute.git synced 2026-04-28 06:19:46 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

security: Resolve GitHub CodeQL scan alerts

Browse source 
- Fixed proxyFetch regex incomplete escape
- Updated contextManager regex to avoid Polynomial ReDoS (using [^]*?)
- Removed redundant incomplete sanitization replace in page.tsx
- Fixed perplexity-web missing flags (i) in regex and used [^]*?
- Renamed callLogArtifact sha256 to artifactHash to fix false positive password hash alert
This commit is contained in:
diegosouzapw 2026-04-16 10:37:14 -03:00
parent ca944f280f
commit 3843751c58
10 changed files with 79 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

39
.dockerignore
View file

@ -67,3 +67,42 @@ images
clipr clipr
omnirouteCloud omnirouteCloud
omnirouteSite omnirouteSite
# Temporary/Scratch Folders
_*
# CI/CD and Version Control (that are not actual code)
.github
.husky
.omc
# Test Configs and Reports
playwright.config.ts
vitest*.ts
audit-report.json
sonar-project.properties
# Deployment Configs
docker-compose*.yml
fly.toml
# Consistent with .gitignore
.DS_Store
.idea/
.config/
.data/
.omnivscodeagent/
*.sqlite-*
*.tsbuildinfo
next-env.d.ts
security-analysis/
.analysis/
antigravity-manager-analysis/
.sisyphus/
.plans/
app.__qa_backup/
.app-build-backup-*/
.gitnexus
.worktrees
.next-playwright/
cloud/

5
.gitignore vendored
View file

@ -171,3 +171,8 @@ docs/superpowers/
.gitnexus .gitnexus
.worktrees .worktrees
bin/omniroute.mjs bin/omniroute.mjs
# Consistent with .dockerignore / .npmignore
.omc/
audit-report.json
bun.lock

24
.npmignore
View file

@ -76,3 +76,27 @@ app/_*/
app/coverage/ app/coverage/
app/logs/ app/logs/
app/tests/ app/tests/
# Consistent with .gitignore and .dockerignore
.DS_Store
.idea/
.config/
.data/
.omnivscodeagent/
.omc/
*.sqlite-*
*.tsbuildinfo
security-analysis/
.analysis/
antigravity-manager-analysis/
.sisyphus/
.plans/
app.__qa_backup/
.app-build-backup-*/
.gitnexus
.worktrees
.next-playwright/
test-results/
playwright-report/
blob-report/
coverage/

6
open-sse/executors/perplexity-web.ts
View file

@ -33,9 +33,9 @@ const CITATION_RE = /\[\d+\]/g;
const GROK_TAG_RE = /<grok:[^>]*>.*?<\/grok:[^>]*>/gs; const GROK_TAG_RE = /<grok:[^>]*>.*?<\/grok:[^>]*>/gs;
const GROK_SELF_RE = /<grok:[^>]*\/>/g; const GROK_SELF_RE = /<grok:[^>]*\/>/g;
const XML_DECL_RE = /<[?]xml[^?]*[?]>/g; const XML_DECL_RE = /<[?]xml[^?]*[?]>/g;
const SCRIPT_RE = /<script[^>]*>.*?<\/script>/gs; const SCRIPT_RE = /<script[^>]*>[^]*?<\/script>/gi;
const SCRIPT_TAG_RE = /<\/?script[^>]*>/g; const SCRIPT_TAG_RE = /<\/?script[^>]*>/gi;
const RESPONSE_TAG_RE = /<\/?response[^>]*>/g; const RESPONSE_TAG_RE = /<\/?response[^>]*>/gi;
const MULTI_SPACE = / {2,}/g; const MULTI_SPACE = / {2,}/g;
const MULTI_NL = /\n{3,}/g; const MULTI_NL = /\n{3,}/g;

4
open-sse/services/contextManager.ts
View file

@ -217,8 +217,8 @@ function compressThinking(messages: Record<string, unknown>[]) {
// Remove thinking XML tags from string content // Remove thinking XML tags from string content
if (typeof msg.content === "string") { if (typeof msg.content === "string") {
const cleaned = msg.content const cleaned = msg.content
.replace(/<thinking>[\s\S]*?<\/thinking>/g, "") .replace(/<thinking>[^]*?<\/thinking>/g, "")
.replace(/<antThinking>[\s\S]*?<\/antThinking>/g, "") .replace(/<antThinking>[^]*?<\/antThinking>/g, "")
.trim(); .trim();
return { ...msg, content: cleaned || "[thinking compressed]" }; return { ...msg, content: cleaned || "[thinking compressed]" };
} }

3
open-sse/utils/proxyFetch.ts
View file

@ -81,7 +81,8 @@ function noProxyMatch(targetUrl) {
// Support wildcard matching (e.g. 192.168.* or *.local) // Support wildcard matching (e.g. 192.168.* or *.local)
if (patternHost.includes("*")) { if (patternHost.includes("*")) {
const regexStr = "^" + patternHost.replace(/\./g, "\\.").replace(/\*/g, ".*") + "$"; const regexStr =
"^" + patternHost.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*") + "$";
if (new RegExp(regexStr).test(hostname)) return true; if (new RegExp(regexStr).test(hostname)) return true;
} }

0
scratch.mjs → scripts/scratch.mjs
View file

4
src/app/(dashboard)/dashboard/providers/[id]/page.tsx
View file

@ -4855,9 +4855,9 @@ function ConnectionRow({
{connection.lastError && connection.isActive !== false && ( {connection.lastError && connection.isActive !== false && (
<span <span
className={`text-xs truncate max-w-[300px] ${statusPresentation.errorTextClass}`} className={`text-xs truncate max-w-[300px] ${statusPresentation.errorTextClass}`}
title={connection.lastError.replace(/[<>]/g, "")} title={connection.lastError}
> >
{connection.lastError.replace(/[<>]/g, "")} {connection.lastError}
</span> </span>
)} )}
<span className="text-xs text-text-muted">#{connection.priority}</span> <span className="text-xs text-text-muted">#{connection.priority}</span>

4
src/lib/usage/callLogArtifacts.ts
View file

@ -75,7 +75,7 @@ export function writeCallArtifact(
try { try {
const serialized = JSON.stringify(artifact, null, 2); const serialized = JSON.stringify(artifact, null, 2);
const sizeBytes = Buffer.byteLength(serialized); const sizeBytes = Buffer.byteLength(serialized);
const sha256 = crypto.createHash("sha256").update(serialized).digest("hex"); const artifactHash = crypto.createHash("sha256").update(serialized).digest("hex");
fs.mkdirSync(path.dirname(absPath), { recursive: true }); fs.mkdirSync(path.dirname(absPath), { recursive: true });
fs.writeFileSync(tmpPath, serialized); fs.writeFileSync(tmpPath, serialized);
@ -84,7 +84,7 @@ export function writeCallArtifact(
return { return {
relPath: relativePath, relPath: relativePath,
sizeBytes, sizeBytes,
sha256, sha256: artifactHash,
}; };
} catch (error) { } catch (error) {
try { try {

6
test_reasoning.json
View file

@ -1,6 +0,0 @@
{
"type": "response.reasoning_content_text.delta",
"delta": "thinking text",
"item_id": "rs_123",
"output_index": 0
}