Triage and fix Security Scan suspicious-pattern failures #21

Open
opened 2026-05-17 12:10:26 +00:00 by MrSphay · 0 comments
Owner

Created from Gitea runner evidence after reviewing existing issues #1-#19.

Runner evidence:

  • Workflow: security-scan.yml@refs/heads/codex/production-intelligence-terminal
  • Run: https://git.wilkensxl.de/MrSphay/intelligence-terminal/actions/runs/60
  • Job runner: global-runner-3
  • Result: npm audit --omit=dev --audit-level=high passed with 0 vulnerabilities, then the suspicious-pattern scan failed.

Current status: the security scan flags a mix of likely-real DOM injection risks and expected/false-positive code patterns:

  • dashboard/public/jarvis.html: multiple innerHTML sinks, including popup/body/panel rendering paths that can receive sweep/feed/OSINT-derived content.
  • dashboard/public/loading.html: boot text uses innerHTML.
  • server.mjs and dashboard/inject.mjs: child_process.exec for browser auto-open paths.
  • lib/intelligence-store.mjs and source parsers: .exec(...) or regex .exec(...) matches that are not shell execution.

Acceptance criteria:

  • Audit every innerHTML sink and replace feed/sweep/user-derived rendering with textContent, DOM builders, or an explicit escaping helper.
  • Keep intentionally static template rendering documented and constrained.
  • Replace or tightly justify child_process.exec browser-open usage; prefer execFile/argument arrays where possible, or document why gated AUTO_OPEN_BROWSER=false is acceptable.
  • Update security-scan.yml to reduce false positives for RegExp.exec and SQLite db.exec while continuing to catch shell execution and unsafe DOM writes.
  • Re-run the Gitea Security Scan and require it to pass.
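The acceptance criteria above ask for three code changes: moving feed/sweep/OSINT-derived content off innerHTML, replacing child_process.exec with execFile plus an argument array behind the AUTO_OPEN_BROWSER gate, and teaching the scan to tell shell execution apart from RegExp#exec and SQLite db.exec. The block below is an added illustration of all three; it is not code from the intelligence-terminal repository or from its security-scan.yml. The function names, the feed-item shape, the `cp` receiver alias in the scan pattern and the fail-closed default for an unset AUTO_OPEN_BROWSER are assumptions made for the example.

```javascript
// Added example for issue #21; not code from the intelligence-terminal project.
// Function names, the feed-item shape, the `cp` alias and the fail-closed
// AUTO_OPEN_BROWSER default are assumptions made for illustration.

// --- 1. innerHTML sinks ---------------------------------------------------
// Untrusted feed/sweep/OSINT fields go through textContent or attribute
// setters; the escaping helper is only for templates that must stay strings.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Builds one feed entry with DOM APIs only. `doc` is a parameter so the builder
// can be exercised outside a browser; in jarvis.html it would be `document`.
function renderFeedItem(doc, item) {
  const root = doc.createElement('article');
  root.className = 'feed-item';
  const title = doc.createElement('h3');
  title.textContent = item.title;     // assigned as text, so markup stays inert
  const summary = doc.createElement('p');
  summary.textContent = item.summary;
  const link = doc.createElement('a');
  link.textContent = item.source;
  // Only http(s) targets become live links; anything else falls back to '#'.
  link.href = /^https?:\/\//i.test(item.url) ? item.url : '#';
  link.rel = 'noopener noreferrer';
  root.append(title, summary, link);
  return root;
}

// --- 2. child_process.exec for browser auto-open --------------------------
// exec() hands one string to a shell, so URL characters such as & or ; are
// interpreted there. execFile() passes argv directly and starts no shell.
function browserOpenCommand(url, platform = process.platform) {
  const target = new URL(url);        // throws on malformed input
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    throw new Error(`refusing to open non-http(s) URL: ${target.protocol}`);
  }
  switch (platform) {
    case 'darwin': return { file: 'open', args: [target.href] };
    case 'win32':  return { file: 'rundll32', args: ['url.dll,FileProtocolHandler', target.href] };
    default:       return { file: 'xdg-open', args: [target.href] };
  }
}

// Gate on the issue's AUTO_OPEN_BROWSER variable; unset is treated as off
// (assumed default, fail closed).
function shouldAutoOpen(env = process.env) {
  return env.AUTO_OPEN_BROWSER === 'true';
}

async function openBrowser(url, env = process.env) {
  if (!shouldAutoOpen(env)) return false;
  const { file, args } = browserOpenCommand(url);
  const { execFile } = await import('node:child_process');
  await new Promise((resolve, reject) =>
    execFile(file, args, (err) => (err ? reject(err) : resolve())));
  return true;
}

// --- 3. Scan patterns -----------------------------------------------------
// Flag child_process.exec / execSync (via the module, a `cp` alias, or a bare
// imported exec) but not RegExp#exec or SQLite db.exec, whose receiver is a
// dotted identifier other than the module. Also flag HTML-interpreting writes.
const SHELL_EXEC = /(?:\bchild_process\.|\bcp\.|(?<![.\w$]))exec(?:Sync)?\s*\(/;
const UNSAFE_DOM_WRITE = /\.(?:innerHTML|outerHTML)\s*\+?=(?!=)|document\.write\s*\(|\.insertAdjacentHTML\s*\(/;

function scanLine(line) {
  const findings = [];
  if (SHELL_EXEC.test(line)) findings.push('shell-exec');
  if (UNSAFE_DOM_WRITE.test(line)) findings.push('unsafe-dom-write');
  return findings;
}
```

The scan pattern is written as a JavaScript RegExp so it can be tested against sample lines here; the same expression (minus the lookbehind, if the grep flavour used in security-scan.yml lacks it) can be carried into the workflow's pattern list. A line such as `popup.innerHTML = escapeHtml(...)` is still reported, which is intended: the issue wants the remaining static template writes documented and constrained, not hidden from the scan.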

Reference: MrSphay/intelligence-terminal#21