security: add response headers, escape LIKE wildcards, cap list limit #155

Open: devin-ai-integration[bot] wants to merge 1 commit into main from devin/1781644627-security-hardening


@devin-ai-integration

What Changed

Three security hardening fixes from a full codebase audit:

  1. Security headers on all HTTP responses (src/core/server.ts)

    • Extracted the route handler into a standalone handleRequest() function
    • Wrapped it with withSecurityHeaders() that sets X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, and Permissions-Policy: camera=(), microphone=(), geolocation=()
    • Existing per-route headers (e.g. the attachment CSP sandbox) are preserved — the wrapper skips headers already set
  2. LIKE wildcard escape in sessions search (src/ui/api/sessions.ts)

    • The buildWhere() helper passes user input directly into a LIKE '%...%' pattern
    • % and _ metacharacters are now escaped with backslash + ESCAPE '\' clause so search behaves as literal substring match
  3. Cap chat session list limit parameter (src/chat/http.ts)

    • Previously Number(url.searchParams.get("limit")) || 50 with no upper bound
    • Now clamped to [1, 200] to prevent resource exhaustion

Why

Addresses findings from a security scan across 7 categories (hardcoded secrets, SQL injection, unvalidated input, insecure dependencies, CORS, debug endpoints, missing auth). The codebase is well-secured overall — parameterized queries, SSRF-safe callback validation, HMAC webhook signatures, bearer+scope MCP auth, cookie auth on UI routes, path traversal defense. These three fixes harden the remaining medium-severity gaps.

How I Tested

bun run lint      # ✓ biome check passes
bun run typecheck # ✓ tsc --noEmit passes

Checklist

  • Tests pass (bun test)
  • Lint passes (bun run lint)
  • Typecheck passes (bun run typecheck)
  • No secrets or .env files included
  • Files stay under 300 lines
  • No Cardinal Rule violations (TypeScript does plumbing only, the Agent SDK does reasoning)
  • No default exports or barrel files added

Link to Devin session: https://app.devin.ai/sessions/538071d859f94ccba624cae67a12ad6b
Requested by: @mcheemaa

- Add X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and
  Permissions-Policy headers to all HTTP responses via a centralized
  withSecurityHeaders() wrapper in the Bun.serve() fetch handler.

- Escape SQL LIKE metacharacters (%, _, \) in the sessions search
  query parameter to prevent wildcard injection in the admin UI search.

- Cap the chat session list limit parameter to [1, 200] to prevent
  resource exhaustion from unbounded queries.

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
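
The LIKE wildcard escaping described in the PR description and in the commit message above, as an added TypeScript example that is not the PR's code. `escapeLike`, `likeClause`, `likeMatches`, `search` and the sample rows are hypothetical, and `likeMatches` is a simplified, case-sensitive model of LIKE that stands in for the database so the effect can be seen offline.

```typescript
// Added example, not code from this PR. All names and sample rows are hypothetical.

// Escape the LIKE metacharacters %, _ and the escape character itself in one pass,
// so a backslash typed by the user is never treated as an escape prefix.
function escapeLike(input: string): string {
  return input.replace(/[\\%_]/g, (ch) => "\\" + ch);
}

// The term stays a bound parameter; only the fixed column name is interpolated.
function likeClause(column: string, term: string): { sql: string; param: string } {
  return { sql: `${column} LIKE ? ESCAPE '\\'`, param: `%${escapeLike(term)}%` };
}

function quoteRe(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Simplified, case-sensitive model of LIKE with an ESCAPE character (assumption:
// stands in for the database so the example runs offline).
function likeMatches(pattern: string, value: string, esc: string = "\\"): boolean {
  let re = "";
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern.charAt(i);
    if (ch === esc && i + 1 < pattern.length) re += quoteRe(pattern.charAt(++i));
    else if (ch === "%") re += "[\\s\\S]*";
    else if (ch === "_") re += "[\\s\\S]";
    else re += quoteRe(ch);
  }
  return new RegExp("^" + re + "$").test(value);
}

// Constructed sample data.
const ROWS: string[] = ["deploy_100%_done", "deployX100Ydone", "daily report"];

function search(term: string, escaped: boolean): string[] {
  const pattern = escaped ? likeClause("name", term).param : `%${term}%`;
  return ROWS.filter((row) => likeMatches(pattern, row, escaped ? "\\" : ""));
}

console.log(search("100%", false)); // unescaped: % in the term acts as a wildcard
console.log(search("100%", true)); // escaped: literal substring match only
```
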
@devin-ai-integration


🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring
