
fix: prevent server-controlled alert injection and username path traversal in popup#74

Draft
Copilot wants to merge 3 commits into main from copilot/fix-server-error-message-injection

Conversation


Copilot AI commented Apr 5, 2026

Two high-severity findings where server-controlled data was used in the UI without sanitization: raw API error strings rendered via alert() (social engineering vector) and an unvalidated username interpolated directly into a chrome.tabs.create URL (path traversal risk).

Changes

  • Alert injection (handleCapture, handleUpload): Replace response.error concatenation in alert() with static generic messages. Server error is still logged to the console for debugging.
// Before
alert('Failed to capture screenshot: ' + response.error);

// After
console.error('Capture failed:', response.error);
alert('Failed to capture screenshot. Please try again.');
  • Username URL injection (openDashboard): Validate username against ^[a-zA-Z0-9_.-]+$ before navigation; encode with encodeURIComponent(). Invalid usernames are blocked with a console.warn.
// Before
chrome.tabs.create({ url: `https://dashboard.captureapp.xyz/showcase/${username}` });

// After
if (!/^[a-zA-Z0-9_.-]+$/.test(username)) {
  console.warn('openDashboard: username contains invalid characters, navigation blocked.');
  return;
}
chrome.tabs.create({ url: `https://dashboard.captureapp.xyz/showcase/${encodeURIComponent(username)}` });
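
The openDashboard hardening described above, written as an added example (not the extension's own code) as a pure function so the URL that would be handed to chrome.tabs.create can be inspected and tested offline. It goes one step beyond the PR: after building the URL it re-parses it with the WHATWG URL parser and checks that the path still points at the showcase segment, which also catches the single-segment usernames "." and ".." that the allow-list regex admits and that URL normalisation would collapse. The function name buildShowcaseUrl and the sample inputs are constructed for this example.

```javascript
// Added example, not the extension's code: openDashboard's URL construction
// as a pure function so it can be tested without the chrome.* APIs.
const SHOWCASE_BASE = 'https://dashboard.captureapp.xyz/showcase/';
const USERNAME_RE = /^[a-zA-Z0-9_.-]+$/; // allow-list from the PR

// Returns the dashboard URL for `username`, or null if it must not be opened.
function buildShowcaseUrl(username) {
  // Allow-list check from the PR: rejects "/", "?", "#", "%" and anything
  // else that could change the path, query or fragment of the target URL.
  if (typeof username !== 'string' || !USERNAME_RE.test(username)) {
    console.warn('openDashboard: username contains invalid characters, navigation blocked.');
    return null;
  }
  // Defence in depth: every allowed character is unreserved, so encoding is a
  // no-op today, but it stays correct if the allow-list is ever widened.
  const encoded = encodeURIComponent(username);
  const url = new URL(SHOWCASE_BASE + encoded);
  // Extra structural check (beyond the PR): the parsed URL must still be the
  // showcase base plus the encoded segment, with no query or fragment. The
  // URL parser collapses "." and ".." segments, so those usernames fail here.
  if (url.origin + url.pathname !== SHOWCASE_BASE + encoded || url.search || url.hash) {
    console.warn('openDashboard: URL normalisation changed the path, navigation blocked.');
    return null;
  }
  return url.href;
}

// Constructed sample inputs: one legitimate username and several that a
// compromised server or tampered storage might return.
const SAMPLE_USERNAMES = ['alice_01.x-y', '../admin', 'alice?role=admin', 'alice#x', '..', ''];
for (const name of SAMPLE_USERNAMES) {
  console.log(JSON.stringify(name), '->', buildShowcaseUrl(name));
}
// In the popup the caller would be:
//   const url = buildShowcaseUrl(username);
//   if (url) chrome.tabs.create({ url });
```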

Copilot AI and others added 2 commits April 5, 2026 11:07
- Replace raw response.error in alert() calls with safe generic messages
  to prevent MITM/compromised server social engineering attacks
- Validate username against ^[a-zA-Z0-9_.-]+$ and use encodeURIComponent()
  in openDashboard() to prevent path traversal via unsanitized username

Agent-Logs-Url: https://github.com/numbersprotocol/proofsnap-extension/sessions/e6d515c8-e9ff-433f-8fed-166b3d09d87f

Co-authored-by: numbers-official <181934381+numbers-official@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix server error message injection via alert and username sanitization" to "fix: prevent server-controlled alert injection and username path traversal in popup" on Apr 5, 2026
Copilot AI requested a review from numbers-official April 5, 2026 11:08


Successfully merging this pull request may close these issues.

[Security][High] Server error message injection via alert() and unsanitized username in URL construction
