viktor/beadboard
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: address Qodo code review findings

Browse source 
- Add missing snapshot-differ.test.ts to npm test script
- Fix path traversal vulnerability in agent-mail.ts with message ID validation
- Fix readLastTouchedVersion to log errors instead of silently swallowing them
- Sanitize log statements to not leak full paths
- Add projectRoot validation to all API routes
- Fix activity persistence write race conditions with promise chaining

Co-authored-by: openhands <openhands@all-hands.dev>
This commit is contained in:
openhands 2026-02-14 08:43:04 +00:00
parent d1140c9809
commit a3f2ceef52
8 changed files with 108 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

19
src/app/api/activity/route.ts
View file

@ -1,9 +1,26 @@
import { activityEventBus } from '../../../lib/realtime';
function isValidProjectRoot(root: string): boolean {
try {
const resolved = require('path').resolve(root);
return require('path').isAbsolute(resolved);
} catch {
return false;
}
}
export async function GET(request: Request): Promise<Response> {
const url = new URL(request.url);
const projectRoot = url.searchParams.get('projectRoot') || undefined;
const projectRootParam = url.searchParams.get('projectRoot');
if (projectRootParam && !isValidProjectRoot(projectRootParam)) {
return NextResponse.json(
{ error: 'Invalid projectRoot path' },
{ status: 400 }
);
}
const projectRoot = projectRootParam || undefined;
const history = activityEventBus.getHistory(projectRoot);
return Response.json(history);