fix: address Qodo code review findings

- Add missing snapshot-differ.test.ts to npm test script - Fix path traversal vulnerability in agent-mail.ts with message ID validation - Fix readLastTouchedVersion to log errors instead of silently swallowing them - Sanitize log statements to not leak full paths - Add projectRoot validation to all API routes - Fix activity persistence write race conditions with promise chaining Co-authored-by: openhands <openhands@all-hands.dev>
2026-02-14 08:43:04 +00:00 · 2026-02-14 08:43:04 +00:00 · a3f2ceef52
commit a3f2ceef52
parent d1140c9809
8 changed files with 108 additions and 9 deletions
--- a/src/app/api/agents/[agentId]/stats/route.ts
+++ b/src/app/api/agents/[agentId]/stats/route.ts
@ -1,15 +1,30 @@
 import { NextResponse } from 'next/server';
+import path from 'node:path';
 import { readIssuesFromDisk } from '../../../../../lib/read-issues';
 import { activityEventBus } from '../../../../../lib/realtime';
 import { getAgentMetrics } from '../../../../../lib/agent-sessions';

+function isValidProjectRoot(root: string): boolean {
+  try {
+    const resolved = path.resolve(root);
+    return path.isAbsolute(resolved);
+  } catch {
+    return false;
+  }
+}
+
 export async function GET(
  request: Request,
  { params }: { params: Promise<{ agentId: string }> }
 ): Promise<Response> {
  const { agentId } = await params;
  const url = new URL(request.url);
-  const projectRoot = url.searchParams.get('projectRoot') ?? process.cwd();
+  const projectRootParam = url.searchParams.get('projectRoot');
+  const projectRoot = projectRootParam ?? process.cwd();
+
+  if (projectRootParam && !isValidProjectRoot(projectRootParam)) {
+    return NextResponse.json({ ok: false, error: 'Invalid projectRoot path' }, { status: 400 });
+  }

  try {
    const issues = await readIssuesFromDisk({ projectRoot, preferBd: true });