fix: address Qodo code review findings

- Add missing snapshot-differ.test.ts to npm test script - Fix path traversal vulnerability in agent-mail.ts with message ID validation - Fix readLastTouchedVersion to log errors instead of silently swallowing them - Sanitize log statements to not leak full paths - Add projectRoot validation to all API routes - Fix activity persistence write race conditions with promise chaining Co-authored-by: openhands <openhands@all-hands.dev>
2026-02-14 08:43:04 +00:00 · 2026-02-14 08:43:04 +00:00 · a3f2ceef52
commit a3f2ceef52
parent d1140c9809
8 changed files with 108 additions and 9 deletions
--- a/src/lib/agent-mail.ts
+++ b/src/lib/agent-mail.ts
@ -98,6 +98,12 @@ function trimOrEmpty(value: unknown): string {
  return typeof value === 'string' ? value.trim() : '';
 }

+function isValidMessageId(value: string): boolean {
+  // Message IDs must be alphanumeric with underscores, hyphens, and colons
+  // This prevents path traversal attacks
+  return /^[a-zA-Z0-9_\-:]+$/.test(value);
+}
+
 function success<T>(command: MailCommandName, data: T): MailCommandResponse<T> {
  return {
    ok: true,
@ -330,6 +336,10 @@ export async function readAgentMessage(
    return invalid(command, 'MESSAGE_NOT_FOUND', 'Message id is required.');
  }

+  if (!isValidMessageId(messageId)) {
+    return invalid(command, 'INVALID_MESSAGE_ID', 'Message id contains invalid characters.');
+  }
+
  try {
    const existing = await readMessageIndex(messageId);
    if (!existing) {
@ -374,6 +384,10 @@ export async function ackAgentMessage(
    return invalid(command, 'MESSAGE_NOT_FOUND', 'Message id is required.');
  }

+  if (!isValidMessageId(messageId)) {
+    return invalid(command, 'INVALID_MESSAGE_ID', 'Message id contains invalid characters.');
+  }
+
  try {
    const existing = await readMessageIndex(messageId);
    if (!existing) {