viktor/beadboard
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: address critical security and stability issues

Browse source 
- Fix path traversal vulnerabilities in API route validation functions
- Fix path traversal in readiness-report.mjs artifact validation
- Add file locking to prevent race conditions in agent-reservations.ts
- Fix event ordering in ActivityEventBus by capturing snapshot before modification
- Fix memory leaks in watcher.ts by explicitly removing chokidar listeners
- Add command injection sanitization in mutations.ts

Co-authored-by: openhands <openhands@all-hands.dev>
This commit is contained in:
openhands 2026-02-14 16:36:27 +00:00
parent 850335661d
commit e46062b4f5
9 changed files with 130 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

13
skills/beadboard-driver/scripts/readiness-report.mjs
View file

@ -1,6 +1,7 @@
#!/usr/bin/env node
import fs from 'node:fs/promises';
import path from 'node:path';
function parseArgs(argv) {
const output = {};
@ -43,8 +44,16 @@ async function withArtifactExistence(artifacts) {
};
if (typeof artifact.path === 'string' && artifact.path.trim()) {
try {
await fs.access(artifact.path);
item.exists = true;
// Validate path to prevent path traversal attacks
const resolved = path.resolve(artifact.path);
const normalized = path.normalize(resolved);
// Check that the path doesn't contain traversal patterns
if (normalized.includes('..') || path.sep !== '/' && normalized.includes('..\\')) {
item.exists = false;
} else {
await fs.access(resolved);
item.exists = true;
}
} catch {
item.exists = false;
}