Skip to content

Security fixes from code review (F1-F4)#2

Merged
ChickenRunVN merged 2 commits into
masterfrom
integrate/pr-merge
Jun 2, 2026
Merged

Security fixes from code review (F1-F4)#2
ChickenRunVN merged 2 commits into
masterfrom
integrate/pr-merge

Conversation

@ChickenRunVN
Copy link
Copy Markdown
Owner

@ChickenRunVN ChickenRunVN commented Jun 2, 2026

Security fixes applied after code review:

  • F1 (CRITICAL mitigation): JSON.parse guard before new Function — JSON chart configs skip the RCE path entirely; JS function configs still work but log a warning
  • F2 (HIGH): HTML-escape msg in failSvg SVG body
  • F3 (HIGH): Add return after db.get error + fix ReferenceError outputFormat→fmt in /chart/render/:key
  • F4 (MEDIUM): Explicit 100kb limit on express.urlencoded
  • Base image: node:18-alpine3.17 → node:22-alpine (drops 12C/123H CVEs)

@ChickenRunVN
build: bump base node:18-alpine3.17 -> node:22-alpine (fixes 12C/123H…
4e167b0 
… CVEs from EOL base)
@ChickenRunVN
security: fix CRITICAL/HIGH/MEDIUM findings from code review
3a93a84 
- JSON-parse guard before new Function: JSON configs bypass RCE path (F1 mitigation)
- HTML-escape msg in failSvg SVG body (F2, XSS in error output)
- Add return after db.get err + fix ReferenceError outputFormat->fmt (F3, crash+hang)
- Explicit limit on express.urlencoded (F4, DoS hardening)
Copilot AI review requested due to automatic review settings June 2, 2026 04:11
@ChickenRunVN ChickenRunVN merged commit c5b81bd into master Jun 2, 2026
1 of 2 checks passed
Copilot AI reviewed Jun 2, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR applies several post–code review security hardening changes across request parsing, error rendering, template rendering, and the container base image.

Changes:

  • Add a strict JSON.parse fast-path in renderChartJs to avoid the new Function execution path for JSON chart configs.
  • Escape error text in failSvg, fix error-path fallthrough + ReferenceError in /chart/render/:key, and set an explicit body size limit for express.urlencoded.
  • Update Docker base image from Node 18 Alpine to Node 22 Alpine to reduce known CVEs.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
lib/charts.js Adds a JSON-parse guard to bypass new Function when input is strict JSON.
index.js Adds urlencoded body size limit, HTML-escapes SVG error content, and fixes /chart/render/:key error handling + format variable usage.
Dockerfile Updates runtime base image to Node 22 Alpine.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread lib/charts.js
Comment on lines +141 to +145
} catch (_) {
// Not valid JSON — fall through to the new Function path below.
// Log so operators can see if unexpected JS function configs arrive.
logger.warn('chart input is not valid JSON; running via new Function (JS function config)');
}
Comment thread index.js
Comment on lines 547 to 548
let chartConfig = JSON.parse(row.config);
chartConfig = applyTemplateOverrides(chartConfig, req.query);
Comment thread Dockerfile
@@ -1,4 +1,4 @@
FROM node:18-alpine3.17
FROM node:22-alpine
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ChickenRunVN