Add security audit report with 5 high/critical findings #1
Merged
Full static analysis of all Swift source files, CI/CD workflows, and configuration. Key findings include: WKWebView granted root filesystem read access, HTML/JS injection via unsanitized URL interpolation, CI script injection in release workflow, and decrypted media written to temp files without file protection. https://claude.ai/code/session_01Hn6V9QEs5Wgcj2eRmpkezN
- CRITICAL: Scope WKWebView file access to common ancestor directory
  instead of granting read access to entire filesystem root (/)
- HIGH: HTML-escape URL values interpolated into video HTML template
  to prevent XSS via crafted media URLs
- HIGH: Sanitize evaluateJavaScript inputs (hex colors filtered to
  valid chars, numeric values clamped/validated for finiteness)
- HIGH: Add .completeFileProtection to decrypted temp files and
  other sensitive temp file writes
- HIGH: Fix CI script injection by using env vars instead of inline
  ${{ }} interpolation in shell commands
- MODERATE: Add Content-Security-Policy meta tag to WKWebView HTML
- MODERATE: Add HTTP header sanitization rejecting control characters
  to prevent header injection attacks
- MODERATE: Verify destination file integrity before removing originals
  during encryption migration to prevent data loss
- MODERATE: Pin softprops/action-gh-release to commit SHA
https://claude.ai/code/session_01Hn6V9QEs5Wgcj2eRmpkezN
- Fix decrypted temp file leak: clean up temp file in catch block when decryption or write fails in playbackURL(), preventing plaintext media from persisting on disk after errors
- Gate all debug print statements behind #if DEBUG across MediaDownloadManager, WebViewVideoPlayer, and VideoMetadata to prevent information disclosure (file paths, error details, operation status) in production builds
https://claude.ai/code/session_01Hn6V9QEs5Wgcj2eRmpkezN
- Clamp targetSize in generateThumbnailInternal to [1, 4096] — it was unbounded unlike the other thumbnail codepath, allowing callers to trigger massive canvas allocations
- Cap canvas height to 4096px in both thumbnail JS codepaths to prevent memory exhaustion when videoHeight approaches zero (division yields NaN/Infinity, or extreme aspect ratios yield millions of pixels)
- The `|| targetWidth` fallback handles NaN from division-by-zero
- Tighten CSP: add connect-src, frame-src, object-src 'none' to block fetch/XHR data exfiltration and iframe/plugin embedding
https://claude.ai/code/session_01Hn6V9QEs5Wgcj2eRmpkezN
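The thumbnail sizing guard described in the commit message above, as an added example that is not code from this pull request. The function names and the height formula are assumptions; the [1, 4096] clamp, the 4096px height cap and the `|| targetWidth` fallback are taken from the message.

```javascript
// Added illustration. Names and the height formula are assumed, not the project's code.
const MAX_CANVAS_DIM = 4096; // cap stated in the commit message

// Clamp a caller-supplied target size to [1, 4096].
// Non-finite input (NaN, Infinity, non-numeric strings) falls back to 1.
function clampTargetSize(targetSize) {
  const n = Number(targetSize);
  if (!Number.isFinite(n)) return 1;
  return Math.min(MAX_CANVAS_DIM, Math.max(1, Math.round(n)));
}

// Uncapped form, for contrast: only the NaN/zero fallback, no upper bound.
function uncappedHeight(videoWidth, videoHeight, targetWidth) {
  return targetWidth / (videoWidth / videoHeight) || targetWidth;
}

// Guarded form. Assumed formula: height = width / (videoWidth / videoHeight).
function thumbnailCanvasSize(videoWidth, videoHeight, targetSize) {
  const width = clampTargetSize(targetSize);
  const aspect = videoWidth / videoHeight; // 0/0 -> NaN, n/0 -> Infinity, 0/n -> 0
  // `|| width` only replaces falsy results (NaN, 0). A huge or infinite
  // height is truthy and passes straight through the fallback.
  const rawHeight = width / aspect || width;
  // The explicit cap is what bounds extreme aspect ratios and Infinity.
  const height = Math.min(MAX_CANVAS_DIM, Math.max(1, Math.round(rawHeight)));
  return { width, height };
}

// Constructed sample inputs: [videoWidth, videoHeight, targetSize]
const samples = [
  [1920, 1080, 320],  // ordinary video
  [0, 0, 320],        // metadata not loaded: NaN path
  [0, 1080, 320],     // zero width: Infinity path
  [1, 10000, 320],    // extreme aspect ratio
  [1920, 1080, 1e9],  // oversized targetSize from a caller
];
for (const [w, h, t] of samples) {
  const size = thumbnailCanvasSize(w, h, t);
  console.log(`${w}x${h} target=${t} -> ${size.width}x${size.height}`);
}
```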
Break Content-Security-Policy meta tag across multiple lines to stay under the 200-character line limit enforced by CI.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
5b47520 to 5b85139