fix(audit): CDN worker path-traversal guard + animation-blocks security JSDoc #26
Merged
…warnings

From the pre-publish audit's two non-blocking notes:

1. cdn-worker/index.js — reject paths containing '..' segments or percent-encoded variants (%2e%2e in any case combination) before the R2 rewrite. Defense-in-depth: Cloudflare's URL parser already normalizes most '..' segments at the platform level, but the guard protects against edge cases where normalization behavior changes. Worker redeployed (Version ID: 349fceb2-4eb0-4fc2-b3d0-054ef3431bfd).

2. animation-blocks.js — add SECURITY @warning JSDoc to TerminalBoot and SystemDiagnostic options.lines. Both classes render lines directly into element.innerHTML, which is safe when lines come from the developer (the documented use case) but a footgun if a downstream consumer ever passes user-controlled input. JSDoc now states the contract explicitly + suggests HTML entity escaping for UGC paths.
Summary
Two non-blocking findings from the pre-publish audit (PR #25 follow-up):
1. CDN worker path-traversal guard

cdn-worker/index.js — added a guard that rejects request paths containing .. segments or percent-encoded variants (%2e%2e in any case mix) before constructing the rewritten R2 URL. Returns HTTP 400 with a "path traversal not permitted" body.

Risk assessment: Cloudflare's URL parser already normalizes .. segments at the platform level before the request reaches the Worker — the bucket only holds public content anyway — so this is genuinely defense-in-depth, not a vulnerability fix. Worker has been redeployed (Version ID 349fceb2-4eb0-4fc2-b3d0-054ef3431bfd).

2. animation-blocks security JSDoc

src/lib/animation-blocks.js — TerminalBoot and SystemDiagnostic classes both pass options.lines[i] directly into element.innerHTML. Documented as @param {string[]} (developer-supplied, trusted) but the contract wasn't explicit. Added ⚠️ SECURITY: JSDoc notes calling out that lines render as raw HTML and callers must escape HTML entities if content comes from user input.

No code behavior change — purely documentation.
Test plan
- wrangler deploy --config cdn-worker/wrangler.toml)
- npm test — 166/166 pass (no behavior change in src/)
- @latest URLs still return 200, path-traversal probes return 404 (Cloudflare normalizes before reaching the guard — guard is defensive)

🤖 Generated with Claude Code
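
A sketch of the kind of guard item 1 describes, added here as an example; it is not the code from cdn-worker/index.js. It goes slightly beyond the description by also catching mixed forms such as .%2e, and it shows what a WHATWG URL parser does to the same paths. The function names and the host cdn.example are assumptions.

```javascript
// Added example; not the code from cdn-worker/index.js.
// Hypothetical names: hasTraversalSegment, guardPath, normalizedPathname.

// One dot, either literal or percent-encoded (%2e / %2E).
const DOT = "(?:\\.|%2e)";
// A whole segment that decodes to "..": "..", "%2e%2e", ".%2E", "%2e.", ...
const DOT_DOT_SEGMENT = new RegExp(`^${DOT}${DOT}$`, "i");

// True when the raw (un-normalized) path has a ".." segment in any encoding.
function hasTraversalSegment(rawPath) {
  // Only the path is checked; drop the query string and fragment.
  const pathOnly = rawPath.split(/[?#]/, 1)[0];
  // Split on "/" and "\" (URL parsers treat "\" as "/" for http/https).
  return pathOnly.split(/[\/\\]/).some((seg) => DOT_DOT_SEGMENT.test(seg));
}

// Returns the rejection the PR describes (HTTP 400), or null to let the
// request continue to the R2 rewrite.
function guardPath(rawPath) {
  if (hasTraversalSegment(rawPath)) {
    return { status: 400, body: "path traversal not permitted" };
  }
  return null;
}

// What a WHATWG URL parser makes of the same path.
// cdn.example is a placeholder host.
function normalizedPathname(rawPath) {
  return new URL(rawPath, "https://cdn.example").pathname;
}

// Constructed sample paths, not taken from the PR.
const samples = [
  "/lib/@latest/blocks.js",
  "/lib/v1..2/blocks.js", // ".." inside a name is not a segment
  "/lib/../secret.txt",
  "/lib/%2E%2e/secret.txt",
  "/lib/.%2e/secret.txt",
];
for (const p of samples) {
  const verdict = guardPath(p);
  console.log(p, "->", verdict ? verdict.status : "pass",
    "| parsed:", normalizedPathname(p));
}
```

The parsed column shows the dot-dot segments already collapsed, so a check applied to a parsed pathname would not see them; that is consistent with the test plan's probes returning 404 rather than the guard's 400.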