fix(security): address 4 CodeQL warnings #29

Merged
whykusanagi merged 1 commit into main from fix/codeql-warnings on May 25, 2026

Conversation

@whykusanagi
Owner

Summary

Resolves four of the five CodeQL findings surfaced when default code scanning was enabled on the repo. The fifth was dismissed in the GitHub UI as a false positive (see Dismissed below).

Fixes

| File | Rule | Change |
| --- | --- | --- |
| src/lib/celeste-widget.js | js/insecure-randomness | generateSessionId() uses crypto.randomUUID() instead of Math.random(). Backward-compatible — sessionId is set in the constructor, only used for logging/routing. |
| examples/components/websocket-manager.html | js/xss-through-dom | log() builds child spans with textContent instead of innerHTML. Incoming WebSocket frames can no longer inject markup into the demo log. |
| examples/components/png-export.html | js/functionality-from-untrusted-source | Added SRI integrity="sha384-..." + crossorigin="anonymous" on the pinned html2canvas script. Matches the SRI guidance we publish for consumers in docs/CDN_CONSUMPTION.md. |
| .github/workflows/checks.yml | actions/missing-workflow-permissions | Job-level permissions: contents: read. The workflow only needs to read repo contents — the default broad-write GITHUB_TOKEN is gratuitously permissive in a public package. |

Dismissed (not fixed)

js/tainted-format-string (src/lib/countdown-widget.js:195) — dismissed as false_positive. The flagged line is console.error(`...${eventName}...`, error). JS template literals are not printf-style format strings — V8 doesn't reinterpret %s inside `...${x}...`. This rule is a known false-positive on JS template-literal interpolation. Real impact is bounded to log injection via newline chars in the browser dev console, with no exploitation path.

Verification

  • ✅ 166/166 tests pass locally
  • node --check clean on changed JS
  • ✅ SRI hash computed against the actual cdnjs file: sha384-ZZ1pncU3bQe8y31yfZdMFdSpttDoPmOZg2wguVK9almUodir1PghgT0eY7Mrty8H

Test plan

  • Unit tests pass
  • CodeQL re-scan after merge shows 4 closed / 1 dismissed
  • PR's checks job runs with read-only token without breaking

🤖 Generated with Claude Code

Resolves four of the five CodeQL findings surfaced when default
code scanning was enabled. The fifth (js/tainted-format-string in
countdown-widget.js) is dismissed as false-positive — V8 does not
reinterpret %s in JS template literals.

- src/lib/celeste-widget.js: generateSessionId() now uses
  crypto.randomUUID() instead of Math.random(). Fixes
  js/insecure-randomness. Backward-compatible: sessionId is set in
  the constructor and not parsed downstream, only logged/routed.

- examples/components/websocket-manager.html: log() now builds
  child spans with textContent instead of innerHTML, so incoming
  WebSocket frames can't inject markup into the demo log. Fixes
  js/xss-through-dom.

- examples/components/png-export.html: pinned html2canvas script
  now carries an SRI hash (sha384) and crossorigin="anonymous",
  matching the SRI guidance we publish for consumers in
  docs/CDN_CONSUMPTION.md. Fixes
  js/functionality-from-untrusted-source.

- .github/workflows/checks.yml: declare permissions: contents:read
  at the job level. The workflow only needs to read repo contents
  (checkout + npm install + build + test); the default
  GITHUB_TOKEN with broad write scope is gratuitously permissive
  in a public package. Fixes actions/missing-workflow-permissions.

166/166 tests still pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

The latest updates on your project.

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
| --- | --- | --- | --- | --- |
| ✅ Deployment successful! | corrupted-theme | e816abc | Commit Preview URL / Branch Preview URL | May 25 2026, 10:27 PM |

@whykusanagi whykusanagi merged commit 758f461 into main May 25, 2026
5 checks passed
@whykusanagi whykusanagi deleted the fix/codeql-warnings branch May 25, 2026 22:28
1 participant