From e816abcf68050a8d61d4fdef477a2aa254d6818e Mon Sep 17 00:00:00 2001
From: whyKusanagi <169282093+whykusanagi@users.noreply.github.com>
Date: Mon, 25 May 2026 15:26:13 -0700
Subject: [PATCH] fix(security): address 4 CodeQL warnings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves four of the five CodeQL findings surfaced when default code scanning
was enabled. The fifth (js/tainted-format-string in countdown-widget.js) is
dismissed as false-positive — V8 does not reinterpret %s in JS template
literals.

- src/lib/celeste-widget.js: generateSessionId() now uses crypto.randomUUID()
  instead of Math.random(). Fixes js/insecure-randomness. Backward-compatible:
  sessionId is set in the constructor and not parsed downstream, only
  logged/routed.

- examples/components/websocket-manager.html: log() now builds child spans
  with textContent instead of innerHTML, so incoming WebSocket frames can't
  inject markup into the demo log. Fixes js/xss-through-dom.

- examples/components/png-export.html: pinned html2canvas script now carries
  an SRI hash (sha384) and crossorigin="anonymous", matching the SRI guidance
  we publish for consumers in docs/CDN_CONSUMPTION.md. Fixes
  js/functionality-from-untrusted-source.

- .github/workflows/checks.yml: declare permissions: contents:read at the job
  level. The workflow only needs to read repo contents (checkout + npm install
  + build + test); the default GITHUB_TOKEN with broad write scope is
  gratuitously permissive in a public package. Fixes
  actions/missing-workflow-permissions.

166/166 tests still pass.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/checks.yml               |  4 ++++
 examples/components/png-export.html        |  5 ++++-
 examples/components/websocket-manager.html | 10 +++++++++-
 src/lib/celeste-widget.js                  |  8 ++++++--
 4 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 9c7dbfd..d67bf15 100644
--- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -11,6 +11,10 @@ jobs: checks: runs-on: ubuntu-latest timeout-minutes: 5 + # Minimum scope needed: checkout reads repo contents, no other API calls. + # Closes CodeQL actions/missing-workflow-permissions warning. + permissions: + contents: read steps: - uses: actions/checkout@v4 diff --git a/examples/components/png-export.html b/examples/components/png-export.html index a98b2ad..6b4d7bf 100644 --- a/examples/components/png-export.html +++ b/examples/components/png-export.html @@ -239,9 +239,12 @@

Usage

- +
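Review bot: in the checks.yml hunk the `permissions:` / `contents: read` block is declared under the `checks:` job rather than at the top level of the workflow, so any job added to this file later still inherits the default, broader GITHUB_TOKEN scope. Placing the same two lines above `jobs:` gives every job a read-only default (a job that later needs more can widen it with its own `permissions:` block), and the comment about minimum scope would then hold for the whole workflow, not just this job. For the single job that exists today the placement is correct and the warning is closed.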
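Review bot: the png-export.html hunk reaches this page with only its `-`/`+` markers (the script tag content did not survive extraction), so the sha384 `integrity` value and the `crossorigin="anonymous"` attribute described in the commit message cannot be checked here. Before merge, confirm two things: the digest must be computed over the exact file the pinned html2canvas URL serves (a mismatched hash makes the browser refuse to execute the script, surfacing only as a console error and a silently broken export demo), and with `crossorigin="anonymous"` the CDN must respond with an `Access-Control-Allow-Origin` header, otherwise the browser blocks the load even when the hash is right. Re-fetching the pinned URL and piping it through `openssl dgst -sha384 -binary | openssl base64 -A` is a quick way to verify the first.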