Fix CodeQL security vulnerabilities and lint issues #77

Merged: rvguha merged 2 commits into main from fix/codeql-lint-issues on Feb 18, 2026

@rvguha (Contributor) commented Feb 18, 2026

Summary

  • Add security fixes for CodeQL vulnerabilities
  • Fix lint issues across the codebase
  • Add response cache and OpenRouter provider support
  • Update GitHub Actions permissions to minimum required
  • Add Responsible AI transparency documentation

Security Fixes

  • Restrict GitHub Actions workflow permissions to contents: read
  • Address Dependabot alerts:
    • azure-core updated to v1.38.1 ✓
    • cryptography updated to v46.0.5 ✓
    • pillow updated to v12.1.1 ✓
    • ajv vulnerability dismissed as false positive (requires $data option not used, upgrading breaks ESLint 8.x)

New Features

  • Response cache for improved performance (5 min TTL, configurable)
  • OpenRouter LLM provider support (alternative to Azure OpenAI)
  • Shopify and Wix MCP handlers for e-commerce platforms
  • Platform auto-detection via domain patterns and HTTP probes

Documentation

  • Add RAI_TRANSPARENCY.md with Responsible AI guidelines

Test Plan

  • Server starts successfully
  • Health endpoint responds
  • API connectivity confirmed
  • Updated dependencies working correctly

🤖 Generated with Claude Code

Co-Authored-By: Claude noreply@anthropic.com

rvguha and others added 2 commits February 12, 2026 14:31

## Security Fixes

| Vulnerability | Severity | Location | Fix |
|--------------|----------|----------|-----|
| SSRF | Critical | crawler/master.py | Added `is_safe_url()` validation |
| XML Bomb | High | crawler/master.py | Replaced `xml.etree` with `defusedxml` |
| Path Injection | High | frontend/chat-app/bin/nlweb-chat.mjs | Use `resolve()` with proper boundary check |
| Double Escaping | High | ChatSearch.tsx | Move `&` decoding to last |
| Clear-text Logging | High | create_test_user.py | Mask API keys in output |
| Stack Trace Exposure | Medium | api.py, SSE interfaces | Return generic error messages |
| Workflow Permissions | Medium | check.yml | Add explicit `permissions: contents: read` |

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Resolve conflicts in SSE handlers while preserving both:
- Security fix: use logger.exception() instead of exposing stack traces
- Main branch improvement: handle mid-stream errors gracefully

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

@rvguha merged commit ed55e4d into main Feb 18, 2026
19 checks passed
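
The SSRF row in the Security Fixes table names an `is_safe_url()` check in crawler/master.py, but the page does not show it. The following is an added example of what such a check can look like, not the project's code: the function body, the `resolver` parameter, `resolve_host`, `_is_public` and `ALLOWED_SCHEMES` are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: a crawler needs only these


def resolve_host(host, port):
    """Default resolver: every address the name maps to (needs DNS)."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def _is_public(address):
    ip = ipaddress.ip_address(address.split("%")[0])  # drop IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
    # the range cloud metadata services use), unspecified and reserved ranges.
    return ip.is_global and not ip.is_multicast


def is_safe_url(url, resolver=resolve_host):
    """Return True only if every address behind `url` is publicly routable."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for an out-of-range port
    except ValueError:
        return False
    host = parts.hostname
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False
    try:
        addresses = [str(ipaddress.ip_address(host))]  # IP literal: no DNS
    except ValueError:
        default_port = 443 if parts.scheme == "https" else 80
        try:
            addresses = resolver(host, port or default_port)
        except OSError:
            return False
    # One non-public address among several is enough to reject the URL.
    return bool(addresses) and all(_is_public(a) for a in addresses)
```

The check and the later fetch resolve the name separately, so the fetch should connect to an address that passed validation and rerun the check on every redirect target.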