8 changes: 8 additions & 0 deletions .jules/sentinel.md
@@ -18,3 +18,11 @@
**Vulnerability:** In `validatePath` and `isValidProjectPath` across multiple API files (`files.php`, `terminal.php`, `projects.php`, `src/Utils/Security.php`), the code used `strpos($realPath, $allowedReal) === 0` to check if a user-supplied path was within an allowed directory.
**Learning:** This is a classic path traversal bypass in PHP. Because it only checks for a string prefix, an allowed path like `/var/www` will successfully match a malicious sibling directory like `/var/www_backup` or `/var/www-secret`.
**Prevention:** Always append a trailing directory separator (`/`) to the allowed path prefix before checking with `strpos`, or perform an exact match if the paths are identical. For example: `strpos($realPath, rtrim($allowedReal, '/') . '/') === 0`.

## 2024-05-26 - [CRITICAL] Reflected XSS in index.php via `addslashes`

**Vulnerability:** In `public/index.php`, the `$projectPath` variable (sourced from user input) was passed to the frontend JavaScript using `addslashes()`. This function only escapes single/double quotes, backslashes, and NUL characters. It failed to escape or encode HTML tags like `<` and `>`, allowing an attacker to break out of the script tag context using `</script>` and execute arbitrary JavaScript.

**Learning:** `addslashes()` is insufficient for securely embedding PHP variables inside JavaScript strings within an HTML document. Even if quotes are escaped, the browser's HTML parser runs before the JavaScript engine, so a literal `</script>` string inside a JS string literal will terminate the script block prematurely.

**Prevention:** Always use `json_encode($variable)` when embedding PHP data into JavaScript. This safely handles quotes, special characters, and HTML tags (with proper flags or encoding), ensuring the data remains safely within the JS context.
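Review bot: The new "Prevention" entry (the `json_encode($variable)` advice) leaves the key detail vague with "with proper flags or encoding": a bare `json_encode()` does not escape `<` or `>`, so `</script>` would still pass through and the exact break-out described in the "Vulnerability" paragraph would survive. Since this file is meant to be the learning record, spell out the flags the actual fix in `public/index.php` uses, e.g. "use `json_encode($variable, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP)`; `JSON_HEX_TAG` is what turns `<`/`>` into `\u003C`/`\u003E` and keeps a literal `</script>` from reaching the HTML parser", and note that the output is emitted without surrounding quotes because `json_encode` supplies them.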
2 changes: 1 addition & 1 deletion public/index.php
@@ -261,7 +261,7 @@ class="chat-input"
<script src="https://cdn.jsdelivr.net/npm/monaco-editor@0.45.0/min/vs/loader.js"></script>
<script>
// Current project state
let currentProject = localStorage.getItem('codepilot_project') || '<?php echo addslashes($projectPath); ?>';
let currentProject = localStorage.getItem('codepilot_project') || <?php echo json_encode($projectPath, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP); ?>;
let currentFile = null;
let openFiles = {}; // Store open file models

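Review bot: The replacement line handles the `</script>` break-out correctly (`JSON_HEX_TAG` is the flag that matters there), but `json_encode()` returns `false` when `$projectPath` contains invalid UTF-8, and `echo false` prints nothing, which leaves `localStorage.getItem('codepilot_project') || ;` on the page and a JavaScript syntax error that takes the whole editor down. Since `$projectPath` is user-controlled, add `JSON_INVALID_UTF8_SUBSTITUTE` (or `JSON_THROW_ON_ERROR` and handle the exception) to the flag set so the output is always a valid JSON string literal; the same flag set should probably live in one named constant so the other places that embed `$projectPath` (the `.jules/sentinel.md` entry lists `files.php`, `terminal.php`, `projects.php`) cannot drift from this one.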