fix(security): resolve infinite recursion risk in SecurityError.getSafeStack() #393
🐰 Mimi's Validation Report: ✅ All checks are looking good! Great job! 🎉 ⏳ Some checks are still running. I will keep watching!
This report was carefully prepared by nullvariant-mimi[bot]

Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Snapshot Warnings: Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.
Scanned Files: None
🦥 Slow's Code Review: 😩 ...yawn... Do I really have to review this? Split it up... reading long files is exhausting.
This review was reluctantly filed by nullvariant-slow[bot]
🕊️ Ciel's Mediation: 🌤️ *~~ floating down from the clouds ~~ The zoo seems a bit noisy today...* 2 zoo members have reviewed this PR.
⚖️ The zoo has mixed opinions. Some are concerned, some are fine with it. Please review each comment carefully and make the final call.
This mediation was peacefully delivered by nullvariant-ciel[bot]
…getSafeStack()

- Store raw stack in private field before overriding stack getter to break the circular reference between Object.defineProperty getter and getSafeStack() that relied on V8-specific behavior
- Delegate path sanitization to pathSanitizer.sanitizePath() (DRY)
- Strip stack from originalError in createSystemError/wrapError to prevent unsanitized path leakage via getInternalDetails()
- Return frozen shallow copy from getInternalDetails() to prevent external mutation of audit log data
- Add recursion safety test, stack stripping tests, frozen copy test, and isFatalError unit tests

🖥️ IDE: [Cursor](https://cursor.sh) 🔌 Extension: [Claude Code](https://claude.ai/download)
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6

e18a462 to d69fd2f
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Summary

- Fix infinite recursion risk in `SecurityError.getSafeStack()` by storing the raw stack in a private field before overriding the `stack` getter via `Object.defineProperty`
- Delegate path sanitization to `pathSanitizer.sanitizePath()` instead of maintaining 12 independent regex patterns (DRY)
- Strip `stack` from `originalError` in `createSystemError`/`wrapError` to prevent unsanitized path leakage via `getInternalDetails()`
- Return a frozen shallow copy from `getInternalDetails()` to prevent external mutation of audit log data
- Add `isFatalError` unit tests

Test plan

- `error.stack` access does not throw `RangeError`
- `originalError.stack` is not carried over
- `getInternalDetails()` returns an immutable object
- `isFatalError` tests cover all `ErrorCategory` variants and non-Error values

🤖 Generated with Claude Code
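The getter cycle the summary describes, shown as an added example that is not the project's code: `sanitizePath`, `RecursiveSecurityError` and the `context` argument are stand-ins for the project's `pathSanitizer.sanitizePath()` and `SecurityError`; the "before" class recurses on every `.stack` read, the "after" class caches the raw stack in a private field first and returns a frozen copy from `getInternalDetails()`.

```javascript
// Added illustration, not the project's code; sanitizePath stands in for
// the project's pathSanitizer.sanitizePath() (masks absolute paths).
function sanitizePath(text) {
  return text.replace(/\/[\w./-]+/g, '[path]');
}

// BEFORE: the `stack` getter calls getSafeStack(), which reads this.stack,
// which re-enters the getter: any .stack access recurses until RangeError.
class RecursiveSecurityError extends Error {
  constructor(message) {
    super(message);
    Object.defineProperty(this, 'stack', { get: () => this.getSafeStack(), configurable: true });
  }
  getSafeStack() {
    return sanitizePath(this.stack ?? '');
  }
}

// AFTER: read the raw stack into a private field once, before replacing the
// getter; both the getter and getSafeStack() use the field, so no cycle.
class SecurityError extends Error {
  #rawStack;
  constructor(message, context = {}) {
    super(message);
    this.#rawStack = this.stack ?? ''; // raw (unsanitized) stack, captured once
    this.context = context;
    Object.defineProperty(this, 'stack', { get: () => this.getSafeStack(), configurable: true });
  }
  getSafeStack() {
    return sanitizePath(this.#rawStack);
  }
  // Frozen shallow copy so callers cannot mutate what the audit log records.
  getInternalDetails() {
    return Object.freeze({ message: this.message, ...this.context });
  }
}

// True when the unfixed class blows the call stack on a single .stack read.
function recursionTriggersRangeError() {
  try {
    void new RecursiveSecurityError('x').stack;
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}
```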