security(git-id-switcher): tighten CSP img-src from wildcard to explicit subdomain#462

Merged
nullvariant merged 1 commit into
mainfrom
security/tighten-csp-img-src-wildcard
Apr 10, 2026
Conversation

@nullvariant
Owner

Summary

  • Replace *.githubusercontent.com with avatars.githubusercontent.com in buildCspString img-src to prevent loading arbitrary files from attacker-controlled repositories
  • Add scoped absence tests that extract the img-src directive and verify wildcard / raw.githubusercontent.com are not present
  • Move coerceLang and STYLE_CLOSE_PATTERN from csp.ts to shell.ts to align module boundaries (shell-rendering vs CSP concerns)
  • Update ARCHITECTURE.md CSP section to reflect the current policy
  • Add shell.ts to ESLint regex-constant allowlist

Test plan

  • TypeScript compile passes (npx tsc --noEmit)
  • ESLint passes with zero warnings
  • All unit tests pass
  • Statement coverage remains at 100%
  • Absence tests verify *.githubusercontent.com and raw.githubusercontent.com are not in img-src
  • Presence test verifies avatars.githubusercontent.com is in img-src

…cit subdomain

- Replace `*.githubusercontent.com` with `avatars.githubusercontent.com`
  in buildCspString img-src to prevent loading arbitrary files from
  attacker-controlled repositories via raw.githubusercontent.com
- Add scoped absence tests that extract the img-src directive and verify
  wildcard / raw.githubusercontent.com are not present
- Move `coerceLang` and `STYLE_CLOSE_PATTERN` from csp.ts to shell.ts
  to align module boundaries (shell-rendering vs CSP concerns)
- Update ARCHITECTURE.md CSP section to reflect current policy
- Add shell.ts to ESLint regex-constant allowlist

Signed-off-by: Null;Variant <null@nullvariant.com>

🖥️ IDE: [VS Code](https://code.visualstudio.com/)
🔌 Extension: [Claude Code](https://claude.ai/download)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6
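An added example (not code from git-id-switcher's csp.ts or its test suite) showing why the wildcard img-src is too broad and how a scoped absence test inspects only the img-src directive. `buildExampleCsp` is a hypothetical stand-in for the project's `buildCspString`; `directiveSources`, `sourceMatchesHost`, `imgSrcAllows` and `forbiddenImgSources` are names chosen here.

```typescript
// Added example, not the extension's own code. buildExampleCsp is a
// hypothetical stand-in for buildCspString; it only varies the img-src host.
function buildExampleCsp(imgHost: string): string {
  return [
    "default-src 'none'",
    `img-src ${imgHost} data:`,
    "style-src 'unsafe-inline'",
  ].join("; ");
}

/** Return the source list of one directive, or null when it is absent. */
function directiveSources(csp: string, name: string): string[] | null {
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === name) {
      return tokens.slice(1);
    }
  }
  return null;
}

/** Does a single CSP host-source expression cover `host`? */
function sourceMatchesHost(source: string, host: string): boolean {
  const s = source.toLowerCase();
  const h = host.toLowerCase();
  if (s === "*") return true;
  if (s.startsWith("*.")) {
    // "*.githubusercontent.com" matches any subdomain, including raw.
    const suffix = s.slice(1);
    return h.endsWith(suffix) && h.length > suffix.length;
  }
  return s === h;
}

/** Whether the policy's img-src (falling back to default-src) permits `host`. */
function imgSrcAllows(csp: string, host: string): boolean {
  const sources =
    directiveSources(csp, "img-src") ?? directiveSources(csp, "default-src") ?? [];
  return sources.some((s) => sourceMatchesHost(s, host));
}

/** Scoped absence test: img-src sources that must not appear; empty when tight. */
function forbiddenImgSources(csp: string): string[] {
  const sources = directiveSources(csp, "img-src") ?? [];
  return sources.filter((s) => s.includes("*") || s === "raw.githubusercontent.com");
}

// Policy before the change beside the tightened one.
const WEAK_CSP = buildExampleCsp("*.githubusercontent.com");
const TIGHT_CSP = buildExampleCsp("avatars.githubusercontent.com");
```

Checking only the img-src directive, rather than the whole string, keeps the absence test from false-passing when the same host legitimately appears in another directive.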
@nullvariant-slow
Contributor

🦥 Slow's Code Review 😩

...yawn... Do I really have to review this?

⚠️ TOO LONG... I can barely keep my eyes open reading these:

| File | Lines |
| --- | --- |
| extensions/git-id-switcher/src/test/htmlTemplates.test.ts | 1665 |
| extensions/git-id-switcher/src/ui/documentationInternal.ts | 505 |

Split it up... reading long files is exhausting.


働きたくないでござる

This review was reluctantly filed by nullvariant-slow[bot]

@nullvariant-mimi
Contributor

🐰 Mimi's Validation Report ✅

All checks are looking good! Great job! 🎉

⏳ Some checks are still running. I will keep watching!


バリデーターを通してくださいね

This report was carefully prepared by nullvariant-mimi[bot]

@github-actions
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 9de213b.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

@nullvariant-ciel
Contributor

nullvariant-ciel Bot commented Apr 10, 2026

🕊️ Ciel's Mediation 🌤️

*~~ floating down from the clouds ~~ The zoo seems a bit noisy today...*

2 zoo members have reviewed this PR.

| Zoo Member | Status |
| --- | --- |
| 🦥 Slow | Commented |
| 🐰 Mimi | Commented |

⚖️ The zoo has mixed opinions. Some are concerned, some are fine with it. Please review each comment carefully and make the final call.


まあまあ、ほどほどに。

This mediation was peacefully delivered by nullvariant-ciel[bot]

@codecov

codecov Bot commented Apr 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Contributor

@nullvariant-justice nullvariant-justice Bot left a comment

⚖️ Justice grants passage. CI checks passed — this code meets the garden's standards.

@nullvariant nullvariant merged commit f834261 into main Apr 10, 2026
33 of 36 checks passed
@nullvariant nullvariant deleted the security/tighten-csp-img-src-wildcard branch April 10, 2026 07:00