Skip to content

security: fix sandbox bypass, env race, and unsafe SAFETY docs #1231

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
BunnyMoth wants to merge 14 commits into from
Closed

security: fix sandbox bypass, env race, and unsafe SAFETY docs #1231

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
b829ab0
security: fix sandbox bypass, env race, and unsafe SAFETY docs
BunnyMoth Jun 5, 2026
f8498f7
fix: rustfmt and missing api_keys in test AppState initializers
BunnyMoth Jun 6, 2026
0a4ec79
fix: uuid staging suffix and atomic rename in clawhub install
BunnyMoth Jun 6, 2026
1e5f3c0
perf: reuse reqwest::Client across WASM host calls via GuestState
BunnyMoth Jun 6, 2026
642e7ae
security: harden WhatsApp gateway — bearer auth, ACL, error redaction…
BunnyMoth Jun 6, 2026
5d92039
chore: add package-lock.json for whatsapp-gateway (pins deps, 0 vulne…
BunnyMoth Jun 6, 2026
2cc8041
fix: bump lettre 0.11.21 -> 0.11.22 (RUSTSEC-2026-0141 TLS hostname v…
BunnyMoth Jun 6, 2026
bf571a7
refactor: replace let _ = validate_path()? with validate_path()?
BunnyMoth Jun 6, 2026
57493b4
docs: add missing /// doc comments to openfang-types public items
BunnyMoth Jun 6, 2026
ab62603
ci: add --all-targets to clippy and npm audit job for whatsapp gateway
BunnyMoth Jun 7, 2026
80d6aac
security: Zeroizing<String> for api_keys HashMap values, update SECUR…
BunnyMoth Jun 7, 2026
02fe9f8
fix: WASM timeout respects max_cpu_time_ms, fix stale fuel_limit in A…
BunnyMoth Jun 8, 2026
8c54545
feat: implement WASM memory limiter via ResourceLimiter (Gap D)
BunnyMoth Jun 8, 2026
6a05e26
perf: cancel watchdog thread on early WASM exit via AtomicBool (Gap B)
BunnyMoth Jun 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 17 additions & 1 deletion .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ jobs:
libayatana-appindicator3-dev \
librsvg2-dev \
patchelf
- run: cargo clippy --workspace -- -D warnings
- run: cargo clippy --workspace --all-targets -- -D warnings

fmt:
name: Format
Expand All @@ -106,6 +106,22 @@ jobs:
run: cargo install cargo-audit --locked
- run: cargo audit

# ── WhatsApp gateway Node dependency audit ────────────────────────────────
gateway-audit:
name: Gateway npm audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v4
with:
node-version: 20
- name: Install dependencies (frozen lockfile)
working-directory: packages/whatsapp-gateway
run: npm ci
- name: Audit for high/critical vulnerabilities
working-directory: packages/whatsapp-gateway
run: npm audit --audit-level=high

# ── Secrets scanning (prevent accidental credential commits) ──────────────
secrets:
name: Secrets Scan
Expand Down
34 changes: 17 additions & 17 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@

| Version | Supported |
|---------|--------------------|
| 0.3.x | :white_check_mark: |
| 0.6.x | :white_check_mark: |

## Reporting a Vulnerability

Expand Down
Loading