Security & Quality: Comprehensive code review fixes #458
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## Security Fixes (Critical)
### Command Injection Prevention (lib/xmllint.ts)
- Fix command injection vulnerability in xmlLint function
- Always pipe XML content via stdin instead of accepting file paths
- Prevents arbitrary command execution via malicious file path arguments
- Update tests to pass XML content as strings or streams
### Path Traversal Protection (lib/validation.ts)
- Enhance path traversal detection in validatePath() and validatePublicBasePath()
- Detect '..' in all positions (beginning, middle, end, standalone)
- Validate before and after path normalization
- Check individual path components to catch edge cases
- Handle both Unix (/) and Windows (\) style path separators
### XSL URL Security (lib/validation.ts)
- Implement case-insensitive validation for XSL URLs
- Block script tags in all case variations: <script, <ScRiPt, <SCRIPT>
- Add checks for dangerous protocols: data:, vbscript:, file:, about:
- Detect URL-encoded attacks: %3cscript, javascript%3a, etc.
- Comprehensive protection against XSS and protocol injection
## Quality Improvements
### Number Validation (lib/utils.ts)
- Validate parseFloat(video.rating) returns valid number, not NaN
- Validate parseInt(video.view_count) returns valid non-negative integer
- Throw descriptive errors instead of silently propagating NaN values
### Date Validation (lib/utils.ts)
- Validate Date objects for lastmod, lastmodISO, lastmodfile
- Check for Invalid Date objects using Number.isNaN(date.getTime())
- Throw descriptive errors for unparseable date strings
### Language Regex Fix (lib/types.ts)
- Fix language validator regex from /^zh-cn|zh-tw|([a-z]{2,3})$/ to /^(zh-cn|zh-tw|[a-z]{2,3})$/
- Proper grouping ensures correct ISO 639 language code validation
### Path Resolution (lib/xmllint.ts)
- Improve schema directory resolution using process.cwd()
- Works reliably in source, ESM build, CJS build, and test environments
- Graceful fallback when import.meta is unavailable (Jest)
### Type Documentation (lib/types.ts)
- Add JSDoc comments for PriceType and Resolution types
- Document Google Video Sitemap spec allows case variations
## Documentation
### Security Documentation
- Add comprehensive security section to api.md
- Document URL validation, path traversal protection, XSL security
- Add security notes to xmlLint documentation
- Update examples to show secure usage patterns
### JSDoc Comments
- Add security-focused JSDoc to all validation functions
- Explain what attacks each validation prevents
- Document security best practices
## Testing
### Updated Tests
- Update xmllint tests to pass content instead of file paths
- Add 7 new XSL URL security tests (case-insensitive, encoded attacks)
- All 291 tests passing with >90% coverage
## Breaking Changes
- Stricter path traversal detection may reject paths with '..'
- XSL URL validation blocks more patterns (case-insensitive)
- Number/date parsing throws errors on invalid input
- Language regex fix may reject invalid codes
- xmlLint() no longer accepts file paths, only string/stream content
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR addresses security vulnerabilities and code quality issues identified during a comprehensive code review of
lib/types.ts,lib/utils.ts,lib/validation.ts,lib/xmllint.ts, andlib/errors.ts.Security Fixes (Critical)
🔒 Command Injection Prevention
lib/xmllint.ts🔒 Enhanced Path Traversal Protection
lib/validation.ts..path traversal sequences..in all positions (beginning, middle, end, standalone)/) and Windows (\) separators🔒 XSL URL Security Hardening
lib/validation.ts<script,<ScRiPt,<SCRIPT>, etc.javascript:,data:,vbscript:,file:,about:%3cscript,javascript%3a, etc.Quality Improvements
✅ Number Validation
lib/utils.tsparseFloat()andparseInt()could produceNaNthat propagated to XML✅ Date Validation
lib/utils.tsInvalid DateobjectsNumber.isNaN(date.getTime())to detect invalid dates✅ Language Regex Fix
lib/types.ts/^zh-cn|zh-tw|([a-z]{2,3})$/had incorrect grouping/^(zh-cn|zh-tw|[a-z]{2,3})$/for proper validation✅ Path Resolution Robustness
lib/xmllint.tsprocess.cwd()based search with fallback paths📝 Type Documentation
lib/types.tsPriceTypeandResolutiontypesDocumentation
📖 Security Documentation
api.mdsimpleSitemapAndIndexxmlLintdocumentation about stdin piping📖 JSDoc Security Comments
Testing
✅ Test Updates
tests/xmllint.test.tsto pass XML content instead of file pathsBreaking Changes
..that were previously acceptedAll breaking changes are documented in the updated
api.md.Checklist
🤖 Generated with Claude Code