Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions .jules/sentinel.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
## 2026-06-30 - Prevent DOM-based XSS in Viewer JS
**Vulnerability:** Untrusted paths from API responses were directly assigned to `a.href` and used in `iframe` generation, which allows execution of malicious URIs like `javascript:` or `data:`.
**Learning:** Even when avoiding `innerHTML`, directly setting URL-like strings to DOM attributes without protocol validation introduces XSS vectors. The payload can be executed when the link is clicked or the iframe is loaded.
**Prevention:** Implement an `isSafeUrl` verification function to ensure the protocol is strictly `http:` or `https:` (using `new URL()`) before assigning untrusted inputs to DOM attributes like `href` or `src`.
## 2026-07-01 - [Null Byte Injection Prevention]

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH OpenCode could not establish approval sufficiency

  • Problem: the model pool exhausted without a valid current-head review control block, so this changed line cannot be approved from deterministic check state alone.
  • Impact: PR-intent mismatches, missing files, robustness bugs, UX/DX regressions, and CodeGraph-backed flow changes could be missed.
  • Fix: rerun OpenCode after model availability recovers, or add the missing source/test/docs/generated verification evidence needed for a source-backed approval.
  • Verification: rerun the OpenCode Review workflow and confirm it emits APPROVE or source-backed REQUEST_CHANGES for this head SHA.

**Vulnerability:** Filename inputs missing sanitization for null bytes could be truncated, bypassing extension validation rules.
**Learning:** Checking the `file.getOriginalFilename()` for null bytes (`\u0000`) before proceeding ensures that files with hidden payloads or manipulated extensions are rejected explicitly.
**Prevention:** Always validate and reject file names that contain null bytes (`\u0000`) at the very beginning of processing, throwing an `IllegalArgumentException` rather than ignoring them.
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,9 @@ public void validateOrThrow(MultipartFile file, PolicyOverrideRequest overrideRe
}

String fileName = file.getOriginalFilename();
if (fileName != null && fileName.indexOf('\u0000') != -1) {
throw new IllegalArgumentException("File name contains invalid characters.");
}
String extension = extensionOf(fileName);
if (extension.isEmpty()) {
throw new IllegalArgumentException("File extension is required.");
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -191,6 +191,22 @@ void rejectsMissingExtension() {
assertEquals("File extension is required.", ex.getMessage());
}

@Test
void rejectsFilenameWithNullByte() {
ConversionProperties conversionProperties = new ConversionProperties();
conversionProperties.setBlockedExtensions(Set.of("hwp", "hwpx"));
DefaultDocumentValidationService validationService = new DefaultDocumentValidationService(conversionProperties);

IllegalArgumentException ex = assertThrows(
IllegalArgumentException.class,
() -> validationService.validateOrThrow(
new MockMultipartFile("file", "contract\u0000.pdf", "application/pdf", new byte[] {1})
)
);

assertEquals("File name contains invalid characters.", ex.getMessage());
}

@Test
void rejectsBlankFilenameOrMissingName() {
ConversionProperties conversionProperties = new ConversionProperties();
Expand Down