chore: minor hardening pass (XSS, concurrency, public-only comment)#2
Merged
Conversation
- scripts/collect.sh: clarify that `?type=public` is the sole gate preventing private-repo traffic from being fetched or stored. - .github/workflows/collect.yml: add a `collect-traffic` concurrency group so cron and manual dispatches queue instead of racing on data/traffic.json. - docs/index.html: replace `innerHTML` with DOM APIs in renderTotals and the error fallback to remove a low-risk XSS surface. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The error fallback declared `const main = document.querySelector("main")`,
shadowing the outer async `main` function. Behaviour is unchanged but
future readers should not have to untangle the shadowing.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced Apr 22, 2026
3 tasks
shigechika
added a commit
that referenced
this pull request
Apr 26, 2026
* docs(security): add SECURITY.md and SRI hashes for CDN scripts Following the formal security review pass requested in #8. Findings: - Token handling, public-only invariant, workflow permissions, shell injection, repoSlug() coercion, and dashboard XSS surface all check out (most were already addressed by PRs #2, #11, #12). - One finding remained: docs/index.html loaded chart.js and chartjs-adapter-date-fns from cdn.jsdelivr.net without integrity attributes, so a CDN/NPM compromise could swap the file at the same URL. Added SHA-384 SRI hashes plus crossorigin="anonymous" to both <script> tags. SECURITY.md captures the trust model (who can read/write what), private-vulnerability-reporting URL, the public-only invariant and where it's enforced, workflow trust boundaries, the frontend supply chain story, the Protect main ruleset, and a checklist for fork users covering PAT scope / Pages visibility / private-repo safety / secret naming / branch protection portability / rename detection. Closes #8 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(security): correct SRI hashes for CDN scripts The integrity values in the previous commit were computed from a transient bad curl response — both differed from the bytes jsdelivr actually serves. Verified by hashing each file three times in a row (stable) and grep-checking docs/index.html. Without this fix the browser would have rejected both <script> tags on SRI mismatch, leaving the dashboard blank. Correct hashes: - chart.js@4.4.1 sha384-9nhczxUqK87bcKHh20fSQcTGD4qq5GhayNYSYWqwBkINBhOfQLg/P5HG5lF1urn4 - chartjs-adapter-date-fns@3.0.0 sha384-cVMg8E3QFwTvGCDuK+ET4PD341jF3W8nO1auiXfuZNQkzbUUiBGLsIQUE+b1mxws Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three small, independent hardening tweaks bundled into one PR:
scripts/collect.sh— Strengthen the comment around the?type=publicfilter. It is the only gate that stops this tool from fetching private-repo traffic, even when the PAT happens to grant broader access. Future contributors should know not to weaken it casually..github/workflows/collect.yml— Add acollect-trafficconcurrency group. Cron and manualworkflow_dispatchruns now queue rather than race ondata/traffic.json.cancel-in-progress: falsebecause each tick still carries fresh traffic data worth preserving.docs/index.html— ReplaceinnerHTMLwith DOM APIs inrenderTotalsand the error fallback. The data is owner-controlled (your own repo'straffic.json), so the practical risk is tiny, buttextContent/createElementis the right idiom and removes the XSS surface entirely.Test plan
Collect Traffic Dataworkflow passes on this branch (the workflow change applies on the default branch only, but YAML syntax can be checked here)docs/index.htmlagainst a fork URL — totals table still renders, dark/light mode unaffectedgh workflow run collect.ymland confirm a second concurrent dispatch queues instead of running in parallel🤖 Generated with Claude Code