sandvich
/
opencode
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge a1ac2d719c into ae614d919f

pull/17367/merge
Keven Sun 2026-04-08 05:21:18 +00:00 committed by GitHub
parent ae614d919f a1ac2d719c
commit d7f13a2865
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 44 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
packages/opencode/src/plugin/codex.ts
View File

@ -10,6 +10,10 @@ import { createServer } from "http"
const log = Log.create({ service: "plugin.codex" })
function escapeHtml(str: string): string {
return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;")
}
const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann"
const ISSUER = "https://auth.openai.com"
const CODEX_API_ENDPOINT = "https://chatgpt.com/backend-api/codex/responses"
@ -230,7 +234,7 @@ const HTML_ERROR = (error: string) => `<!doctype html>
<div class="container">
<h1>Authorization Failed</h1>
<p>An error occurred during authorization.</p>
<div class="error">${error}</div>
<div class="error">${escapeHtml(error)}</div>
</div>
</body>
</html>`

39
packages/opencode/test/plugin/codex-xss.test.ts 100644
View File

@ -0,0 +1,39 @@
import { describe, expect, test } from "bun:test"
/**
* CWE-79: XSS in codex.ts HTML_ERROR
* File: packages/opencode/src/plugin/codex.ts
*
* HTML_ERROR interpolated error string directly into HTML.
* Fix: escapeHtml() sanitizes the error before interpolation.
*/
function escapeHtml(str: string): string {
return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;")
}
const HTML_ERROR = (error: string) => `<div class="error">${escapeHtml(error)}</div>`
describe("CWE-79: XSS in codex.ts HTML_ERROR", () => {
test("should escape script tags", () => {
const result = HTML_ERROR('<script>alert(1)</script>')
expect(result).not.toContain("<script>")
expect(result).toContain("&lt;script&gt;")
})
test("should escape img onerror payload", () => {
const result = HTML_ERROR('<img src=x onerror=alert(1)>')
expect(result).not.toContain("<img")
})
test("should escape quotes", () => {
const result = HTML_ERROR('" onmouseover="alert(1)')
expect(result).toContain("&quot;")
expect(result).not.toContain(' onmouseover="alert')
})
test("should render normal error messages", () => {
const result = HTML_ERROR("invalid_grant")
expect(result).toContain("invalid_grant")
})
})