fix: security hardening and code quality improvements #29

Open
benzntech wants to merge 8 commits into Pickle-Pixel:main from benzntech:fix/security-quality-improvements

@benzntech

Summary

This PR addresses 20+ findings from a comprehensive code review across 16 files.

🔴 Critical Fixes

  • SQL parameterization (C1, C2, M5, M9): Replace all f-string SQL with ? placeholders in detail.py, launcher.py, scorer.py
  • Credential security (C3, C4): Password moved from LLM prompt text to $APPLYPILOT_SITE_PASSWORD env var; CapSolver API calls moved from browser_evaluate (page context) to Bash curl to prevent key exfiltration
  • XSS fix (H8): escape(location.lower()) added to dashboard HTML attributes
  • CLI security warning (C5): Notice shown when launching auto-apply with bypassPermissions

🟠 High Priority Fixes

  • Thread-safe LLM singleton (H1, H2): threading.Lock with double-check locking; atexit.register closes httpx.Client
  • Browser resource leak (H5): browser.close() protected by try/except around page.goto() in smartextract
  • PDF batching (M6): batch_convert() reuses single Chromium instance instead of launching one per file
  • File existence checks (H7): Resume path verified before read in scorer, tailor, cover_letter — clear error message
  • Cover letter uses tailored resume (M10): Falls back to base resume only when tailored not available
  • DB crash safety (H6): Periodic commits every 50 jobs in store_jobs
  • Deadlock retry (H3): acquire_job retries on sqlite3.OperationalError with backoff
  • Streaming error tracking (H9): Stage correctly reports error status when all passes failed

🟡 Medium/Low Fixes

  • Type annotation (M1): dict[str, Callable] with proper collections.abc import in pipeline.py
  • YAML None guard (M3): yaml.safe_load(...) or {} on all code paths in config.py
  • Dashboard LIMIT (M11): LIMIT 500 to prevent OOM on large databases
  • DB cleanup (M8): Added close_all_connections() helper for thread cleanup
  • Nan cleanup (L10): Replaced repeated != "nan" string comparisons with _clean() helper in jobspy.py
  • Salary parsing (L9): Strips $, ,, whitespace before splitting ranges in wizard
  • Site colors (L8): Hash-based color fallback for unknown sites in dashboard

All 27 Python files compile cleanly after changes.
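
The SQL parameterization item in the summary above (f-string SQL replaced with ? placeholders), as an added example that is not code from this PR or the project. The `jobs` table, its rows and every function name are hypothetical; it also shows the one case placeholders cannot cover, a caller-chosen sort column.

```python
import sqlite3

def make_db():
    # Constructed schema and rows; the project's real tables are not shown here.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, site TEXT, title TEXT, score INTEGER)")
    conn.executemany(
        "INSERT INTO jobs (site, title, score) VALUES (?, ?, ?)",
        [("indeed", "SRE", 7), ("linkedin", "AppSec Engineer", 9), ("indeed", "Analyst", 5)],
    )
    return conn

def titles_fstring(conn, site):
    # Before: the value is spliced into the statement text and parsed as SQL.
    query = f"SELECT title FROM jobs WHERE site = '{site}' ORDER BY id"
    return [row[0] for row in conn.execute(query)]

def titles_bound(conn, site):
    # After: the value is bound to a ? placeholder and stays data.
    query = "SELECT title FROM jobs WHERE site = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (site,))]

# Placeholders bind values only, never identifiers, so a caller-chosen
# sort column has to be mapped through an allowlist instead.
SORTABLE = {"score": "score", "title": "title"}

def titles_sorted(conn, site, sort_by):
    column = SORTABLE.get(sort_by)
    if column is None:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    query = f"SELECT title FROM jobs WHERE site = ? ORDER BY {column}"
    return [row[0] for row in conn.execute(query, (site,))]

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed value containing a quote
    print("f-string:", titles_fstring(db, crafted))  # site filter no longer applies
    print("bound:   ", titles_bound(db, crafted))    # no site has this name
    try:
        titles_fstring(db, "o'reilly")               # benign quote breaks the statement
    except sqlite3.OperationalError as exc:
        print("f-string error:", exc)
    print("sorted:  ", titles_sorted(db, "indeed", "score"))
```
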

Benson K B and others added 8 commits March 7, 2026 10:09
Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>