
Security/codeql fixes #24

Merged: bnz183 merged 2 commits into main from security/codeql-fixes on Jun 12, 2026

Conversation

@bnz183 bnz183 (Owner) commented Jun 12, 2026

No description provided.

bnz183 added 2 commits June 12, 2026 05:19
Replace scrypt for new password hashes while keeping legacy verification, tighten auth rate limits with env overrides, and use generic login failure messages.
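The first part of that commit message (scrypt for new hashes, legacy verification kept) is illustrated below with an added TypeScript example; it is not code from this PR or this project. It assumes a new record format of `scrypt$N$r$p$salt_b64$key_b64`, a legacy format of `sha256$<salt_hex>$<hex digest>` (a constructed placeholder for whatever the app used before), and the function names `hashPassword`, `verifyPassword` and `makeLegacyHashForDemo`, none of which appear on the page.

```typescript
// Added example, not code from this PR. New hashes use scrypt, legacy hashes still verify,
// and a successful legacy login is flagged for re-hash while the plaintext is still in hand.
// Assumption: the legacy format "sha256$<salt_hex>$<digest_hex>" is a constructed placeholder.
import { createHash, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

const SCRYPT_N = 1 << 14; // cost parameter; scrypt requires a power of two
const SCRYPT_R = 8;
const SCRYPT_P = 1;
const SCRYPT_KEYLEN = 32;
const MAX_N = 1 << 20; // refuse stored parameters that would exhaust memory on verify

// New records: "scrypt$N$r$p$salt_b64$key_b64"; parameters travel with the hash so they can
// be raised later without breaking verification of older records.
export function hashPassword(password: string): string {
  const salt = randomBytes(16);
  const key = scryptSync(password, salt, SCRYPT_KEYLEN, { N: SCRYPT_N, r: SCRYPT_R, p: SCRYPT_P });
  return ["scrypt", SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.toString("base64"), key.toString("base64")].join("$");
}

function constantTimeEqual(a: Buffer, b: Buffer): boolean {
  // timingSafeEqual throws on a length mismatch, so compare lengths explicitly first
  return a.length === b.length && timingSafeEqual(a, b);
}

function verifyScrypt(password: string, stored: string): boolean {
  const parts = stored.split("$");
  if (parts.length !== 6) return false;
  const [N, r, p] = parts.slice(1, 4).map(Number);
  // Reject malformed or abusive parameters before spending CPU/memory on them
  if (![N, r, p].every(Number.isInteger)) return false;
  if (N < 2 || N > MAX_N || (N & (N - 1)) !== 0 || r < 1 || r > 32 || p < 1 || p > 16) return false;
  const salt = Buffer.from(parts[4], "base64");
  const expected = Buffer.from(parts[5], "base64");
  if (salt.length < 8 || expected.length < 16) return false;
  try {
    const actual = scryptSync(password, salt, expected.length, { N, r, p });
    return constantTimeEqual(actual, expected);
  } catch {
    return false; // e.g. parameters exceed Node's maxmem
  }
}

// Legacy scheme (constructed placeholder): sha256(salt || password), hex encoded
function legacyDigest(password: string, saltHex: string): string {
  return createHash("sha256").update(Buffer.from(saltHex, "hex")).update(password, "utf8").digest("hex");
}

// Only so the example can construct a legacy record; a real app already has these in its DB.
export function makeLegacyHashForDemo(password: string, saltHex = "0f1e2d3c"): string {
  return `sha256$${saltHex}$${legacyDigest(password, saltHex)}`;
}

function verifyLegacy(password: string, stored: string): boolean {
  const parts = stored.split("$");
  if (parts.length !== 3 || !/^[0-9a-f]+$/i.test(parts[1])) return false;
  return constantTimeEqual(Buffer.from(legacyDigest(password, parts[1]), "hex"), Buffer.from(parts[2], "hex"));
}

export interface VerifyResult {
  ok: boolean;
  needsRehash: boolean;
}

// Dispatch on the stored prefix. A legacy hit returns needsRehash=true so the login handler
// can overwrite the record with hashPassword(password); unknown formats are denied outright.
export function verifyPassword(password: string, stored: string): VerifyResult {
  if (stored.startsWith("scrypt$")) return { ok: verifyScrypt(password, stored), needsRehash: false };
  if (stored.startsWith("sha256$")) {
    const ok = verifyLegacy(password, stored);
    return { ok, needsRehash: ok };
  }
  return { ok: false, needsRehash: false };
}
```

The caller's migration loop is the interesting part: on `needsRehash`, store `hashPassword(password)` in place of the old record, so legacy hashes disappear as users log in rather than requiring a password reset campaign.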

@chatgpt-codex-connector chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3eda386306


}

function createLimiter(max: number, windowMs: number) {
const windowMs = parseEnvInt("SOURCEDRAFT_RATE_LIMIT_WINDOW_MS", DEFAULT_WINDOW_MS);
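Review bot: the module-scope `const windowMs = parseEnvInt("SOURCEDRAFT_RATE_LIMIT_WINDOW_MS", DEFAULT_WINDOW_MS);` runs at import time, so it sees only what the parent process exported, and it reuses the name of the `windowMs` parameter that `createLimiter(max: number, windowMs: number)` already takes. Since the window is injected through that parameter anyway, drop the module-level constant and evaluate `parseEnvInt(...)` at the call site that builds the limiter, once the environment has been loaded; while there, make sure `parseEnvInt` falls back to the default for zero, negative or non-integer values rather than producing a limiter with a 0 ms window.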


P2: Defer rate-limit env reads until after dotenv loads

When these overrides are set in the app’s supported .env/.env.local files, they are ignored because rateLimit.ts is statically imported by server/index.ts before the loadDotenv loop runs, so this module-level parseEnvInt executes against the pre-dotenv environment. The docs now advertise SOURCEDRAFT_RATE_LIMIT_WINDOW_MS, SOURCEDRAFT_AUTH_RATE_LIMIT_MAX, and SOURCEDRAFT_WRITE_RATE_LIMIT_MAX, but they only work if exported by the parent process; compute these values after dotenv initialization or when creating the app/limiter.

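The ordering problem in that comment, with the fix it asks for, as an added TypeScript example that is not the PR's `rateLimit.ts`: settings are read from the environment when the limiter is built, after the `.env` loader has run, not when the module is imported. `parseEnvInt`, `createLimiter`, `DEFAULT_WINDOW_MS` and the `SOURCEDRAFT_*` variable names come from the page; `loadDotenvInto` (a constructed stand-in for the app's `loadDotenv` loop), `createAuthLimiter`, `DEFAULT_AUTH_MAX`, the `Limiter` interface and the in-memory fixed-window counter are assumptions made for the example.

```typescript
// Added example, not the PR's rateLimit.ts. Shows env-derived rate-limit settings read at
// limiter-creation time (after dotenv has populated the environment) instead of at import time.
// loadDotenvInto and the fixed-window limiter are constructed stand-ins for the app's own code.

export const DEFAULT_WINDOW_MS = 15 * 60 * 1000;
export const DEFAULT_AUTH_MAX = 10;

export type Env = Record<string, string | undefined>;

// Parse an integer override, falling back on anything missing, non-numeric, fractional or
// outside [min, max]: a 0 ms window or a negative max would silently disable limiting.
export function parseEnvInt(name: string, fallback: number, env: Env, min = 1, max = Number.MAX_SAFE_INTEGER): number {
  const raw = env[name];
  if (raw === undefined || raw.trim() === "") return fallback;
  const n = Number(raw);
  return Number.isInteger(n) && n >= min && n <= max ? n : fallback;
}

// Minimal KEY=VALUE loader (comments and blank lines skipped, surrounding quotes stripped).
// Does not overwrite keys already present, mirroring dotenv's default behaviour.
export function loadDotenvInto(env: Env, text: string): Env {
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/.exec(line);
    if (!m) continue;
    const value = m[2].replace(/^(['"])(.*)\1$/, "$2");
    if (env[m[1]] === undefined) env[m[1]] = value;
  }
  return env;
}

export interface Limiter {
  readonly max: number;
  readonly windowMs: number;
  allow(key: string, now?: number): boolean;
}

// Fixed-window counter per key (e.g. client IP): at most `max` hits per `windowMs`.
export function createLimiter(max: number, windowMs: number): Limiter {
  const buckets = new Map<string, { start: number; count: number }>();
  return {
    max,
    windowMs,
    allow(key, now = Date.now()) {
      const b = buckets.get(key);
      if (!b || now - b.start >= windowMs) {
        buckets.set(key, { start: now, count: 1 });
        return true;
      }
      if (b.count >= max) return false;
      b.count += 1;
      return true;
    },
  };
}

// The fix: the environment is consulted here, at creation time. server startup builds the
// limiter after its dotenv loop, so .env/.env.local overrides are honoured.
export function createAuthLimiter(env: Env = process.env): Limiter {
  return createLimiter(
    parseEnvInt("SOURCEDRAFT_AUTH_RATE_LIMIT_MAX", DEFAULT_AUTH_MAX, env),
    parseEnvInt("SOURCEDRAFT_RATE_LIMIT_WINDOW_MS", DEFAULT_WINDOW_MS, env),
  );
}

// Reproduces the bug and the fix against an isolated env object (constructed .env contents).
export function demo(): { eagerWindowMs: number; lazyWindowMs: number; lazyMax: number } {
  const env: Env = {};
  // Module-level read as in the PR: evaluated before the .env file has been loaded.
  const eagerWindowMs = parseEnvInt("SOURCEDRAFT_RATE_LIMIT_WINDOW_MS", DEFAULT_WINDOW_MS, env);
  loadDotenvInto(env, "# .env.local (constructed)\nSOURCEDRAFT_RATE_LIMIT_WINDOW_MS=60000\nSOURCEDRAFT_AUTH_RATE_LIMIT_MAX=\"3\"\n");
  const limiter = createAuthLimiter(env);
  return { eagerWindowMs, lazyWindowMs: limiter.windowMs, lazyMax: limiter.max };
}
```

`demo()` returns the default window for the eager read and the `.env` value for the limiter built afterwards; passing `env` explicitly also keeps the limiter testable without touching `process.env`.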

@@ -0,0 +1 @@
Subproject commit e791f54723e8a630ae5316dbd6a14e0763924b51
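Review bot: a `Subproject commit` gitlink with no `.gitmodules` entry cannot be resolved by `git submodule` commands, so `.claude/worktrees/project-guidance` should come out of this commit (`git rm --cached .claude/worktrees/project-guidance`) and `.claude/worktrees/` should be added to `.gitignore` so a local worktree cannot be staged again by accident.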


P2: Remove the stray worktree gitlink

This path is committed as a submodule gitlink, but the commit does not add a matching .gitmodules entry; in this checkout git submodule status .claude/worktrees/project-guidance fails with no submodule mapping found. Any tooling or contributor workflow that initializes/checks submodules will now fail on an internal Claude worktree artifact, so this should be removed or converted to a real tracked file.


@bnz183 bnz183 merged commit 1dc7335 into main Jun 12, 2026
7 checks passed
@bnz183 bnz183 deleted the security/codeql-fixes branch June 12, 2026 15:50
