Skip to content

Fix 25 confirmed bugs from code audit#445

Open
simon-lowes wants to merge 3 commits into
mainfrom
fix/audit-bugs
Open

Fix 25 confirmed bugs from code audit#445
simon-lowes wants to merge 3 commits into
mainfrom
fix/audit-bugs

Conversation

@simon-lowes

@simon-lowes simon-lowes commented Jun 2, 2026

Copy link
Copy Markdown
Owner

Automated audit fixes (25 findings)

Fixes for confirmed bugs found in an automated code audit. Every change was verified and independently reviewed (verdict: pass).

Fixed

  • Lagged correlation misaligns time series by one day in negative-UTC-offset timezones — Parse the YYYY-MM-DD series key with new Date(y, m-1, d) instead of new Date(date1) (which parses as UTC midnight), keeping the lag arithmetic in local time.
  • CSV export does not escape commas/newlines or guard against formula injection — Exported the hardened escapeCSV from csv-export.ts and routed exportToCSV's every field (intensity, locations, triggers, hashtags, notes) through it; escapeCSV already quotes/escapes commas/quotes/newlines and prefixes =,+,-,@,tab,CR cells.
  • UPDATE RLS policies lack WITH CHECK (user_id reassignment) — New idempotent migration recreates the tracker_entries and profiles UPDATE policies with WITH CHECK ((select auth.uid()) = user_id/id). Historical migrations left untouched (append-only); used the (select auth.uid()) form to stay consistent with the earlier initplan optimization.
  • Transient network error during background validation forcibly signs out a valid user — Added isDefinitiveAuthError(): only sign out + clear state on 401/403; on transient error or thrown transport failure, return the cached user and keep the refresh token for a later retry.
  • 'Remember me' / browser-close sign-out enforcement is a dead no-op — When a session exists but neither baseline-remember-session (localStorage) nor baseline-active-session (sessionStorage) flag is present, actually call auth.signOut() and setUser(null). Preserved the existing 5s getSession timeout race.
  • Editing an existing entry silently restores another entry's stale draft — Added an 'enabled' option to useFormDraft that gates the autosave interval + visibilitychange + pagehide saveDraft handlers; PainEntryForm passes enabled:!isEditing so editing never writes to the new-entry draft key.
  • Multi-tracker CSV export drops all custom (schema v2) field data — Replaced the hard-coded v1-only multi-tracker branch with per-tracker sections: each tracker emits generateSchemaV2CSV when it has custom fields, else generateSchemaV1CSV, prefixed with an escaped 'Tracker: ' header.
  • Distributed rate limiter fails open silently — All three failure paths (non-OK RPC, empty data, thrown error) now fail CLOSED (allowed:false, remaining:0) via onBackendFailure(); added an opt-in failOpen config flag (default false). Callers already return 429 when !allowed, so an outage now yields a graceful denial instead of unlimited paid AI calls.
  • isLikelyGenericConfig rejects valid configs with <=3 locations — Removed the bare length<=3 clause; now only flags as generic when labels exist AND all match the generic vocabulary (locLabels.length>0 && every(...)).
  • Schema v2 CSV header row is not escaped — Header now maps field labels through escapeCSV: ['Date','Time', ...fields.map(f => escapeCSV(f.label))].
  • Chart/tooltip date formatters reintroduce UTC day-boundary off-by-one — Added exported parseLocalDateString(YYYY-MM-DD)->local Date; formatChartDate and formatTooltipDate now use it instead of new Date(dateStr).
  • Injection-pattern neutralisation uses non-global regex (repeated phrases survive) — Switched all INJECTION_PATTERNS to /gi and added neutralizeInjectionPatterns() that resets lastIndex before test/replace so every occurrence is blocked. Added a repeated-phrase test asserting no residual attack text and two [blocked] markers.
  • Error-sanitisation test only inspects a 3-line lookahead and the literal name 'errorText' — Rewrote the test to capture every variable assigned from await ....text() (any name), then scan the whole file for that variable leaked via throw new Error(...), JSON.stringify(...), or a direct Response body.
  • Auth-enforcement test passes for any function that merely reads the auth header or contains '401' — Strengthened from .toContain('401') to require a new Response(...) with status: 401 co-located within ~400 chars, so a stray '401' substring no longer satisfies the invariant.
  • Retry backoff double-counts attempts, causing premature give-up and miscalculated delays — Capture priorAttempts before marking syncing, compute the backoff from it, and call onStatusUpdate('syncing') AFTER the backoff wait so the increment lines up with the attempt actually being made; documented the success-path reset.
  • Injection-pattern neutralization only replaces the first match (security) — Same fix as the global-flag finding: patterns are now global and neutralizeInjectionPatterns replaces all occurrences with lastIndex reset to avoid stateful-regex gaps.
  • sanitizeExternalResponse performs no injection-pattern checking (second-order injection) — sanitizeExternalResponse now runs neutralizeInjectionPatterns over external API content before truncation; added a test asserting an 'ignore previous instructions' phrase in external text is replaced with [blocked].
  • Unguarded location.label dereference on untrusted AI config can throw — Guarded both arrays: locations map only keeps items whose label is a string; triggers filter to typeof t === 'string' before toLowerCase().
  • Tracker list re-fetched and overwritten on every navigation, clobbering optimistic additions — Removed currentView from the loadTrackers effect deps (now [user, navigate]); gated the empty-state welcome redirect with a one-shot welcomeRedirectDone ref that resets on logout.
  • TrackerSelector stores literal 'other' as confirmed_interpretation instead of null — Mirrors Dashboard: confirmed_interpretation: selectedInterpretation?.value === 'other' ? null : (selectedInterpretation?.value ?? null).
  • decodeState accepts arbitrary URL-supplied state with no field validation — Added VALID_VIEWS allowlist; decodeState now rejects (returns null) when parsed.view is not a known AppView or trackerId is present but not a string, and returns a normalized {view, trackerId}.
  • Date range picker disables the day of the earliest entry — Disabled predicate now compares date < startOfDay(minDate) (startOfDay already imported) so the earliest entry's own day is selectable.
  • Theme onboarding 'system' branches are dead code — currentMode now reads the baseline-theme-mode localStorage key (the source ThemeSwitcher uses for 'system') and falls back to parsing the next-themes theme string, so system mode is detectable and gets the correct label/tooltip/duration.
  • Theme CTA show-count incremented before the CTA is displayed — Moved the THEME_CTA_COUNT_KEY increment+persist inside the 1500ms setTimeout callback alongside setShowThemeCTA(true), so a quick unmount no longer burns a show from the budget.
  • Forbidden-pattern regex for eval requires a preceding non-dot char — Changed the dynamic-code-execution pattern from a consuming [^.] prefix to a negative lookbehind (?<![.\w]) so a line-leading eval( is detected while .eval( and longer identifiers are excluded.

Decisions / assumptions

  • RLS WITH CHECK fix delivered as a new migration: Two later policy migrations (20260109202650, 20260109202945) are Dashboard stubs with no readable SQL, so I could not statically confirm the live policy text. Rather than edit append-only history, I added a new idempotent migration that DROPs and recreates the tracker_entries/profiles UPDATE policies with WITH CHECK, using the (select auth.uid()) form to match the prior initplan optimization. This is safe to re-apply even if the live policies already differ.
  • Distributed rate limiter now fails closed by default: For endpoints gating paid Gemini calls, denying during a limiter outage is safer than allowing unlimited usage. I made fail-closed the default and added an opt-in failOpen flag for any future non-sensitive endpoint. Callers already translate !allowed into a 429, so the user sees a graceful 'try again later' rather than a fabricated success.
  • Remember-me enforcement signs the user out on browser-close: The UI promises a no-remember session ends on browser close. I implemented the documented behavior (force sign-out when a session exists but neither persistence flag is set) rather than removing the UI promise, since that matches the AuthForm flag-writing logic. Existing 5s getSession timeout protection was preserved.

Verification

npm ci installed deps cleanly (0 vulnerabilities). tsc --noEmit on the src project produced 48 errors that are ALL pre-existing (identical count and set on a fresh main worktree; none reference any file I changed - they are lucide-react deep-import path issues and other base-branch issues, which is why the repo's build script uses tsc -b --noCheck). vitest: with the required VITE_SUPABASE_URL/VITE_SUPABASE_ANON_KEY env vars set, all 13 suites / 315 tests pass, including the prompt-sanitizer, edge-function-security, xss-safety, and configGenerationService suites I touched. Without env vars, 3 suites fail at import time on a missing-env guard in supabaseClient.ts (a harness config issue, not a code regression). eslint on all changed src files: 0 errors (only pre-existing warnings, none on lines I added). deno check passed on both edited edge-function shared files. The new SQL migration is standard idempotent Postgres RLS DDL matching existing migration style (no offline SQL tooling available, but syntax verified by inspection). Did not run e2e/Playwright/dev server per instructions.

Reviewer notes (non-blocking)

  • Scope: configGenerationService.ts also tightened the looksGenericTriggers clause (from trigLabels.length <= 4 && every(...) to length > 0 && every(...)), which the original finding only called out for locations. It is a correct improvement in the same direction and type-safe (config.triggers is string[]), but slightly beyond the stated finding.
  • Behavior change: App.tsx welcome redirect now fires on the first session load whenever the user has zero trackers, regardless of currentView (previously only when currentView==='dashboard'). A zero-tracker user deep-linking to a non-dashboard view will now be redirected to welcome once. This is arguably more correct and matches the documented intent.
  • useAuth: legacy users who authenticated before the remember-me flag system existed will have neither flag set and will be signed out once on next load. One-time minor re-auth, acceptable per the stated decision.
  • Could not execute configGenerationService.test.ts in this sandbox (env-gated import failure in supabaseClient.ts), so the isLikelyGenericConfig/label-guard fix was verified by static reading and type analysis rather than by its unit test.

🤖 Generated with Claude Code

simon-lowes and others added 3 commits June 2, 2026 18:53
@simon-lowes @claude
Fix 25 audited bugs: timezone, CSV, RLS, auth, sanitizer, tests
861a9a7 
Addresses all confirmed audit findings:

Correctness / logic
- interlink-utils: parse YYYY-MM-DD lag keys as LOCAL dates (no UTC off-by-one)
- date-utils: add parseLocalDateString; use it in chart/tooltip formatters
- configGenerationService: drop bare length<=3 generic heuristic and guard
  against malformed location/trigger items (no TypeError on missing label)
- syncService: derive backoff from real prior-attempt count, mark syncing
  after the backoff wait so the counter is not one cycle behind
- App: load trackers once per session (drop currentView dep) with a one-shot
  welcome-redirect ref, preventing optimistic-add clobber and redundant reads
- TrackerSelector: store null (not literal 'other') for confirmed_interpretation
- DateRangePicker: compare against startOfDay(minDate) so earliest entry's day
  remains selectable
- use-theme-onboarding: detect 'system' from baseline-theme-mode key; increment
  CTA show-count only when the CTA is actually shown

Security
- analytics-utils + csv-export: route exports through hardened escapeCSV
  (quote/escape all fields, formula-injection guard); escape v2 headers;
  preserve custom-field data in multi-tracker export via per-tracker sections
- prompt-sanitizer: make injection patterns global so every occurrence is
  neutralized; also neutralize external API content (second-order injection)
- distributed-rate-limiter: fail CLOSED by default on backend errors
  (configurable failOpen) to keep quota enforcement on paid AI endpoints
- migration: add WITH CHECK to tracker_entries/profiles UPDATE RLS policies
- supabaseAuth: only sign out on definitive 401/403 auth errors, keep session
  on transient network/server failures
- useAuth: enforce documented no-remember sign-out on browser-close
- useFormDraft: add enabled flag; PainEntryForm disables draft persistence when
  editing so it cannot clobber the new-entry draft
- stateEncoder: validate decoded view against the known union and trackerId type

Test hardening
- edge-function-security.test: verify a real status:401 Response co-located with
  the auth check; scan whole file for any .text() variable leaked via throw,
  JSON.stringify, or Response body
- prompt-sanitizer.test: add repeated-phrase and external second-order cases
- xss-safety.test: use negative lookbehind so line-leading eval( is detected

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@simon-lowes @claude
Remove redundant WITH CHECK migration (production already protected)
ad46756 
The audit flagged the UPDATE RLS policies on tracker_entries/profiles as
lacking WITH CHECK based on the migration files. Verifying against the live
database (pg_policies + security advisors) shows the policies already carry
WITH CHECK ((select auth.uid()) = user_id/id) — they were tightened and
renamed via the Supabase dashboard, so the change never landed in a migration
file. This migration referenced the old policy names and would have created a
duplicate UPDATE policy in production rather than fixing anything. Removing it.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@simon-lowes @claude
Capture applied DB security migrations into version control
a1a94fb 
Three migrations were applied to the production database to close issues the
code-only audit could not see (Supabase security advisors), now recorded as
migration files (version IDs match the remote migration history, so they are
recognised as already-applied and are rebuild-guarded):

- restrict_maintenance_function_execution: ~19 SECURITY DEFINER admin/maintenance
  functions (cleanup_security_events, cleanup_audit_logs, run_database_maintenance,
  fix_rls_policies, ...) were EXECUTE-able by anon/authenticated via PostgREST RPC.
  Revoked from public/anon/authenticated; service_role retained.
- restrict_tracker_images_listing: dropped the broad authenticated SELECT policy on
  the public tracker-images bucket that allowed cross-user file enumeration.
- restrict_set_ambiguous_terms_trigger_fn: revoked direct EXECUTE on a trigger fn.

Note: the repo migrations remain out of sync with production (much of the live
schema was applied via the Supabase dashboard). A full re-baseline should be done
with `supabase db pull`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@simon-lowes