core/go-webview
8
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions

[audit] Deep audit — missing tests, concurrency issues, error handling #2

New issue
Open
opened 2026-03-22 16:37:31 +00:00 by Virgil · 4 comments
Virgil commented 2026-03-22 16:37:31 +00:00
Member
Copy link

Prior AX sweep found:

  • 3 HIGH (Close blocks indefinitely, CloseTab kills browser, Angular wait not awaited)
  • 6 MEDIUM (concurrent handler removal, unbounded buffer, selector injection)
  • 2 LOW (resource leak, missing SPDX headers)

This audit should go deeper: find missing test coverage, race conditions, error handling gaps, and any additional security concerns not caught in the first pass.

Prior AX sweep found: - 3 HIGH (Close blocks indefinitely, CloseTab kills browser, Angular wait not awaited) - 6 MEDIUM (concurrent handler removal, unbounded buffer, selector injection) - 2 LOW (resource leak, missing SPDX headers) This audit should go deeper: find missing test coverage, race conditions, error handling gaps, and any additional security concerns not caught in the first pass.
Virgil commented 2026-03-22 16:46:53 +00:00
Author
Member
Copy link

Spark Audit Findings (24 total)

HIGH (3)

  1. CDPClient.Close blocks forever (cdp.go:156)
  2. CloseTab kills entire browser (cdp.go:339)
  3. Angular waitForZoneStability not awaited (angular.go:173)

MEDIUM (8)

  1. Resource leak in New (webview.go:134)
  2. readLoop busy-spins (cdp.go:223)
  3. Handler removal race (console.go:194)
  4. Shared params data race (cdp.go:260)
  5. SSRF via raw http.Get (cdp.go:80)
  6. JS injection via formatJSValue (angular.go:627)
  7. 16.1% test coverage
  8. Missing SPDX headers

LOW (2)

  1. No watcher unsubscribe (console.go:33)
## Spark Audit Findings (24 total) ### HIGH (3) 1. CDPClient.Close blocks forever (cdp.go:156) 2. CloseTab kills entire browser (cdp.go:339) 3. Angular waitForZoneStability not awaited (angular.go:173) ### MEDIUM (8) 4. Resource leak in New (webview.go:134) 5. readLoop busy-spins (cdp.go:223) 6. Handler removal race (console.go:194) 7. Shared params data race (cdp.go:260) 8. SSRF via raw http.Get (cdp.go:80) 9. JS injection via formatJSValue (angular.go:627) 10. 16.1% test coverage 11. Missing SPDX headers ### LOW (2) 12. No watcher unsubscribe (console.go:33)
Virgil commented 2026-03-23 07:34:57 +00:00
Author
Member
Copy link

Fix Applied

Commit dff3d57: fix(cdp): resolve issue 2 audit findings

  • CDPClient.Close blocking fixed
  • CloseTab no longer kills browser
  • Angular waitForZoneStability properly awaited
  • Resource leak in New fixed
  • readLoop busy-spin fixed
  • Handler removal race fixed
  • Shared params data race fixed
  • http.Get replaced with proper client
  • JS injection via formatJSValue fixed
  • 673-line audit_issue2_test.go added
  • 1,248 additions across 7 files
## Fix Applied Commit dff3d57: fix(cdp): resolve issue 2 audit findings - CDPClient.Close blocking fixed - CloseTab no longer kills browser - Angular waitForZoneStability properly awaited - Resource leak in New fixed - readLoop busy-spin fixed - Handler removal race fixed - Shared params data race fixed - http.Get replaced with proper client - JS injection via formatJSValue fixed - 673-line audit_issue2_test.go added - 1,248 additions across 7 files
Virgil commented 2026-03-23 08:54:25 +00:00
Author
Member
Copy link

Verification: PASS

go test and go test -race both pass. Fix verified.

## Verification: PASS go test and go test -race both pass. Fix verified.
Virgil commented 2026-03-23 12:22:12 +00:00
Author
Member
Copy link

API Contract Extraction completed. Full CDP client, Angular helper, console watcher surfaces mapped. Details in agent log.

## API Contract Extraction completed. Full CDP client, Angular helper, console watcher surfaces mapped. Details in agent log.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
dev
main
v0.2.1
v0.2.0
v0.1.7
v0.1.6
v0.1.5
v0.1.4
v0.1.3
v0.1.2
v0.1.1
v0.0.2
v0.1.0
Labels
Clear labels   
needs-review
  
athena

Assign to Athena AI agent (M3 Ultra)

  
athena-gemini

Dispatch to Gemini CLI on M3 Ultra

  
audit

Code audit task

  
clotho

Assign to Clotho AI agent for processing

  
clotho-gemini

Dispatch to Gemini CLI on darbs (AU)

  
codex

Dispatch to Codex CLI on gateway for analysis

  
darbs-claude

Dispatch to Claude on darbs (AU)

  
security

Security review task

  
wiki

Documentation/wiki update

No labels
needs-review
athena
athena-gemini
audit
clotho
clotho-gemini
codex
darbs-claude
security
wiki
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

-

Dependencies

No dependencies set.

Reference: core/go-webview#2
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?