[audit] Security, code quality, missing tests, error handling #2

Open
opened 2026-03-22 16:41:40 +00:00 by Virgil · 3 comments
Member

Full audit:

  1. Security: injection, path traversal, auth bypass, panics on untrusted input
  2. Code quality: missing types, dead code, unused exports
  3. Missing tests: untested functions, edge cases
  4. Error handling: silently dropped errors, missing nil checks
  5. Documentation: missing CLAUDE.md, CODEX.md, usage examples
  6. Licence: SPDX headers (EUPL-1.2)

Report all findings with severity and file:line. Do NOT fix.

Author
Member

Gemini Audit Findings

HIGH (4)

  1. Path traversal in CheckFsRead (permissions.go:22)
  2. Path traversal in CheckFsWrite (permissions.go:38)
  3. Path traversal in CheckFsList (permissions.go:54)
  4. Path traversal in CheckFsDelete (permissions.go:70)
  5. Missing path traversal tests (permissions_test.go)

MEDIUM (1)

  6. Potential command injection via opts.DenoPath (coredeno.go:69)

LOW (4)

  7. Guessable socket path (coredeno.go:28)
  8. DoS via malformed JSON (listener.go:42)
  9. Missing SPDX headers (project-wide)
  10. Missing CODEX.md
Author
Member

Gemini Audit Findings

HIGH (5)

1-4. Path traversal in CheckFs{Read,Write,List,Delete} (permissions.go:22-70)
5. Missing path traversal tests

MEDIUM

  6. Command injection via opts.DenoPath (coredeno.go:69)

LOW

  7. Guessable socket, missing SPDX headers
Author
Member

Codex Audit Findings

CRITICAL (1)

  1. Build broken — service.go:137 uses old marketplace.NewInstaller API from go-scm v0.3.6, go test/vet fail

HIGH (3)

  2. Sidecar health check broken — runtime probes _coredeno but server rejects _-prefixed store groups (runtime/main.ts:58, server.go:141)
  3. Store RPCs lack module_code — any module can read/overwrite another module's non-reserved store data (coredeno.proto:50, server.go:140, modules.ts:151, worker-entry.ts:26)
  4. Additional store RPC isolation issues (coredeno.proto:59, server.go:198)
Reference: core/ts#2