Skip to content

Security hardening and robustness fixes for Docker scripts and session injection #1345

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
damsleth merged 6 commits into from
Feb 4, 2026
Merged

Security hardening and robustness fixes for Docker scripts and session injection #1345

damsleth merged 6 commits into from
Feb 4, 2026

Conversation

Copy link
Contributor

Copilot AI commented Feb 4, 2026
edited
Loading

Your checklist for this pull request

  • Make sure you are requesting to pull a feature/bugfix branch (right side).
  • Make sure you are making a pull request against the dev branch (left side). Also you should start your branch off our dev branch.
  • Check your code additions locally using npm run watch
  • Make sure strings/resources are added using our resource files
  • Make sure CHANGELOG.md is updated if applicable
  • Make sure Smoke tests are updated if applicable

Review checklist

  • Tested locally

Review theme song

🎵 Tool - Forty Six & 2 🎵

Description

Addresses security vulnerabilities and robustness issues in the session injection endpoint and Docker environment scripts.

Session Injection Endpoint Security

  • Changed GET to POST to prevent accidental triggering by prefetchers/crawlers
  • Added SESSION_INJECTION_SECRET with crypto.timingSafeEqual() for timing-attack resistance
  • Enforced NODE_ENV=development guard
  • Session regeneration before injection prevents fixation attacks
  • Allowlist pattern (passport field only) replaces unsafe Object.assign
  • Open redirect protection validates internal relative paths only

Docker Script Robustness

  • Normalized COMPOSE_PROJECT_NAME for Docker Compose compatibility (lowercase, alphanumeric+hyphens)
  • Replaced .env file sourcing (code execution risk) with safe key-value parsing
  • Handles base64 values containing = characters correctly
  • Quote-wrapped YAML environment values prevent truncation from # or =
  • Added docker compose version validation check
  • DRY principle: single source of truth for environment variable allowlist

Documentation

  • Replaced hardcoded port 9142 with dynamic ${APP_URL} references
  • Updated examples to POST with X-Injection-Secret header

Before:

curl http://localhost:9142/auth/inject-session

After:

curl -X POST "${APP_URL}/auth/inject-session" \
  -H "X-Injection-Secret: ${SESSION_INJECTION_SECRET}"

How to test

  1. Check out locally with gh: gh pr checkout 1342
  2. Run ./scripts/agent-setup.sh in a worktree with special characters (e.g., Test.Branch-123)
  3. Verify Docker Compose project name is normalized and containers start successfully
  4. Set TEST_SESSION_COOKIE and SESSION_INJECTION_SECRET environment variables
  5. Test session injection endpoint with correct and incorrect secrets
  6. Verify redirect URL validation prevents open redirects

Related PRs

Addresses all review comments from PR #1342

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI mentioned this pull request Feb 4, 2026
Merged
Copilot AI and others added 5 commits February 4, 2026 14:52
@damsleth
fix: apply security and robustness improvements from code review
65247a0 
Co-authored-by: damsleth <7300548+damsleth@users.noreply.github.com>
@damsleth
fix: add timing-safe comparison and handle edge cases
8fc6be9 
Co-authored-by: damsleth <7300548+damsleth@users.noreply.github.com>
@damsleth
fix: add buffer length check and improve .env parsing robustness
d6ae742 
Co-authored-by: damsleth <7300548+damsleth@users.noreply.github.com>
@damsleth
refactor: use case-insensitive header lookup and DRY principle
67f72ed 
Co-authored-by: damsleth <7300548+damsleth@users.noreply.github.com>
@damsleth
fix: correct quote stripping pattern and use consistent session indexing
eea609f 
Co-authored-by: damsleth <7300548+damsleth@users.noreply.github.com>
Copilot AI changed the title [WIP] Refactor Docker scripts and enhance session management Security hardening and robustness fixes for Docker scripts and session injection Feb 4, 2026
Copilot AI requested a review from damsleth February 4, 2026 15:00
@damsleth damsleth marked this pull request as ready for review February 4, 2026 15:30
@damsleth damsleth merged commit 64fcfc6 into feat/agent-setup Feb 4, 2026
1 check was pending
@damsleth damsleth deleted the copilot/sub-pr-1342 branch February 4, 2026 15:34
damsleth added a commit that referenced this pull request Feb 4, 2026
@damsleth
unified docker.sh script for improved docker management (#1342)
cce80c7 
* Refactor Docker scripts and enhance session management

- Replaced docker-dev.sh with a unified docker.sh script for improved Docker management.
- Removed docker-quickstart.sh and validate-docker.sh as they are no longer needed.
- Introduced agent-setup.sh and agent-teardown.sh for hands-off Docker environment setup for agent worktrees.
- Updated package.json to reflect new script paths and commands.
- Added session injection endpoint in auth.ts for testing purposes, allowing agents to authenticate without OAuth.
- Enhanced logging and error handling across scripts for better debugging and user feedback.

* fix: session injection env handling

* Security hardening and robustness fixes for Docker scripts and session injection (#1345)

* Initial plan

* fix: apply security and robustness improvements from code review

Co-authored-by: damsleth <7300548+damsleth@users.noreply.github.com>

* fix: add timing-safe comparison and handle edge cases

Co-authored-by: damsleth <7300548+damsleth@users.noreply.github.com>

* fix: add buffer length check and improve .env parsing robustness

Co-authored-by: damsleth <7300548+damsleth@users.noreply.github.com>

* refactor: use case-insensitive header lookup and DRY principle

Co-authored-by: damsleth <7300548+damsleth@users.noreply.github.com>

* fix: correct quote stripping pattern and use consistent session indexing

* Add SESSION_INJECTION_SECRET to Environment type definition (#1348)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@damsleth damsleth Awaiting requested review from damsleth

Assignees

@damsleth damsleth

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@damsleth