chore(security): 2026-07 core security audit report (NOJS-289)#294
Open
ErickXavier wants to merge 1 commit into
Open
chore(security): 2026-07 core security audit report (NOJS-289)#294ErickXavier wants to merge 1 commit into
ErickXavier wants to merge 1 commit into
Conversation
Adversarial, exploitability-first review of NoJS Core v1.20.0 covering the CSP-safe evaluator, plugin/registry/context, HTML + attribute sanitizers, storage persistence, router redirect/guards, head injection, and the SSE + HTTP/fetch layer. Verdict: no exploitable High/Critical/Medium findings under the untrusted-data / third-party-plugin threat model. Sandbox held under runtime battery testing (34/34 XSS-mXSS payloads blocked end-to-end, 41/41 evaluator escape attempts neutralized). Documents 6 LOW defense-in-depth / hardening observations (H1-H6) with fixes, plus an explicit "checked, clean" matrix.
8 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adversarial, exploitability-first security audit of NoJS Core v1.20.0 (NOJS-289, T6 of EPIC NOJS-283). Adds the report at
.github/reviews/security-audit-2026-07.md.Threat model: attacker controls untrusted data (HTTP/SSE bodies, URL/route params, query strings, localStorage) or is a third-party plugin — not the page author.
Verdict: no exploitable High/Critical/Medium findings. The sandbox holds under runtime battery testing against the real built bundle in a jsdom realm.
Coverage
Evaluator sandbox (interpreter + compiled paths), LRU expr-cache poisoning, plugin/registry/context prototype pollution + freeze/wildcard bypass, HTML + attribute sanitizers, storage persistence, router redirect/guards,
page-jsonldhead injection, and the SSE + HTTP/fetch layer (redaction, CSRF origin gate, cache keys).Runtime evidence
bind-html→_sanitizeHtml→ liveinnerHTML.constructor.constructor,Function/eval, reflection walks, realm escapes, string-timer callbacks).Hardening backlog (all LOW, none exploitable — no issues filed)
withCredentialswhen EventSource origin ≠ location.origin_isSafeRedirectaccepts//host//internals.removeCoreDirectivefreeze bypassinternalsor document plugins as fully trustednoembed/noframes/plaintext(defense-in-depth)H4 and H6 are one-line, zero-risk — candidates for the v1.20.1 patch.
Report-only; no code changes.