Skip to content

chore(security): 2026-07 core security audit report (NOJS-289)#294

Open
ErickXavier wants to merge 1 commit into
mainfrom
chore/NOJS-289
Open

chore(security): 2026-07 core security audit report (NOJS-289)#294
ErickXavier wants to merge 1 commit into
mainfrom
chore/NOJS-289

Conversation

@ErickXavier

Copy link
Copy Markdown
Collaborator

Summary

Adversarial, exploitability-first security audit of NoJS Core v1.20.0 (NOJS-289, T6 of EPIC NOJS-283). Adds the report at .github/reviews/security-audit-2026-07.md.

Threat model: attacker controls untrusted data (HTTP/SSE bodies, URL/route params, query strings, localStorage) or is a third-party plugin — not the page author.

Verdict: no exploitable High/Critical/Medium findings. The sandbox holds under runtime battery testing against the real built bundle in a jsdom realm.

Coverage

Evaluator sandbox (interpreter + compiled paths), LRU expr-cache poisoning, plugin/registry/context prototype pollution + freeze/wildcard bypass, HTML + attribute sanitizers, storage persistence, router redirect/guards, page-jsonld head injection, and the SSE + HTTP/fetch layer (redaction, CSRF origin gate, cache keys).

Runtime evidence

  • 34/34 XSS/mXSS payloads blocked end-to-end through bind-html_sanitizeHtml → live innerHTML.
  • 41/41 evaluator escape expressions neutralized (constructor.constructor, Function/eval, reflection walks, realm escapes, string-timer callbacks).

Hardening backlog (all LOW, none exploitable — no issues filed)

ID Area Fix
H1 Credentialed SSE same-origin parity block withCredentials when EventSource origin ≠ location.origin
H2 Request-interceptor URL/body redaction parity redact URL params for untrusted request interceptors
H3 Cache key ignores auth/credentials add credentials discriminator to cache key
H4 _isSafeRedirect accepts //host reject protocol-relative //
H5 internals.removeCoreDirective freeze bypass gate internals or document plugins as fully trusted
H6 Sanitizer blocklist omits always-rawtext tags add noembed/noframes/plaintext (defense-in-depth)

H4 and H6 are one-line, zero-risk — candidates for the v1.20.1 patch.

Report-only; no code changes.

Adversarial, exploitability-first review of NoJS Core v1.20.0 covering
the CSP-safe evaluator, plugin/registry/context, HTML + attribute
sanitizers, storage persistence, router redirect/guards, head injection,
and the SSE + HTTP/fetch layer.

Verdict: no exploitable High/Critical/Medium findings under the
untrusted-data / third-party-plugin threat model. Sandbox held under
runtime battery testing (34/34 XSS-mXSS payloads blocked end-to-end,
41/41 evaluator escape attempts neutralized). Documents 6 LOW
defense-in-depth / hardening observations (H1-H6) with fixes, plus an
explicit "checked, clean" matrix.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant