Skip to content

Fix bugs and security vulnerabilities #15

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
PiotrTrzpil merged 1 commit into from
Feb 2, 2026
Merged

Fix bugs and security vulnerabilities #15

PiotrTrzpil merged 1 commit into from
Feb 2, 2026

Conversation

@PiotrTrzpil
Copy link
Owner

@PiotrTrzpil PiotrTrzpil commented Feb 2, 2026

Summary

This PR fixes several bugs and security vulnerabilities that were preventing the code from compiling and could cause runtime issues.

Bug Fixes

  • index.ts: Fix Main class instantiation - was calling constructor without required actions argument
  • index.ts: Fix error handling - error.message would crash on non-Error objects
  • SelectionSets.ts: Fix integer parsing - parseInt('0') returns 0 which is falsy, causing 0 to be treated as a string instead of an integer
  • QueryRunner.ts:142: Fix wrong variable - was using errors (from validation) instead of result.errors
  • Actions.ts: Fix iteration over generator - use for...of instead of for...in
  • CommandRunner.ts, FieldInterpreter.ts: Fix type mismatch - use GraphQLOutputType instead of GraphQLNamedType

Security Fixes

  • SchemaConnection.ts: Add path traversal protection for schema cache files
    • Sanitize project names to only allow alphanumeric characters, hyphens, and underscores
    • Validate that resolved file paths stay within the working directory
    • Prevents attackers from using ../ sequences to read/write files outside the intended directory

Impact

These changes fix compilation errors that prevented the code from building. The code now compiles successfully with npm run compile.

🤖 Generated with Claude Code

@PiotrTrzpil @claude
Fix bugs and security vulnerabilities
1c74897 
Bug fixes:
- Fix Main class instantiation without required arguments (index.ts)
- Fix error handling for non-Error objects in catch block (index.ts)
- Fix integer parsing bug where '0' was treated as string (SelectionSets.ts)
- Fix wrong variable used in error handling (QueryRunner.ts:142)
- Fix iteration over generator using for...of instead of for...in (Actions.ts)
- Fix type mismatch: use GraphQLOutputType instead of GraphQLNamedType (CommandRunner.ts, FieldInterpreter.ts)

Security fixes:
- Add path traversal protection for schema cache files (SchemaConnection.ts)
  - Sanitize project names to only allow alphanumeric, hyphens, underscores
  - Validate resolved paths stay within working directory

These changes fix compilation errors that prevented the code from building.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@PiotrTrzpil PiotrTrzpil merged commit fa53b60 into master Feb 2, 2026
1 check failed
@PiotrTrzpil PiotrTrzpil deleted the fix-bugs-and-security branch February 2, 2026 22:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@PiotrTrzpil