aaron/graphs #2702
aaron/graphs #2702
Conversation
aaronvg
temporarily deployed
to
boundary-tools-dev
GitHub Actions
Inactive
aaronvg
temporarily deployed
to
boundary-tools-dev
GitHub Actions
Inactive
aaronvg
temporarily deployed
to
boundary-tools-dev
GitHub Actions
Inactive
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
🌿 Preview your docs: https://boundary-preview-f307442b-c983-49b5-9b4c-7b96b6904019.docs.buildwithfern.com |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| // Main message handler - routes IDE/LSP messages to SDK methods | ||
| useEffect(() => { | ||
| const fn = (event: MessageEvent<VscodeToWebviewCommand>) => { | ||
| const handler = async (event: MessageEvent<VscodeToWebviewCommand>) => { |
Check warning
Code scanning / CodeQL
Missing origin verification in `postMessage` handler Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 12 days ago
To address this issue, we need to verify the event.origin property in the main 'message' event handler before any processing occurs. This means modifying the handler function (defined at line 95) so that it only routes messages if they originate from a trusted source.
General steps:
- Define an allow-list of trusted origins (for example: only
window.origin, or a set of specific URLs, whatever fits the application's security model). - In the handler, early return if
event.origindoes not match a trusted origin. - Optionally, add logging for denied origins.
Best way in this code:
- Since the handler runs in the webview/SPA, and likely only communicates with itself (e.g., the origin of the webapp), use
window.location.originas the only trusted origin. - Add a check:
if (event.origin !== window.location.origin) { return; }at the beginning of the handler.- Optionally, log or warn if a message is ignored for documentation/debugging.
- These changes are all done inside the existing handler definition, and no additional dependencies are needed.
Files/lines to change:
Edit typescript/packages/playground-common/src/baml_wasm_web/EventListener.tsx, inside the handler defined at line 95.
No external imports or new methods are needed.
| @@ -93,6 +93,11 @@ | ||
| // Main message handler - routes IDE/LSP messages to SDK methods | ||
| useEffect(() => { | ||
| const handler = async (event: MessageEvent<VscodeToWebviewCommand>) => { | ||
| // Only accept messages from same origin | ||
| if (event.origin !== window.location.origin) { | ||
| console.warn('[EventListener] Ignoring message from untrusted origin:', event.origin); | ||
| return; | ||
| } | ||
| const { source, payload } = event.data; | ||
| console.debug('[EventListener] Handling command:', { source, payload }); | ||
|
|
aaronvg
had a problem deploying
to
boundary-tools-dev
GitHub Actions
Error
aaronvg
had a problem deploying
to
boundary-tools-dev
GitHub Actions
Error
aaronvg
had a problem deploying
to
boundary-tools-dev
GitHub Actions
Error
aaronvg
temporarily deployed
to
boundary-tools-dev
GitHub Actions
Inactive
aaronvg
temporarily deployed
to
boundary-tools-dev
GitHub Actions
Inactive
aaronvg
temporarily deployed
to
boundary-tools-dev
GitHub Actions
Inactive
|
🌿 Preview your docs: https://boundary-preview-acdb8e1a-2938-4741-b7db-86e8cc7bfb43.docs.buildwithfern.com |
aaronvg
temporarily deployed
to
boundary-tools-dev
GitHub Actions
Inactive
aaronvg
temporarily deployed
to
boundary-tools-dev
GitHub Actions
Inactive
aaronvg
temporarily deployed
to
boundary-tools-dev
GitHub Actions
Inactive
aaronvg
temporarily deployed
to
boundary-tools-dev
GitHub Actions
Inactive
|
🌿 Preview your docs: https://boundary-preview-1927b766-0156-4b4d-846f-93bc8d508147.docs.buildwithfern.com |
aaronvg
temporarily deployed
to
boundary-tools-dev
GitHub Actions
Inactive
aaronvg
temporarily deployed
to
boundary-tools-dev
GitHub Actions
Inactive
aaronvg
temporarily deployed
to
boundary-tools-dev
GitHub Actions
Inactive
|
🌿 Preview your docs: https://boundary-preview-5a1a9683-eb9e-443c-b7b7-a1c34305471c.docs.buildwithfern.com |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| ? outsidePoint.y - h - y | ||
| : y - h - outsidePoint.y; | ||
| r = (R * q) / Q; | ||
| const res = { |
There was a problem hiding this comment.
Bug: Division by Zero: Order of Operations Flaw
Division by zero vulnerability when Q equals zero. At line 73, r = (R * q) / Q performs division without checking if Q is zero. While there's a check if (Q === 0) at line 87 that sets res.y, the division at line 73 executes first and will produce Infinity or NaN when Q is zero, corrupting the calculation before the check can fix it. The check should occur before the division.
| r = x - w - outsidePoint.x; | ||
| } | ||
| const q = (Q * r) / R; | ||
| let _x = |
There was a problem hiding this comment.
Bug: Division by Zero: Check Order Matters
Division by zero vulnerability when R equals zero. At line 100, const q = (Q * r) / R performs division without checking if R is zero. While there's a check if (R === 0) at line 108 that sets _x, the division at line 100 executes first and will produce Infinity or NaN when R is zero, corrupting the calculation before the check can fix it. The check should occur before the division.
| return runtime?.getWorkflows() ?? []; | ||
| }, (get, set, update: FunctionWithCallGraph[]) => { | ||
| set(workflowsAtom, update); | ||
| }); |
There was a problem hiding this comment.
Bug: Atom Write Recursion: Breaking the Jotai Model
Infinite recursion in workflowsAtom write function. The setter calls set(workflowsAtom, update) which recursively invokes itself, causing a stack overflow. The write function should update an internal state atom rather than calling itself. This pattern breaks Jotai's derived atom model where the read function should be the source of truth derived from runtimeInstanceAtom.
aaronvg
temporarily deployed
to
boundary-tools-dev
GitHub Actions
Inactive
aaronvg
temporarily deployed
to
boundary-tools-dev
GitHub Actions
Inactive
aaronvg
temporarily deployed
to
boundary-tools-dev
GitHub Actions
Inactive
|
🌿 Preview your docs: https://boundary-preview-c601fb96-5fac-4ac6-903e-dfcf6dd6cdd7.docs.buildwithfern.com |
aaronvg
temporarily deployed
to
boundary-tools-dev
GitHub Actions
Inactive
aaronvg
temporarily deployed
to
boundary-tools-dev
GitHub Actions
Inactive
aaronvg
temporarily deployed
to
boundary-tools-dev
GitHub Actions
Inactive
|
🌿 Preview your docs: https://boundary-preview-935ee4be-e43e-46ec-80a5-8a6d4fb778ed.docs.buildwithfern.com |
Note
Refactors playground to use a new SDK-based runtime/selection model, adds ReactFlow workflow graph with auto‑layout and detail panel, centralizes navigation/test execution, and replaces direct WASM/mermaid paths.
BamlRuntime(WASM) andMockBamlRuntime, unified interface/types, andJotaiStoragefor state.unifiedSelectionAtomwithSelectionBridge.navigationHeuristic) and cursor/test selection syncing.GraphView) + ELK auto‑layout, custom nodes/edges, and camera pan utilities.DetailPanel(I/O, logs, history) and workflow UI components (toolbar/indicator).tests.run/runAll/cancel), adds watch notifications, flashing regions, and history atoms.renderPromptForTest/renderCurlForTest), updates media rendering and token stats.UnifiedPromptPreview, introduces bottom panel switching, updates sidebar and function/test items.Written by Cursor Bugbot for commit ec4b57c. This will update automatically on new commits. Configure here.