v0.1.1: security & correctness fixes from external review#1
Merged
StuartMeeks merged 2 commits into main (May 3, 2026)
- lock before staging mutation (prevents concurrent installer wiping another installer's in-flight staging dir on its way to losing the lock race)
- rollback swap on copy failure (restore from .old/ instead of leaving a half-populated install dir)
- validate asset name (reject path separators, parent refs, rooted paths — closes a path-traversal vector for malicious sources)
- enforce HTTPS in HttpManifestSource by default (plain HTTP defeats SHA-256 verification because the SHA itself is MITM-able); opt in via SelfUpdaterOptions.AllowInsecureManifestSource for tests / dev
- TOCTOU-safe install path: UpdateCommand fetches the release once and installs that exact instance. Adds ISelfUpdater.GetLatestReleaseAsync + InstallAsync(RemoteRelease, ...) overload; keeps parameterless InstallAsync as a documented convenience
- realign csproj with sibling repos: GeneratePackageOnBuild only on Release; PackageOutputPath moved from C:\\nuget-local to artifacts/packages (platform-neutral, repo-local, gitignored)

150 tests, all passing (was 125).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Matches the CHANGELOG entry for the security & correctness fixes in this branch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Six findings from an OpenAI Code review of v0.1.0, all addressed:
- `Swap` rolls back from `.old/` on copy failure. New `RestoreFromOld` helper, tested directly + via deterministic Phase 2 failure scenario.
- `ValidateAssetName` rejects path separators, parent refs, rooted paths, and any name whose `Path.GetFileName` doesn't round-trip — closes a path-traversal vector.
- `HttpManifestSource` rejects non-HTTPS manifest URLs and non-HTTPS asset URLs by default (plain HTTP defeats SHA-256 verification). Opt in via new `SelfUpdaterOptions.AllowInsecureManifestSource`.
- `ISelfUpdater.GetLatestReleaseAsync()` + `InstallAsync(RemoteRelease, …)` overload. `UpdateCommand` fetches the release once and installs that exact instance. Parameterless `InstallAsync` retained as a documented convenience.
- `GeneratePackageOnBuild` is Release-only; `PackageOutputPath` moved from `C:\nuget-local\` to `$(MSBuildThisFileDirectory)..\..\artifacts\packages` (platform-neutral, repo-local, gitignored). CI no longer needs `-p:PackageOutputPath=` override.
- Version bumped to 0.1.1.
Test plan
- `dotnet build --configuration Release` clean (TreatWarningsAsErrors)
- `dotnet test --configuration Release` — 150 tests, 0 failures (was 125)
- `dotnet build --configuration Debug` no longer auto-packs (verified locally; no `.nupkg` produced)
- `dotnet build --configuration Release` packs to `artifacts/packages/` (no stray `C:/` dir)

🤖 Generated with Claude Code
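As an added illustration of the asset-name check and the staging-path join described in the summary (this is not the repository's own `ValidateAssetName`; the `AssetNameGuard` class, the `StagingPathFor` method and the use of `ArgumentException` are assumptions, and `Path.TrimEndingDirectorySeparator` assumes .NET Core 3.0 or later):

```csharp
using System;
using System.IO;

// Added example, not the project's code: class, method and exception names are assumptions.
public static class AssetNameGuard
{
    // Returns the name unchanged if it is a plain file name; throws otherwise.
    public static string ValidateAssetName(string name)
    {
        if (string.IsNullOrWhiteSpace(name))
            throw new ArgumentException("asset name is empty", nameof(name));
        // Reject both separator styles explicitly: on Linux/macOS '\' is an ordinary
        // filename character, so Path.GetFileName alone would not catch it there.
        if (name.IndexOfAny(new[] { '/', '\\' }) >= 0)
            throw new ArgumentException($"asset name contains a path separator: {name}");
        // "." and ".." would resolve onto or outside the staging directory.
        if (name == "." || name == "..")
            throw new ArgumentException($"asset name is a directory reference: {name}");
        // Rooted names (including Windows drive-relative forms) are never valid assets.
        if (Path.IsPathRooted(name))
            throw new ArgumentException($"asset name is rooted: {name}");
        // Round-trip check: anything the platform treats as having a directory part
        // is rejected even if the explicit checks above missed it.
        if (!string.Equals(Path.GetFileName(name), name, StringComparison.Ordinal))
            throw new ArgumentException($"asset name does not round-trip: {name}");
        return name;
    }

    // Joins the validated name onto the staging directory and re-checks that the
    // resolved path's parent is exactly the staging directory (defence in depth).
    public static string StagingPathFor(string stagingDir, string assetName)
    {
        string root = Path.TrimEndingDirectorySeparator(Path.GetFullPath(stagingDir));
        string full = Path.GetFullPath(Path.Combine(root, ValidateAssetName(assetName)));
        if (!string.Equals(Path.GetDirectoryName(full), root, StringComparison.Ordinal))
            throw new InvalidOperationException($"asset path escaped staging dir: {full}");
        return full;
    }

    public static void Main()
    {
        // Constructed sample names: the first is accepted, the rest are rejected.
        foreach (var n in new[] { "tool-v0.1.1.zip", "../tool.zip", "sub/tool.zip", ".." })
        {
            try { Console.WriteLine($"ok  {StagingPathFor("staging", n)}"); }
            catch (ArgumentException e) { Console.WriteLine($"bad {e.Message}"); }
        }
    }
}
```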