Skip to content

Code review summary: usability breakages and safety/stability gaps #76

Open
Open
Code review summary: usability breakages and safety/stability gaps#76
@dragonheartcra

Description

@dragonheartcra
dragonheartcra
opened on Feb 12, 2026

Summary

I reviewed the current codebase and found several issues that impact core usability and stability. The app is usable for basic chat flows, but some advanced workflows are currently broken or inconsistent.

Impact

  • Basic chat works in most cases.
  • File mention (@...) and some MCP flows are currently unreliable/broken.
  • There are avoidable safety/stability risks in upload and file-serving paths.

Findings

1) @ file mention flow is effectively broken (frontend/backend contract mismatch)

  • Frontend sends session_id / q to /api/files.
  • Backend /api/files now requires dir and rejects missing dir with 400.
  • Result: file mention suggestions fail.

Relevant code:

  • src/components/chat/MessageInput.tsx (fetch to /api/files with session_id, q)
  • src/app/api/files/route.ts (requires dir)

2) MCP add flow for sse/http fails due to validation mismatch

  • MCP editor allows sse/http with url and empty command (expected).
  • Backend POST /api/plugins/mcp still requires server.command for all types.
  • Result: adding sse/http server fails despite valid form data.

Relevant code:

  • src/components/plugins/McpServerEditor.tsx
  • src/app/api/plugins/mcp/route.ts

3) Attachment files are written twice and can collide on filename

  • Upload files are saved in /api/chat and again in claude-client path handling.
  • Both paths use timestamp-based naming (Date.now() + sanitized name), which can collide under same-ms writes.
  • Result: unnecessary I/O, potential overwrite/collision risk.

Relevant code:

  • src/app/api/chat/route.ts
  • src/lib/claude-client.ts

4) /api/uploads path check is too weak

  • Current guard only checks resolved.includes('.codepilot-uploads').
  • No strict base-dir boundary validation and no explicit isFile check before read.
  • Result: fragile safety boundary and avoidable runtime errors.

Relevant code:

  • src/app/api/uploads/route.ts

5) File security policy is inconsistent across folder picker vs file APIs

  • Folder picker allows browsing arbitrary directories.
  • File APIs (/api/files, /api/files/preview) enforce baseDir/home constraints.
  • Result: user can select a folder that later fails with 403 in file tree/preview.

Relevant code:

  • src/app/api/files/browse/route.ts
  • src/app/api/files/route.ts
  • src/app/api/files/preview/route.ts

6) Some API routes return stack traces in response body

  • Several endpoints return error.stack || error.message directly.
  • This can leak server internals/paths to clients.

Relevant code:

  • src/app/api/chat/sessions/route.ts
  • src/app/api/claude-sessions/route.ts
  • src/app/api/claude-sessions/import/route.ts

Suggested Fix Order

  1. Fix @ mention contract mismatch (/api/files request/response contract).
  2. Fix MCP sse/http server validation in backend.
  3. Consolidate attachment persistence into a single write path and use collision-safe IDs (UUID/nanoid).
  4. Harden /api/uploads boundary checks using strict path-safe guard + file type checks.
  5. Unify folder-selection and file-access trust boundary behavior.
  6. Stop returning stack traces to clients; log stack server-side only.

Tests To Add

  • Integration test for @ file mention suggestions (frontend request contract + API response).
  • MCP API tests for stdio, sse, http create/update paths.
  • Upload route tests for path traversal/boundary enforcement and isFile behavior.
  • Regression test for file attachment write path (single write + unique naming).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions