RomanNum3ral
/
gstack
mirror of https://github.com/garrytan/gstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
gstack/browse
History
Garry Tan cd85bdc196
fix: CSO security fixes — token leak, domain bypass, input validation 
1. Remove root token from /health endpoint entirely (CSO #1 CRITICAL).
   Origin header is spoofable. Extension reads from ~/.gstack/.auth.json.
2. Add domain check for newtab URL (CSO #5). Previously only goto was
   checked, allowing domain-restricted agents to bypass via newtab.
3. Validate scope values, rateLimit, expiresSeconds in createToken()
   (CSO #4). Rejects invalid scopes and negative values.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 		2026-04-04 23:37:36 -07:00
..
bin feat: multi-agent support — gstack works on Codex, Gemini CLI, and Cursor (v0.9.0) (#226) 2026-03-19 18:20:50 -07:00
scripts fix: Windows support — Node.js server fallback for Playwright (#255) 2026-03-20 12:22:11 -07:00
src fix: CSO security fixes — token leak, domain bypass, input validation 2026-04-04 23:37:36 -07:00
test fix: CSO security fixes — token leak, domain bypass, input validation 2026-04-04 23:37:36 -07:00
SKILL.md feat: interactive /plan-devex-review + plan mode skill fix (v0.15.5.0) (#796) 2026-04-04 14:36:23 -07:00
SKILL.md.tmpl feat: sidebar CSS inspector + per-tab agents (v0.13.9.0) (#650) 2026-03-30 12:51:05 -06:00