@liwilliam2021 liwilliam2021 commented Jul 10, 2025

Thanks to someone from Roo Vet for pointing out this bug.

The Roo Code extension had a security vulnerability where users could bypass organizational MDM (Mobile Device Management) policies by opening the extension in a new tab/window. The openClineInNewTab function was creating new ClineProvider instances without passing the MDM service parameter, but patched now!


Important

Fix security vulnerability by passing MdmService to ClineProvider in openClineInNewTab() to enforce MDM policies.

  • Security Fix:
    • In openClineInNewTab() in registerCommands.ts, ensure MdmService instance is passed to ClineProvider to enforce MDM policies.
    • Handles case where MdmService is not initialized by setting it to undefined.
  • Misc:
    • Add import for MdmService in registerCommands.ts.

This description was created by Ellipsis for b8923df.
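The bug class described in this PR, as an added illustration that is not Roo Code's code: one entry point builds its provider without the policy service, so the optional check silently passes there. Every name below (`PolicyService`, `PanelProvider`, `openInNewTabBefore`, `requireSignIn`, and so on) is a hypothetical stand-in, and the policy is a constructed sample.

```typescript
// Added illustration. All names are hypothetical stand-ins, not Roo Code's API.
interface Policy { requireSignIn: boolean } // constructed sample policy

class PolicyService {
  constructor(private policy: Policy, private signedIn: boolean) {}
  isCompliant(): boolean {
    return !this.policy.requireSignIn || this.signedIn;
  }
}

class PanelProvider {
  // The policy service is optional, so a call site that omits it still
  // compiles and the check below silently passes (fail-open).
  constructor(readonly surface: string, private policyService?: PolicyService) {}
  canStartTask(): boolean {
    return this.policyService ? this.policyService.isCompliant() : true;
  }
}

type Factory = (svc?: PolicyService) => PanelProvider;

// Entry points that each build their own provider instance.
const openInSidebar: Factory = (svc) => new PanelProvider("sidebar", svc);
const openInNewTabBefore: Factory = (_svc) => new PanelProvider("tab"); // service dropped
const openInNewTabAfter: Factory = (svc) => new PanelProvider("tab", svc); // service passed

// Regression check: hand every entry point a non-compliant policy state and
// report the ones whose provider would still allow work.
function unenforcedEntryPoints(entries: { name: string; make: Factory }[]): string[] {
  const nonCompliant = new PolicyService({ requireSignIn: true }, false);
  return entries.filter((e) => e.make(nonCompliant).canStartTask()).map((e) => e.name);
}

const before = unenforcedEntryPoints([
  { name: "sidebar", make: openInSidebar },
  { name: "newTab", make: openInNewTabBefore },
]);
const after = unenforcedEntryPoints([
  { name: "sidebar", make: openInSidebar },
  { name: "newTab", make: openInNewTabAfter },
]);
console.log("before fix:", before, "after fix:", after);
```

Declaring the constructor parameter as required rather than optional would turn the omitted argument into a compile error instead of a runtime gap.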

@liwilliam2021 liwilliam2021 requested review from cte, jr and mrubens as code owners July 10, 2025 00:52
@dosubot dosubot bot added size:S This PR changes 10-29 lines, ignoring generated files. bug Something isn't working labels Jul 10, 2025
delve-auditor bot commented Jul 10, 2025

No security or compliance issues detected. Reviewed everything up to b8923df.

Security Overview
  • 🔎 Scanned files: 1 changed file(s)
Detected Code Changes

| Change Type | Relevant files |
| --- | --- |
| Enhancement | registerCommands.ts: Add MDM service integration to ClineProvider |

@mrubens mrubens left a comment

Nice!

@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Jul 10, 2025
@mrubens mrubens merged commit 08c9420 into main Jul 10, 2025
21 of 22 checks passed
@mrubens mrubens deleted the will/new-window-mdm-fix branch July 10, 2025 00:57
@github-project-automation github-project-automation bot moved this from New to Done in Roo Code Roadmap Jul 10, 2025
@github-project-automation github-project-automation bot moved this from Triage to Done in Roo Code Roadmap Jul 10, 2025