chore: add security scans (#480)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: sebastienfontaine

.github/workflows/ci.yml

@@ -1,5 +1,9 @@
 name: CI
 
+permissions:
+  contents: read
+  security-events: write
+
 on:
   push:
     branches:
@@ -33,3 +37,94 @@ jobs:
         # Only works if you set `reportOnFailure: true` in your vite config as specified above
         if: always()
         uses: davelosert/vitest-coverage-report-action@v2
+
+  gitleaks_scan:
+    name: Gitleaks Secret Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Fetch all history for all branches and tags
+
+      - name: Run Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}  # Only needed for Gitleaks Enterprise
+
+      - name: Upload Gitleaks SARIF as artifact
+        if: always() && hashFiles('results.sarif') != ''
+        uses: actions/upload-artifact@v4
+        with:
+          name: gitleaks-scan-results
+          path: results.sarif
+
+      - name: Upload Gitleaks SARIF to Code Scanning
+        if: always() && hashFiles('results.sarif') != ''
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: gitleaks
+
+  dependency_audit:
+    name: Dependency Vulnerability Audit
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [20.x]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+
+      - name: Audit dependencies (high severity and above)
+        run: npx --yes audit-ci --package-manager yarn --severity high
+
+  clamav_malware_scan:
+    name: ClamAV Malware Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install ClamAV
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y clamav clamav-daemon
+
+      - name: Update ClamAV database
+        run: |
+          sudo systemctl stop clamav-freshclam || true
+          sudo freshclam --verbose
+
+      - name: Scan repository with ClamAV
+        run: |
+          echo "Starting ClamAV scan of repository..."
+          clamscan -r -i --exclude-dir=node_modules --exclude-dir=.git --exclude-dir=dist . > clamav-scan.log 2>&1 || true
+          cat clamav-scan.log
+
+      - name: Check for infections
+        run: |
+          if grep -q "Infected files: 0" clamav-scan.log; then
+            echo "✅ No malware detected!"
+            exit 0
+          else
+            echo "❌ Malware detected! Check the scan log."
+            grep "FOUND" clamav-scan.log || true
+            exit 1
+          fi
+
+      - name: Upload ClamAV scan log
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: clamav-scan-log
+          path: clamav-scan.log

.gitignore

@@ -32,3 +32,7 @@ dummy-*
 html/
 
 tsconfig.tsbuildinfo
+
+# Claude Code configuration
+.claude/
+CLAUDE.md

docs/SECURITY.md

@@ -0,0 +1,223 @@
+# Security
+
+This document describes security measures implemented in Tab Modifier.
+
+## CI/CD Security Scanning
+
+Tab Modifier uses multiple security scanning tools in the CI/CD pipeline to ensure code quality and security:
+
+### 1. ClamAV Malware Scan
+- **Purpose**: Detects viruses, trojans, and other malware in the codebase
+- **Frequency**: On every push to any branch
+- **Configuration**: `.github/workflows/ci.yml` - `clamav_malware_scan` job
+- **Coverage**: Scans all files except `node_modules`, `.git`, and `dist`
+- **Action on detection**: Pipeline fails if malware is detected
+
+### 2. Semgrep SAST (Static Application Security Testing)
+- **Purpose**: Detects security vulnerabilities and code quality issues
+- **Configuration**: `.github/workflows/ci.yml` - `semgrep_scan` job
+- **Results**: Uploaded to GitHub Security Dashboard as SARIF
+
+### 3. CodeQL SAST
+- **Purpose**: Advanced semantic code analysis for security vulnerabilities
+- **Configuration**: `.github/workflows/ci.yml` - `codeql_sast` job
+- **Queries**: `security-extended` and `security-and-quality`
+- **Results**: Uploaded to GitHub Security Dashboard
+
+### 4. Gitleaks Secret Scan
+- **Purpose**: Detects hardcoded secrets, API keys, and credentials
+- **Configuration**: `.github/workflows/ci.yml` - `gitleaks_scan` job
+- **Action**: Official `gitleaks/gitleaks-action@v2`
+- **Scope**: Full git history scan (`fetch-depth: 0`)
+- **Results**: Uploaded to GitHub Security Dashboard as SARIF
+- **Action on detection**: Pipeline fails if secrets are found
+
+### 5. Dependency Vulnerability Audit
+- **Purpose**: Checks for known vulnerabilities in npm/yarn dependencies
+- **Configuration**: `.github/workflows/ci.yml` - `dependency_audit` job
+- **Severity**: Fails on HIGH severity and above
+- **Tool**: `audit-ci` with yarn
+
+## ReDoS (Regular Expression Denial of Service) Protection
+
+### Background
+
+Tab Modifier allows users to create rules with regular expressions to match URLs. User-controlled regex patterns can potentially be exploited to cause ReDoS attacks, where malicious regex patterns with catastrophic backtracking can freeze the browser tab.
+
+### Implementation
+
+We've implemented multi-layered protection against ReDoS attacks:
+
+#### 1. Pattern Validation (`src/common/regex-safety.ts`)
+
+The `_isRegexPatternSafe()` function validates regex patterns before execution:
+
+- **Nested Quantifiers**: Blocks patterns like `(a+)+`, `(a*)*`, `(a{1,5})+` that cause exponential backtracking
+- **Consecutive Quantifiers**: Blocks patterns like `a**`, `a+*` that are invalid or dangerous
+- **Overlapping Alternatives**: Blocks patterns like `(a|a)*`, `(x+|x+y+)*` that create unnecessary backtracking
+- **Length Limits**: Rejects patterns longer than 1000 characters
+- **Syntax Validation**: Ensures the pattern is a valid regex
+
+#### 2. Safe Execution
+
+The `_safeRegexTestSync()` function:
+1. Validates the pattern before execution
+2. Catches and logs any execution errors
+3. Returns `false` for unsafe patterns instead of executing them
+
+### Usage
+
+Instead of using `new RegExp(pattern).test(url)` directly, always use:
+
+```typescript
+import { _safeRegexTestSync } from './regex-safety.ts';
+
+// Safe regex execution
+const matches = _safeRegexTestSync(userPattern, url);
+```
+
+### Examples of Blocked Patterns
+
+**Dangerous patterns that are blocked:**
+```regex
+(a+)+           # Nested quantifiers
+(a*)*           # Nested quantifiers
+(a|a)*          # Overlapping alternatives
+(x+|x+y+)*      # Overlapping alternatives with quantifiers
+a++             # Consecutive quantifiers
+```
+
+**Safe patterns that are allowed:**
+```regex
+example\.com                           # Simple literal match
+^https://[a-z]+\.example\.com         # Character classes with quantifiers
+[0-9]{1,4}                            # Bounded quantifiers
+(?!MOUNCE).*version=                  # Negative lookahead
+```
+
+### Testing
+
+Comprehensive tests are in `src/common/regex-safety.test.js` covering:
+- Safe pattern validation
+- Dangerous pattern detection and blocking
+- Real-world regex patterns from existing rules
+- Edge cases and error handling
+
+### Best Practices
+
+1. **Prefer simpler detection methods** when possible:
+   - Use `CONTAINS` for substring matching
+   - Use `STARTS_WITH` / `ENDS_WITH` for prefix/suffix matching
+   - Use `EXACT` for exact matching
+   - Use `REGEX` only when pattern matching is truly needed
+
+2. **Write safe regex patterns**:
+   - Avoid nested quantifiers
+   - Use bounded quantifiers (`{1,5}`) instead of unbounded (`*`, `+`)
+   - Keep patterns as simple as possible
+   - Test patterns with the safety validator
+
+3. **Document complex patterns**:
+   - Add comments explaining what the pattern matches
+   - Include test cases for complex patterns
+
+## Missing Regex Anchors in URL/Title Matchers
+
+### Background
+
+The `url_matcher` and `title_matcher` features allow users to extract parts of URLs and page titles using regular expressions with capture groups. When regex patterns don't use anchors (`^` for start, `$` for end), they can match anywhere in the input string, potentially causing unexpected behavior.
+
+### Context: Not a Critical Security Issue
+
+In Tab Modifier, `url_matcher` and `title_matcher` are used to **extract content** for display in tab titles, not for security-critical validation like URL redirection or authentication. Therefore, missing anchors here represent a **usability concern** rather than a security vulnerability.
+
+However, to prevent unexpected matches and follow security best practices, we recommend using anchored patterns.
+
+### Recommendations
+
+#### Use Anchors When Possible
+
+**Unanchored pattern (may match unexpectedly):**
+```regex
+https:\/\/example\.com\/(.+)
+# Could match: "evil.com?redirect=https://example.com/test"
+```
+
+**Anchored pattern (matches precisely):**
+```regex
+^https:\/\/example\.com\/(.+)
+# Only matches URLs starting with https://example.com/
+```
+
+#### Examples of Safe Patterns
+
+**URL Matcher for GitHub repositories:**
+```regex
+^https:\/\/github\.com\/([A-Za-z0-9_-]+)\/([A-Za-z0-9_-]+)
+```
+
+**URL Matcher for query parameters:**
+```regex
+[?&]date=([0-9]{4}-[0-9]{2}-[0-9]{2})
+# Note: This doesn't need ^ anchor as we're matching a specific parameter
+```
+
+**Title Matcher with full anchors:**
+```regex
+^[a-z]*@gmail\.com$
+```
+
+#### When Anchors Are Optional
+
+For patterns that specifically target **substrings** (like query parameters or path segments), anchors may not be needed:
+
+```regex
+# Extracting query parameter - no anchor needed
+[?&]id=([0-9]+)
+
+# Extracting date from URL - no anchor needed
+date=([0-9]{4}-[0-9]{2}-[0-9]{2})
+```
+
+### Implementation
+
+The regex safety checks in `src/content.js` already validate patterns before execution. To enhance this:
+
+1. **Pattern Validation**: The `isRegexSafe()` function checks for dangerous patterns
+2. **Safe Execution**: The `createSafeRegex()` function creates validated regex instances
+3. **Error Handling**: All regex operations are wrapped in try-catch blocks
+
+### Best Practices for URL/Title Matchers
+
+1. **Use anchors (`^`, `$`) when matching complete URLs or titles**
+   ```regex
+   ✅ ^https:\/\/example\.com\/path$
+   ❌ https:\/\/example\.com\/path
+   ```
+
+2. **Be specific with your patterns**
+   ```regex
+   ✅ ^https:\/\/github\.com\/[A-Za-z0-9_-]+\/[A-Za-z0-9_-]+
+   ❌ .+github.com.+
+   ```
+
+3. **Use character classes instead of wildcards when possible**
+   ```regex
+   ✅ [A-Za-z0-9_-]+
+   ❌ .+
+   ```
+
+4. **Test your patterns with the regex safety validator**
+   - Patterns are automatically validated before use
+   - Check browser console for validation warnings
+
+5. **Consider the use case**
+   - For extracting specific parts: anchors may be optional
+   - For matching the entire URL/title: always use anchors
+
+### References
+
+- [OWASP: Regular Expression Denial of Service](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
+- [Semgrep Rule: detect-non-literal-regexp](https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp)
+- [CodeQL: Missing Regular Expression Anchor](https://codeql.github.com/codeql-query-help/javascript/js-regex-missing-anchor/)
+- [OWASP: Server Side Request Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)

package.json

@@ -2,6 +2,7 @@
   "name": "tab-modifier",
   "private": true,
   "version": "1.0.17",
+  "license": "MIT",
   "type": "module",
   "scripts": {
     "test": "vitest --run",
@@ -24,30 +25,29 @@
     "@crxjs/vite-plugin": "^2.0.0-beta.26",
     "@types/chrome": "^0.0.268",
     "@typescript-eslint/eslint-plugin": "^7.18.0",
-    "@typescript-eslint/parser": "^7.4.0",
+    "@typescript-eslint/parser": "^7.18.0",
     "@vitejs/plugin-vue": "^5.1.4",
-    "@vitest/coverage-v8": "^2.0.5",
-    "@vitest/ui": "^2.0.5",
-    "@vue/cli-plugin-eslint": "^5.0.8",
+    "@vitest/coverage-v8": "^2.1.9",
+    "@vitest/ui": "^2.1.9",
     "@vue/eslint-config-typescript": "^13.0.0",
     "autoprefixer": "^10.4.19",
     "daisyui": "^4.12.2",
     "eslint": "^8.57.1",
     "eslint-config-prettier": "^9.1.0",
-    "eslint-config-standard-with-typescript": "^43.0.1",
     "eslint-plugin-import": "^2.25.2",
-    "eslint-plugin-n": "^15.0.0 || ^16.0.0 ",
     "eslint-plugin-prettier": "^5.2.1",
-    "eslint-plugin-promise": "^6.0.0",
     "eslint-plugin-vue": "^9.26.0",
-    "jsdom": "^25.0.1",
+    "jsdom": "^27.0.0",
     "postcss": "^8.4.38",
     "prettier": "^3.3.3",
     "tailwindcss": "^3.4.13",
     "typescript": "*",
     "vite": "^5.4.6",
-    "vitest": "^2.0.5",
+    "vitest": "^2.1.9",
     "vue-eslint-parser": "^9.4.2",
     "vue-tsc": "^2.0.24"
+  },
+  "resolutions": {
+    "cross-spawn": "^7.0.5"
   }
 }