
Security review and updates #13

Merged
mbijon merged 5 commits into main from security-review
Dec 4, 2025

Conversation

@mbijon
Owner

@mbijon mbijon commented Dec 4, 2025

Note

Harden security and stability with CSP/security headers, input sanitization and tests, centralized logger with retry-backed Supabase calls, plus minor docs and dependency updates.

  • Security:
    • Add strict headers in vercel.json (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy).
    • Sanitize leaderboard display name in src/components/LeaderboardModal.tsx (allow only alphanumeric, _, space, -) and trim on submit; comprehensive tests in test/LeaderboardModal.test.tsx.
  • Reliability & Logging:
    • Introduce environment-aware logger src/utils/logger.ts; replace console.error with logger in src/hooks/useLeaderboard.ts and src/services/leaderboard.ts.
    • Add exponential backoff fetchWithRetry and integrate into Supabase calls via callSupabaseFunction; fewer retries for start-session; export debounce utility.
  • Docs:
    • README: add Sentry migration plan and logging notes.
  • Dependencies:
    • Bump react/react-dom to ^18.3.0, vite to ^7.2.6, @playwright/test to ^1.55.1.

Written by Cursor Bugbot for commit dc05d65.

@vercel

vercel bot commented Dec 4, 2025

The latest updates on your projects.

Project      Deployment   Preview   Comments   Updated (UTC)
heatseeker   Ready        Preview   Comment    Dec 4, 2025 6:15am

@mbijon mbijon merged commit 2763b67 into main Dec 4, 2025
3 of 4 checks passed

@cursor cursor bot left a comment


This PR is being reviewed by Cursor Bugbot


const handleSubmit = async (event: FormEvent<HTMLFormElement>) => {
  event.preventDefault();
  await onSubmit({ name, isHuman });
  // Trim whitespace from sanitized name before submitting

Bug: Default name bypasses input sanitization on submit

The sanitizeName function is only applied during onChange events. When defaultName is passed to the component (e.g., from an existing leaderboard entry), it's set directly via useState(defaultName) and setName(defaultName) in the useEffect without sanitization. If a user reopens the modal and clicks "Save" without modifying the input, any unsanitized characters in defaultName will be submitted directly. The sanitization needs to be applied to defaultName when initializing state and in the handleSubmit function.

Additional Locations (1)

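The bypass described in the comment above, modelled without React as an added example (not the project's LeaderboardModal code): the allow-list sanitizer follows the PR description (alphanumeric, `_`, space, `-`), and the two submit functions, their names and the `edits` parameter are assumptions standing in for the component's state flow.

```typescript
// Added example, not the project's code. Allow-list from the PR description:
// keep only alphanumeric characters, underscore, space and hyphen.
function sanitizeName(raw: string): string {
  return raw.replace(/[^A-Za-z0-9_ -]/g, "");
}

// Buggy flow as the review comment describes it: defaultName seeds state
// directly (useState(defaultName)), only onChange edits pass through
// sanitizeName, and handleSubmit forwards the state value untouched.
// `edits` is null when the user saves without typing anything (assumed name).
function submitUnsanitizedDefault(defaultName: string, edits: string | null): string {
  let name = defaultName;                 // no sanitization on init
  if (edits !== null) {
    name = sanitizeName(edits);           // onChange path is the only guard
  }
  return name;                            // submitted as-is
}

// Hardened flow per the suggested fix: sanitize when initializing state
// and again in handleSubmit, then trim (the PR adds trim on submit).
function submitHardened(defaultName: string, edits: string | null): string {
  let name = sanitizeName(defaultName);   // sanitize the seeded default
  if (edits !== null) {
    name = sanitizeName(edits);
  }
  return sanitizeName(name).trim();       // defence in depth at the boundary
}

// Convenience check for a stored default reopened and saved unchanged.
function defaultSurvivesSubmit(defaultName: string): boolean {
  return submitUnsanitizedDefault(defaultName, null) === defaultName;
}
```

A stored display name that never went through the onChange sanitizer (for example one written before the sanitizer existed) is exactly the case the hardened path catches.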
