Conversation
…lidation for rule names to prevent path traversal attacks.
Default Rules
Chart Wizard Export
mito-ai: remove sonnet
Chart Wizard Input Ranges
Cursor Bugbot has reviewed your changes and found 2 potential issues.
```ts
      await downloadImage(found.dataUrl, format);
    }
  } else {
    await downloadImage(found.dataUrl, format);
```
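Review bot: the `await downloadImage(found.dataUrl, format)` call is duplicated in the catch block and in the else branch, and in both places it runs outside any error handling, so a throw from either escapes the function. Consider restructuring so the payload is decided first (converted JPEG, or the original data URL when conversion fails) and a single `await downloadImage(...)` sits inside the try, which removes the duplicate and guards both paths at once.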
Unhandled errors in chart export fallback path
Low Severity
The downloadImage call on line 38 (inside the catch block) and line 41 (in the else branch) can throw errors that aren't caught. If JPEG conversion fails via dataUrlToJpegBlob (e.g., canvas context unavailable, toBlob fails, or image loading error), the error propagates uncaught instead of being converted to { success: false, error: ... }. The caller handleExportChart in ChartWizardWidget.tsx expects a result object and won't show the error notification when the function throws, leaving users without feedback when export fails.
```ts
await setRule(slugifiedName, formData.description, formData.isDefault);
if (editingRuleName && editingRuleName !== slugifiedName) {
  await deleteRule(editingRuleName);
}
```
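Review bot: `setRule` and `deleteRule` are two independent awaits with no rollback, so if `deleteRule(editingRuleName)` fails after `setRule(slugifiedName, ...)` has succeeded, the rule is left stored under both the old and the new name. Consider surfacing that partial-rename case to the user rather than letting the rejection propagate, and checking that `slugifiedName` is not already taken by another rule before the `setRule` call.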
Rule rename can silently overwrite existing rules causing data loss
Medium Severity
When renaming a rule, the code calls setRule with the slugified name without checking if a rule with that name already exists. Because slugifyRuleName normalizes names (lowercasing, converting spaces to hyphens), different user inputs can collide. For example, if rules "rule-a" and "rule-b" exist and the user edits "rule-a", changing its name to "Rule B" (which slugifies to "rule-b"), the existing "rule-b" is silently overwritten, then deleteRule("rule-a") removes the old rule. Both rules' original content is lost.
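The collision described above and a guarded rename, as an added TypeScript example that is not the PR's or the project's code. The in-memory `Map` store stands in for `setRule`/`deleteRule`, and `slugifyRuleName` is an assumed normalisation (lowercase, spaces and underscores to hyphens, other characters dropped) chosen so the slug can never contain `/` or `.`; the real function's exact rules are not visible here.

```typescript
// Added example, not code from the PR: rename a rule through a slugified name
// without clobbering a different rule that already owns the target slug. The
// in-memory Map store, slugifyRuleName and the result type are assumptions.

export interface Rule {
  description: string;
  isDefault: boolean;
}

// Keyed by slug; stands in for the setRule/deleteRule backend.
export type RuleStore = Map<string, Rule>;

export type SaveResult = { ok: true; name: string } | { ok: false; error: string };

// Assumed normalisation: lowercase, whitespace/underscores to hyphens,
// everything outside [a-z0-9-] dropped, hyphen runs collapsed, edge hyphens
// trimmed. That keeps "/" and "." out of the slug (no path traversal) but is
// lossy, so "Rule B", "rule-b" and "RULE_B" all collide on "rule-b".
export function slugifyRuleName(name: string): string {
  const slug = name
    .trim()
    .toLowerCase()
    .replace(/[\s_]+/g, "-")
    .replace(/[^a-z0-9-]/g, "")
    .replace(/-{2,}/g, "-")
    .replace(/^-+|-+$/g, "");
  if (slug === "") throw new Error(`Rule name "${name}" has no usable characters`);
  return slug;
}

// Order the review flags: store under the new slug, then delete the old key,
// with no check that the new slug is free.
export function saveRuleUnchecked(
  store: RuleStore,
  formName: string,
  rule: Rule,
  editingRuleName?: string,
): SaveResult {
  const slug = slugifyRuleName(formName);
  store.set(slug, rule); // silently overwrites whatever already lives at slug
  if (editingRuleName && editingRuleName !== slug) store.delete(editingRuleName);
  return { ok: true, name: slug };
}

// Guarded form: reject the rename when the slug belongs to a different rule,
// and delete the old key only after the new entry is stored.
export function saveRule(
  store: RuleStore,
  formName: string,
  rule: Rule,
  editingRuleName?: string,
): SaveResult {
  let slug: string;
  try {
    slug = slugifyRuleName(formName);
  } catch (e) {
    return { ok: false, error: (e as Error).message };
  }
  // Editing a rule in place (same slug) is fine; taking another rule's slug is not.
  if (slug !== editingRuleName && store.has(slug)) {
    return { ok: false, error: `A rule named "${slug}" already exists` };
  }
  store.set(slug, rule);
  if (editingRuleName && editingRuleName !== slug) store.delete(editingRuleName);
  return { ok: true, name: slug };
}
```

The check compares against the slug, not the raw form input, because the slug is the key the backend actually writes; comparing raw names would still let "Rule B" overwrite "rule-b".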


Description