Skip to content

Address code review feedback: memory leak fix, SSL verification, test isolation #397

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Copilot wants to merge 7 commits into from
Closed

Address code review feedback: memory leak fix, SSL verification, test isolation #397

Copilot wants to merge 7 commits into from

Conversation

Copy link

Copilot AI commented Jan 9, 2026
edited
Loading

What are you trying to accomplish?

Addresses code review feedback from PR #396 to improve code quality, security, and test reliability for the AvatarWithFallback component.

Key changes:

  • Memory leak prevention - Added disconnectedCallback() to remove event listeners when component is removed from DOM. Prevents memory leaks in SPAs by storing bound function reference for proper cleanup.

  • SSL certificate verification - Added OpenSSL::SSL::VERIFY_PEER to url_accessible? method to validate SSL certificates during HEAD requests, preventing MITM attacks.

  • Test isolation - Added setup/teardown methods to preserve and restore validate_urls class-level setting between tests, preventing test pollution.

  • Better testing practices - Replaced .any_instance.expects anti-pattern with WebMock assertions (stub_request + assert_not_requested) to decouple tests from implementation details.

  • Documentation grammar - Fixed "When nil, or broken URL it renders" → "When nil or a broken URL, it renders" in YARD docs and static files.

Integration

Risk Assessment

  • Low risk - Targeted fixes to existing functionality: cleanup logic, security hardening, test improvements. No behavioral changes to component API or rendering.

What approach did you choose and why?

TypeScript event listener cleanup follows standard web component lifecycle pattern. SSL verification uses OpenSSL's standard peer verification mode. Test isolation follows Ruby/Minitest best practices with setup/teardown hooks.

Anything you want to highlight for special attention from reviewers?

The disconnectedCallback stores the bound function reference rather than using an arrow function inline, which is necessary for removeEventListener to work correctly.

Accessibility

  • No new axe scan violation - This change does not introduce any new axe scan violations.

Merge checklist

  • Added/updated tests
  • Added/updated documentation
  • Added/updated previews (Lookbook)
  • Tested in Chrome
  • Tested in Firefox
  • Tested in Safari
  • Tested in Edge

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

akabiru and others added 4 commits January 9, 2026 14:11
@akabiru
Add server-side URL validation for absolute URLs to reduce flicker
2cb3c1c 
Broken Gravatar links (absolute URLs) now render fallback SVG immediately
instead of showing a brief broken image before client-side JS swaps it.
@akabiru
Restrict server-side URL validation to allowlisted hosts (SSRF protec…
6e5fab8 
…tion)

Server-side HEAD requests for URL validation could be exploited for SSRF
attacks against internal networks. This change restricts validation to a
trusted allowlist of avatar hosts:

- gravatar.com, www.gravatar.com, secure.gravatar.com
- avatars.githubusercontent.com

Non-allowlisted URLs skip server-side validation entirely and rely on
client-side error handling via the avatar-fallback web component. This
provides defense in depth:

- Allowlisted hosts: Server-side validation (no flicker for broken URLs)
- Other hosts: Client-side fallback (may flicker briefly on 404)
@openprojectci
Generating static files
d515ed4
Initial plan
bbb58c2
@changeset-bot
Copy link

changeset-bot bot commented Jan 9, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: da05cfa

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Copilot AI mentioned this pull request Jan 9, 2026
Merged
Copilot AI changed the title [WIP] Fix client-side handling of 404 errors in AvatarWithFallback Address code review feedback: memory leak fix, SSL verification, test isolation Jan 9, 2026
Copilot AI requested a review from akabiru January 9, 2026 12:58
@akabiru akabiru force-pushed the bug/69230-invalid-src-fallback branch from d515ed4 to be01160 Compare January 9, 2026 13:35
@akabiru akabiru changed the base branch from bug/69230-invalid-src-fallback to bug/69230-invalid-src-fallback-server-side January 9, 2026 13:44
@akabiru akabiru closed this Jan 12, 2026
@akabiru akabiru deleted the copilot/sub-pr-396 branch January 12, 2026 07:52
@akabiru akabiru removed their request for review January 12, 2026 07:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@akabiru @openprojectci