fix(security): address multiple security vulnerabilities

[leaanthony]

Summary

This PR bundles fixes for several security issues identified by GitHub Advanced Security (CodeQL) and Semgrep code scanning.

Security Fixes

1. Workflow Permissions (CodeQL)

• Add explicit permissions blocks to GitHub Actions workflows
• Restrict GITHUB_TOKEN to minimum required permissions following principle of least privilege
• Affected files: automated-releases.yml, build-and-test-v3.yml, publish-npm.yml, test-simple.yml

2. Path Traversal (CodeQL)

• Fix directory traversal vulnerability in screen example's asset middleware
• User-provided URL paths were concatenated directly without validation
• Added path validation using filepath.Clean and directory containment checks
• Affected file: v3/examples/screen/main.go

3. Command Injection (CodeQL)

• Fix arbitrary command execution in setup wizard's dependency installation endpoint
• User-provided commands were executed directly without validation
• Added whitelist of allowed commands (package managers only)
• Affected file: v3/internal/setupwizard/wizard.go

4. Rollup XSS Vulnerability (Semgrep - CVE-2024-47068)

• Update rollup from 3.28.0 to 3.29.5
• Fixes Cross-site Scripting vulnerability when bundling with import.meta.url
• Affected file: v3/examples/dev/frontend/package-lock.json

Test plan

• Verify GitHub Actions workflows run successfully
• Confirm screen example serves assets correctly and blocks path traversal
• Verify setup wizard dependency installation works for allowed commands
• Confirm dev example frontend builds correctly

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• Security

  • Restricted GITHUB_TOKEN permissions across all workflows to follow principle of least privilege
  • Updated rollup dependency (v3.29.5) for XSS vulnerability fix

• Bug Fixes

  • Fixed path traversal vulnerability in screen example asset middleware
  • Fixed command injection vulnerability in setup wizard dependency installation

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Warning

Rate limit exceeded

@leaanthony has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 15 minutes and 9 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Walkthrough

This pull request implements security hardening across the codebase by restricting GITHUB_TOKEN permissions in workflows following the principle of least privilege, fixing a path traversal vulnerability in the screen example's asset serving middleware, and adding command whitelisting to prevent command injection attacks in the setup wizard dependency installation.

Changes

Cohort / File(s)	Summary
Workflow Permission Configuration .github/workflows/automated-releases.yml, .github/workflows/build-and-test-v3.yml, .github/workflows/publish-npm.yml, .github/workflows/test-simple.yml	Added top-level and per-job GITHUB_TOKEN permission restrictions, limiting default access to contents: read and granting contents: write only where required (release jobs). Unused permissions explicitly set to empty.
Security Vulnerability Fixes v3/examples/screen/main.go	Replaced unsafe direct path construction with normalized, traversal-resistant path resolution using filepath.Clean, directory joining, and prefix validation to ensure requested assets remain within designated asset directory.
Command Injection Prevention v3/internal/setupwizard/wizard.go	Introduced whitelist-based command execution model with allowed commands and allowed sudo commands. Added isCommandAllowed validation that inspects the actual executed tool after parsing privilege-escalation wrappers (sudo/pkexec/doas), rejecting non-whitelisted commands prior to execution.
Security Changelog v3/UNRELEASED_CHANGELOG.md	Documented four security fixes: GITHUB_TOKEN permission restrictions, path traversal vulnerability fix, command injection vulnerability fix, and rollup dependency update (CVE-2024-47068).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

v3-alpha, size:L

Poem

🐰 With locks on tokens, paths are clean,
No command sneaks where we've not been,
Each workflow guarded, least privilege reigns,
Security wrapped in our digital veins,
Safer code hops through the night!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely identifies the primary change—addressing multiple security vulnerabilities—which aligns well with the changeset containing workflow permission fixes, path traversal fixes, command injection fixes, and a dependency update for security reasons.
Description check	✅ Passed	The PR description comprehensively covers all four security fixes with clear explanations, affected files, and a test plan. However, it does not fill the required template sections like 'Type of change' checkboxes, 'How Has This Been Tested', test configuration, or the changelog checklist.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cloudflare-workers-and-pages]

Deploying wails with    Cloudflare Pages

Latest commit:	05f0cf2
Status:	✅  Deploy successful!
Preview URL:	https://7e38ced8.wails.pages.dev
Branch Preview URL:	https://fix-security-issues-bundle.wails.pages.dev

View logs

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@v3/internal/setupwizard/wizard.go`:
- Around line 599-613: The current flag-skipping logic in the
privilege-escalation branch (cmd == "sudo" || cmd == "pkexec" || cmd == "doas")
is unsafe; replace the loop that advances actualCmdIndex with strict validation:
require that parts has at least 2 elements and that parts[1] is exactly one of
the allowedSudoCommands (and not a flag), and reject any invocation containing
flags before the command (i.e., do not try to parse flags or accept tokens
starting with '-'); update the check in that branch to simply return
allowedSudoCommands[parts[1]] (ensuring parts[1] is present and not prefixed
with '-') so only the privilege command immediately followed by the package
manager is allowed.

🧹 Nitpick comments (2)

v3/internal/setupwizard/wizard.go (2)

547-585: Consider adding additional package managers for broader compatibility.

The whitelist covers most major package managers but misses a few:

• apk — Alpine Linux package manager (common in Docker containers)
• snap — Ubuntu's snap package manager
• flatpak — cross-distribution application packaging

These omissions would cause false negatives for users on those systems rather than security issues.

Suggested additions

 var allowedCommands = map[string]bool{
 	// Package managers (may be called directly or via sudo)
 	"apt":       true,
 	"apt-get":   true,
+	"apk":       true, // Alpine Linux
 	"dnf":       true,
 	"yum":       true,
 	"pacman":    true,
 	"zypper":    true,
 	"emerge":    true,
 	"eopkg":     true,
 	"nix-env":   true,
 	"brew":      true,
 	"port":      true, // MacPorts
 	"winget":    true,
 	"choco":     true,
 	"scoop":     true,
+	"snap":      true, // Ubuntu snap
+	"flatpak":   true,
 	"sudo":      true, // sudo is allowed as it prefixes package manager commands
 	"pkexec":    true, // polkit alternative to sudo
 	"doas":      true, // OpenBSD sudo alternative
 	"xcode-select": true, // macOS Xcode CLI tools
 }

 // allowedSudoCommands are commands allowed to be run after sudo/pkexec/doas
 var allowedSudoCommands = map[string]bool{
 	"apt":       true,
 	"apt-get":   true,
+	"apk":       true,
 	"dnf":       true,
 	"yum":       true,
 	"pacman":    true,
 	"zypper":    true,
 	"emerge":    true,
 	"eopkg":     true,
 	"nix-env":   true,
 	"brew":      true,
 	"port":      true,
+	"snap":      true,
+	"flatpak":   true,
 	"xcode-select": true,
 }

---

632-633: Note: strings.Fields doesn't handle quoted arguments.

Commands like apt install "package name with spaces" would be incorrectly split. This is a minor usability limitation rather than a security issue since exec.Command doesn't invoke a shell. Package names with spaces are rare in practice.

[sonarqubecloud]

Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud