fix(browser): validate inputs and redact remote URLs

2026-06-08 00:52:55 +00:00 · 2026-05-24 01:17:58 +01:00
parent 9410eb30cf
commit bee15d4fa2
4 changed files with 104 additions and 6 deletions
--- a/extensions/browser/src/cli/browser-cli-actions-input/register.element.ts
+++ b/extensions/browser/src/cli/browser-cli-actions-input/register.element.ts
@@ -13,6 +13,16 @@ export function registerBrowserElementCommands(
  browser: Command,
  parentOpts: (cmd: Command) => BrowserParentOpts,
 ) {
+  const parseRequiredNumber = (value: string, label: string): number | undefined => {
+    const parsed = Number(value);
+    if (!Number.isFinite(parsed)) {
+      defaultRuntime.error(danger(`Invalid ${label}: must be a finite number`));
+      defaultRuntime.exit(1);
+      return undefined;
+    }
+    return parsed;
+  };
+
  const runElementAction = async (params: {
    cmd: Command;
    body: Record<string, unknown>;
@@ -85,8 +95,11 @@ export function registerBrowserElementCommands(
    .option("--button <left|right|middle>", "Mouse button to use")
    .option("--delay-ms <ms>", "Delay between mouse down/up", (v: string) => Number(v))
    .action(async (xRaw: string, yRaw: string, opts, cmd) => {
-      const x = Number(xRaw);
-      const y = Number(yRaw);
+      const x = parseRequiredNumber(xRaw, "x");
+      const y = parseRequiredNumber(yRaw, "y");
+      if (x === undefined || y === undefined) {
+        return;
+      }
      await runElementAction({
        cmd,
        body: {
--- a/extensions/browser/src/cli/browser-cli-actions-input/register.navigation.ts
+++ b/extensions/browser/src/cli/browser-cli-actions-input/register.navigation.ts
@@ -9,6 +9,16 @@ export function registerBrowserNavigationCommands(
  browser: Command,
  parentOpts: (cmd: Command) => BrowserParentOpts,
 ) {
+  const parseRequiredNumber = (value: unknown, label: string): number | undefined => {
+    const parsed = Number(value);
+    if (!Number.isFinite(parsed)) {
+      defaultRuntime.error(danger(`Invalid ${label}: must be a finite number`));
+      defaultRuntime.exit(1);
+      return undefined;
+    }
+    return parsed;
+  };
+
  browser
    .command("navigate")
    .description("Navigate the current tab to a URL")
@@ -48,16 +58,21 @@ export function registerBrowserNavigationCommands(
    .argument("<height>", "Viewport height", (v: string) => Number(v))
    .option("--target-id <id>", "CDP target id (or unique prefix)")
    .action(async (width: number, height: number, opts, cmd) => {
+      const normalizedWidth = parseRequiredNumber(width, "width");
+      const normalizedHeight = parseRequiredNumber(height, "height");
+      if (normalizedWidth === undefined || normalizedHeight === undefined) {
+        return;
+      }
      const { parent, profile } = resolveBrowserActionContext(cmd, parentOpts);
      try {
        await runBrowserResizeWithOutput({
          parent,
          profile,
-          width,
-          height,
+          width: normalizedWidth,
+          height: normalizedHeight,
          targetId: opts.targetId,
          timeoutMs: 20000,
-          successMessage: `resized to ${width}x${height}`,
+          successMessage: `resized to ${normalizedWidth}x${normalizedHeight}`,
        });
      } catch (err) {
        defaultRuntime.error(danger(String(err)));