This document outlines the security measures implemented in WhizCode to protect against common vulnerabilities.
Issue: IPC handlers could read/write files outside the workspace boundary.
Solution:
- Added `validatePathInWorkspace()` function that ensures all file operations stay within the workspace
- All file operation handlers (`fs:readFile`, `fs:writeFile`, `fs:rename`, `fs:delete`) now validate paths
- Rejects paths containing `..`, null bytes, or starting with `~`

Implementation:

```javascript
validatePathInWorkspace(filePath, workspacePath);
```

Issue: Git commands used string interpolation, allowing command injection.
Solution:
- Replaced `execAsync()` with `execFile()` for git operations
- Uses argument arrays instead of shell strings
- Prevents shell metacharacter interpretation

Before:

```javascript
await execAsync(`git commit -m "${message.replace(/"/g, '\\"')}"`, { cwd: path });
```

After:

```javascript
await execFileAsync('git', ['commit', '-m', validMessage], { cwd: validPath });
```

Issue: No validation on user inputs from IPC handlers.
Solution:
- Added `validateStringInput()` for general string validation with length limits
- Added `validateFilePath()` for file path validation
- All IPC handlers now validate inputs before use
Limits:
- File paths: 500 characters max
- General strings: 10,000 characters max
- File content: 50MB max
- Git messages: 1,000 characters max
Issue: Azure tokens stored in plaintext.
Solution:
- Implemented AES-256-CBC encryption for sensitive data
- Tokens encrypted before storage, decrypted on load
- Uses `crypto.scryptSync()` for key derivation

Implementation:

```javascript
// Save
await fs.writeFile(AZURE_TOKEN_FILE, JSON.stringify({
  token: encryptData(token),
  expires
}), 'utf-8');

// Load
const token = decryptData(parsed.token);
```

Environment Variable:
Set `WHIZCODE_ENCRYPTION_KEY` for custom encryption key (defaults to `'default-key-change-in-production'`).
Provides the following functions:
- `validatePathInWorkspace(filePath, workspacePath)` - Prevents path traversal
- `sanitizeShellInput(input)` - Escapes shell metacharacters
- `encryptData(data, key?)` - Encrypts sensitive data
- `decryptData(encryptedData, key?)` - Decrypts sensitive data
- `validateStringInput(input, maxLength?)` - Validates string input
- `validateFilePath(input)` - Validates file paths
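
The path rules described earlier for `validatePathInWorkspace()` (reject `..`, null bytes and a leading `~`, then confirm the resolved path stays under the workspace), written out as an added example. This is not WhizCode's own code; `isPathAllowed()`, the error messages and the `/workspace` sample inputs are assumptions.

```javascript
const path = require('path');

// Illustrative version only; the real WhizCode function may differ.
function validatePathInWorkspace(filePath, workspacePath) {
  for (const [name, value] of [['filePath', filePath], ['workspacePath', workspacePath]]) {
    if (typeof value !== 'string' || value.length === 0) {
      throw new Error(`[SECURITY] ${name} must be a non-empty string`);
    }
    if (value.includes('\0')) {
      throw new Error(`[SECURITY] ${name} contains a null byte`);
    }
  }
  if (filePath.length > 500) {
    throw new Error('[SECURITY] filePath exceeds 500 characters');
  }
  if (filePath.startsWith('~')) {
    throw new Error('[SECURITY] filePath starts with ~');
  }
  // Assumption: ".." is rejected as a path segment, with either separator.
  if (filePath.split(/[\\\/]+/).includes('..')) {
    throw new Error('[SECURITY] filePath contains ..');
  }
  // Resolve against the workspace root, then confirm the result is still
  // under it. Comparing with path.relative() avoids the prefix mistake where
  // "/workspace-evil" passes a startsWith("/workspace") test.
  const root = path.resolve(workspacePath);
  const resolved = path.resolve(root, filePath);
  const rel = path.relative(root, resolved);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('[SECURITY] path escapes the workspace');
  }
  return resolved;
}

// Boolean wrapper (hypothetical) for handlers that deny and log instead of propagating.
function isPathAllowed(filePath, workspacePath) {
  try {
    validatePathInWorkspace(filePath, workspacePath);
    return true;
  } catch (err) {
    return false;
  }
}

// Constructed sample inputs, checked against a workspace of /workspace.
for (const p of ['src/main.js', '../../sensitive.txt', '/etc/passwd', '/workspace-evil/x', '~/.ssh/config']) {
  console.log(p, '->', isPathAllowed(p, '/workspace') ? 'allowed' : 'rejected');
}
```

This check is lexical only: a symlink inside the workspace that points outside it would still pass, so resolving the real path with `fs.realpath()` before the comparison is needed to cover that case.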
All IPC handlers now include:
- Input validation
- Path validation (where applicable)
- Error logging with security context
- Length limits on inputs
- `fs:readFile` - Validates path and workspace boundary
- `fs:writeFile` - Validates path, content, and workspace boundary
- `fs:rename` - Validates both paths and workspace boundary
- `fs:delete` - Validates path and workspace boundary
- `git:status` - Validates workspace path
- `git:stage` - Validates paths using execFile
- `git:commit` - Validates message and path using execFile
- Always validate user input before using it
- Use `execFile()` instead of `exec()` for external commands
- Use path validation for file operations
- Encrypt sensitive data before storage
- Log security-related errors with `[SECURITY]` prefix
- Set `WHIZCODE_ENCRYPTION_KEY` environment variable for production
- Keep WhizCode updated for security patches
- Only open trusted workspaces
- Review file operations in logs
To test the security measures:
```javascript
// Test path traversal prevention
// Should fail: attempting to read outside workspace
ipcRenderer.invoke('fs:readFile', '../../sensitive.txt', '/workspace');

// Test command injection prevention
// Should fail: git message with shell metacharacters
ipcRenderer.invoke('git:commit', {
  path: '/workspace',
  message: 'test"; rm -rf /'
});

// Test input validation
// Should fail: exceeds length limit
ipcRenderer.invoke('fs:writeFile', '/file.txt', 'x'.repeat(60000000));
```

- Add rate limiting to IPC handlers
- Implement request signing for critical operations
- Add audit logging for sensitive operations
- Implement code signing for releases
- Add security headers to renderer process
If you discover a security vulnerability, please email security@whizcode.dev with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if available)
Do not publicly disclose security issues until they have been addressed.