Security hardening: allowlist config keys, pin CI SHAs, clarify README, v2.5.4

ccups101 · ccups101 · commit 1dfa98d4a54f · 2026-04-14T15:02:24.000-04:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -14,10 +14,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
           node-version: 20
 
diff --git a/README.md b/README.md
@@ -66,7 +66,7 @@ Output goes to `dist/`.
 - Rate limiting with exponential backoff on failed password attempts (persisted across restarts)
 - Password strength enforcement: 10+ chars, 3/4 character classes, dictionary check against 160+ common passwords
 
-### Content Security Policy
+### Content Security Policy (Renderer)
 
 ```
 default-src 'none';
@@ -77,7 +77,9 @@ img-src 'self' data:;
 connect-src 'none';
 ```
 
-All scripts and fonts loaded from local `lib/` directory. Zero CDN dependencies at runtime. `connect-src 'none'` blocks any outbound fetch/XHR even if code is injected.
+All scripts and fonts loaded from local `lib/` directory. Zero CDN dependencies at runtime. `connect-src 'none'` blocks any outbound fetch/XHR from the renderer process, even if code is injected.
+
+**Note:** The auto-updater runs in the main process (not governed by the renderer's CSP) and makes a single HTTPS request to GitHub Releases on launch to check for new versions. This can be disabled in File → Settings.
 
 ### Additional Hardening
 
@@ -88,6 +90,8 @@ All scripts and fonts loaded from local `lib/` directory. Zero CDN dependencies
 - DOMPurify sanitizes all note content on load and paste
 - Export dialogs warn about unencrypted output
 - Print dialogs warn for password-protected notebooks
+- Config keys allowlisted — renderer can only write known settings
+- CI actions pinned to commit SHAs to prevent supply-chain attacks
 
 ## Development
 
diff --git a/main.js b/main.js
@@ -571,7 +571,7 @@ function createWindow() {
     ]},
     { label: "Help", submenu: [
       { label: "About NoteForge", click: () => dialog.showMessageBox(mainWindow, {
-        type: "info", title: "About NoteForge", message: "NoteForge v2.5.3",
+        type: "info", title: "About NoteForge", message: "NoteForge v2.5.4",
         detail: "Encrypted offline note-taking.\nAES-256-GCM · scrypt (N=65536)\nDerived key session · Auto-lock\n\nData: " + userDataPath,
       })},
     ]},
@@ -605,6 +605,8 @@ function saveConfig(cfg) {
 
 ipcMain.handle("get-config", async () => loadConfig());
 ipcMain.handle("set-config", async (_e, key, value) => {
+  const ALLOWED = new Set(["autoUpdate"]);
+  if (!ALLOWED.has(key)) return { error: "Unknown config key" };
   const cfg = loadConfig();
   cfg[key] = value;
   saveConfig(cfg);
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "noteforge",
-  "version": "2.5.3",
+  "version": "2.5.4",
   "description": "Encrypted offline note-taking — a OneNote alternative that keeps your data local and protected.",
   "main": "main.js",
   "author": {

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "noteforge",`
`3`		`- "version": "2.5.3",`
	`3`	`+ "version": "2.5.4",`
`4`	`4`	`"description": "Encrypted offline note-taking — a OneNote alternative that keeps your data local and protected.",`
`5`	`5`	`"main": "main.js",`
`6`	`6`	`"author": {`