Skip to content

fix(js): supabase jwt base64url decode and per-project error isolation#342

Open
TBX3D wants to merge 4 commits into
vmfunc:mainfrom
TBX3D:harden-jsdetect-probe
Open

fix(js): supabase jwt base64url decode and per-project error isolation#342
TBX3D wants to merge 4 commits into
vmfunc:mainfrom
TBX3D:harden-jsdetect-probe

Conversation

@TBX3D

@TBX3D TBX3D commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

four independent js-scan fixes: a supabase project's fetch/parse failure
(signup response, openapi spec) used to abort the whole scan, now it's
logged and skipped so other projects on the same page still get scanned;
a quoted regex-flag literal like "/gi" was reported as an endpoint; the
progress spinner kept running past an early script-parse error; and a
flaky wall-clock ReDoS-timing probe test is dropped (timing-based tests
are inherently unstable in CI).

TBX3D added 3 commits July 9, 2026 12:56
htmlquery.Parse and QueryAll failures returned before spin.Stop(), leaving
the "Scanning JavaScript files" spinner running forever on those paths while
every other error branch in the function stops it first.
Quoted regex flag combos like "/gi" or "/su" in ordinary JS (e.g.
str.replace("/gi", x)) matched the root-relative path alternative in
endpointRegex and were reported as endpoints. Denylist the known flag
bigrams by exact match instead of raising minEndpointLen, so real short
endpoints like /v1, /me, /ws still extract normally.
…error

ScanSupabase iterates every JWT found in a script and can discover several
distinct supabase projects. Four error paths inside that loop (reading the
signup response, parsing it, fetching the openapi spec, and a missing
Paths field) returned nil and the whole error, discarding any results
already collected for earlier, successfully scanned projects. Skip the
broken project with continue instead so the scan still returns what it
found.
@TBX3D
TBX3D requested a review from vmfunc as a code owner July 9, 2026 21:17
@github-actions github-actions Bot added size/l <500 lines changed scan changes to scan engine modules changes to scan modules tests test changes labels Jul 9, 2026
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

pr summary

6 files changed (+278 -6)

category files
go source 6
tests 3

@codecov-commenter

codecov-commenter commented Jul 9, 2026

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 38.46154% with 8 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (main@7ea1cd2). Learn more about missing BASE report.

Files with missing lines Patch % Lines
internal/scan/js/supabase.go 33.33% 6 Missing ⚠️
internal/scan/js/scan.go 0.00% 2 Missing ⚠️
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.
Additional details and impacted files
@@           Coverage Diff           @@
##             main     #342   +/-   ##
=======================================
  Coverage        ?   55.95%           
=======================================
  Files           ?       81           
  Lines           ?     6881           
  Branches        ?        0           
=======================================
  Hits            ?     3850           
  Misses          ?     2744           
  Partials        ?      287           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@TBX3D
TBX3D force-pushed the harden-jsdetect-probe branch from 76af728 to e48519f Compare July 9, 2026 21:52
go's regexp is re2 and linear by construction; the timing threshold added
only flake under -race load, not coverage. the regex-flag-literal false
positive it sat next to is guarded by TestRegexFlagEndpointsNotReported.
@TBX3D
TBX3D force-pushed the harden-jsdetect-probe branch from e48519f to 6a29010 Compare July 9, 2026 23:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

modules changes to scan modules scan changes to scan engine size/l <500 lines changed tests test changes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants