Skip to content

Fix/potential file system race#91

Merged
arneschmid merged 5 commits into
mainfrom
fix/potential-file-system-race
Jun 23, 2026
Merged

Fix/potential file system race#91
arneschmid merged 5 commits into
mainfrom
fix/potential-file-system-race

Conversation

@arneschmid

@arneschmid arneschmid commented Jun 23, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Fixes

  • #

Changes

  • Fixing code scanning findings
    • Several 'Potential file system race condition'
    • Several 'Missing origin verification in message handler'

Screenshots

image

Checklist

  • 🤖 This change is covered by unit tests (if applicable).
  • 🤹 Manual testing has been performed (if necessary).
  • 🛡️ Security impacts have been considered (if relevant).
  • 📖 Documentation updates are complete (if required).
  • 🧠 Third-party dependencies and TPIP updated (if required).

@arneschmid arneschmid requested a review from edriouk June 23, 2026 08:29
@edriouk edriouk removed their request for review June 23, 2026 08:32
@thorstendb-ARM thorstendb-ARM requested a review from Copilot June 23, 2026 09:28
Copilot AI reviewed Jun 23, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses code scanning findings by hardening webview message handling (origin verification) and reducing TOCTOU-style filesystem patterns when creating config/metadata files.

Changes:

  • Added event.origin verification to multiple webview message handlers.
  • Switched config/metadata creation to atomic file creation (fs.writeFileSync(..., { flag: 'wx' })) with EEXIST handling.
  • Reworked workspace config seeding logic in ensureWorkspaceConfigFile (but the current approach likely breaks the “open config outside workspace then openFolder” flow).

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
src/webview/bridge.ts Adds origin verification to the shared webview message bridge handler.
src/viewer/webview/dataViewerApp.tsx Adds origin verification to viewer app message handler.
src/viewer/webview/components/frameWindowViewer.ts Adds origin verification to frame window viewer message handler.
src/viewer/webview/components/audioViewer.tsx Adds origin verification to audio viewer message handler.
src/extension.ts Replaces direct .vscode/settings.json seeding with workspace.getConfiguration().update() (introduces a likely functional regression).
src/commands/sdsioConfigCommands.ts Uses atomic file creation for new config files and handles EEXIST.
src/commands/sdsFileCommands.ts Uses atomic file creation for metadata template and handles EEXIST.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/extension.ts
Comment thread src/extension.ts
thorstendb-ARM
thorstendb-ARM approved these changes Jun 23, 2026
View reviewed changes

@thorstendb-ARM thorstendb-ARM left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, try/catch are added to file access

@arneschmid arneschmid merged commit a8a07ab into main Jun 23, 2026
12 checks passed
@arneschmid arneschmid deleted the fix/potential-file-system-race branch June 23, 2026 12:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments
@thorstendb-ARM thorstendb-ARM thorstendb-ARM approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@arneschmid @thorstendb-ARM