Where: `index.js` cool-off `setTimeout` (~L309-314, ~L677-682). Problem: Timers live only in process memory; a restart
mid-hold leaves the button disabled forever. Fix: On startup, scan active `cooloff_holds` ...
audit
P1-high
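Worked example for the cool-off item above (added here; not the project's code). The hold is recorded in the persisted DB with an absolute expiry under `cooloff_holds` (the key named in the issue), and `rearmHolds` is meant to run once at startup: holds that expired while the process was down are released immediately, and the rest are re-scheduled for their remaining time. The clock and timer are injectable so the behaviour can be checked offline; `startHold`, `rearmHolds`, the `until` field and the `onExpire` callback are assumed names.

```javascript
// Added example, not the project's code. A cool-off hold is stored with an
// absolute expiry (epoch ms) so it survives a process restart. `now` and
// `setTimer` are injectable for offline testing; the names are assumptions.
function startHold(db, key, durationMs, { now = Date.now(), setTimer = setTimeout, onExpire } = {}) {
  if (!db.cooloff_holds) db.cooloff_holds = {};
  db.cooloff_holds[key] = { until: now + durationMs }; // persisted alongside the rest of the DB
  return setTimer(() => {
    delete db.cooloff_holds[key];
    if (onExpire) onExpire(key);
  }, durationMs);
}

// Run once on startup: release holds that expired while the bot was down and
// schedule only the remaining time for the ones still active.
function rearmHolds(db, { now = Date.now(), setTimer = setTimeout, onExpire } = {}) {
  const report = { released: [], rearmed: [] };
  for (const [key, hold] of Object.entries(db.cooloff_holds || {})) {
    const remaining = hold.until - now;
    if (remaining <= 0) {
      delete db.cooloff_holds[key]; // expired during downtime: re-enable now
      if (onExpire) onExpire(key);
      report.released.push(key);
    } else {
      setTimer(() => {
        delete db.cooloff_holds[key];
        if (onExpire) onExpire(key);
      }, remaining);
      report.rearmed.push({ key, remaining });
    }
  }
  return report;
}
```

Because the expiry is absolute rather than a duration, a second restart during the same hold computes the correct remaining time again; the in-memory timer is just a cache of the persisted record.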
Where: `src/layer2.js` and `src/deescalation.js` (~L85) — user content interpolated raw. Problem: Crafted messages can
attempt to steer the verdict or break the de-escalation JSON parser (scam text injection). ...
audit
P1-high
security
Where: `src/database.js` / `admin.js` (both load and rewrite the whole DB image). Problem: Running `admin.js` while the
bot is live lets the last writer clobber the other's changes silently. Fix: Add a ...
audit
P1-high
Where: `src/web/server.js` checkout/portal (~L1606-1640) and webhook (~L1645-1680). Problem: Checkout error echoes which
env var is missing; subscription-deleted path matches by `customer` only. Webhook ...
audit
P1-high
security
Where: `src/web/server.js` error handler (~L1690-1693). Problem: Renders `err.message`/`err.oauthError` into the 500
page, leaking internals to users. Fix: Generic message in production; full detail to ...
audit
P1-high
security
Where: all routes in `src/web/server.js`; notably `POST /dashboard/:guildId/admin-feedback-summary` (~L897). Problem: No
throttling. The feedback-summary route triggers a paid DeepSeek call per request; ...
audit
P1-high
security
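Worked example for the throttling item above (added here; not the project's code). A per-key token bucket is keyed on the authenticated user plus the route, so a paid endpoint such as `POST /dashboard/:guildId/admin-feedback-summary` gets its own budget and a rejected request never reaches the DeepSeek call. The clock is injectable so refill can be exercised offline; capacity, refill rate, the `req.user.id` shape and the function names are assumptions.

```javascript
// Added example, not the project's code. Token bucket per key plus an
// Express-style middleware; `now` is injectable for offline tests.
function createLimiter({ capacity, refillPerSec, now = () => Date.now() }) {
  const buckets = new Map();
  return {
    allow(key) {
      const t = now();
      let b = buckets.get(key);
      if (!b) { b = { tokens: capacity, last: t }; buckets.set(key, b); }
      const elapsedSec = Math.max(0, (t - b.last) / 1000);
      b.tokens = Math.min(capacity, b.tokens + elapsedSec * refillPerSec);
      b.last = t;
      if (b.tokens >= 1) {
        b.tokens -= 1;
        return { allowed: true, remaining: Math.floor(b.tokens), retryAfterSec: 0 };
      }
      return { allowed: false, remaining: 0, retryAfterSec: Math.ceil((1 - b.tokens) / refillPerSec) };
    },
  };
}

function rateLimit(limiter, keyOf) {
  return (req, res, next) => {
    const r = limiter.allow(keyOf(req));
    res.setHeader('X-RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(r.retryAfterSec));
      return res.status(429).send('Too many requests'); // the paid call is never made
    }
    return next();
  };
}

// Offline harness: a constructed req/res pair standing in for Express objects.
function invoke(middleware, userId, path) {
  const headers = {};
  let status = 200;
  let reachedRoute = false;
  const req = { user: { id: userId }, path };
  const res = {
    setHeader: (k, v) => { headers[k] = v; },
    status(code) { status = code; return this; },
    send() { return this; },
  };
  middleware(req, res, () => { reachedRoute = true; });
  return { reachedRoute, status, headers };
}
```

Usage in an app would be `app.post('/dashboard/:guildId/admin-feedback-summary', rateLimit(limiter, (req) => `${req.user.id}:${req.path}`), handler)`. A global, unauthenticated-IP bucket in front of every route is the cheap second layer; the per-user one above is what protects the paid call.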
Where: `src/layer2.js` image-analysis error path. Problem: On error it returns `{flagged:false, confidence:0}`, so for
image-only messages a vision API error silently clears the message. (Text Layer 2 ...
audit
P1-high
security
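Worked example for the image-analysis item above (added here; not the project's code). The wrapper turns an API failure into its own outcome instead of the clean-looking `{flagged:false, confidence:0}` the issue describes, and the caller holds an image-only message when nothing about it could be verified rather than clearing it. `classify` is an injected async function standing in for the vision call; the `status`/`action` values and function names are assumptions.

```javascript
// Added example, not the project's code. Fail closed on classifier errors:
// report "error", never a fabricated clean verdict. Names are assumptions.
async function analyzeImage(classify, image) {
  try {
    const r = await classify(image);
    return { status: 'ok', flagged: Boolean(r.flagged), confidence: Number(r.confidence) || 0 };
  } catch (err) {
    return { status: 'error', flagged: null, confidence: null, error: err.message };
  }
}

// Combine text and image verdicts. An image-only message whose images could
// not be analysed is held for review; a message whose text was checked is
// cleared but reports how many images went unverified.
function decide({ hasText, textFlagged, imageVerdicts }) {
  const unverified = imageVerdicts.filter((v) => v.status === 'error').length;
  if (textFlagged || imageVerdicts.some((v) => v.status === 'ok' && v.flagged)) {
    return { action: 'flag', unverified };
  }
  if (unverified > 0 && !hasText) return { action: 'hold', unverified };
  return { action: 'clear', unverified };
}
```

The important property is that `flagged` is `null`, not `false`, on error: any downstream code that tests `if (!verdict.flagged)` must be updated to check `status` first, otherwise the silent-clear behaviour comes back through a different path.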
Where: `index.js` image download (~L162-173). Problem: `fetch`→`arrayBuffer` with no size cap/timeout, all images per
message fetched via `Promise.all` → memory spike / OOM risk from large or many images. ...
audit
P1-high
security
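Worked example for the image-download item above (added here; not the project's code). It replaces an uncapped `fetch` followed by `arrayBuffer()` with a download that rejects on a declared `Content-Length` over the cap, stops reading the body the moment the cap is crossed (so a lying or chunked response cannot grow memory), aborts on an overall timeout, and runs attachments through a small worker pool instead of `Promise.all` over every one. `fetchImpl` is injectable so the function can be exercised offline; the cap, timeout, pool size and function names are assumptions. The `fakeFetch` helper is a constructed stand-in, not a real server.

```javascript
// Added example, not the project's code. Byte cap, timeout and bounded
// concurrency for attachment downloads. Limits are assumptions.
const MAX_IMAGE_BYTES = 8 * 1024 * 1024;
const FETCH_TIMEOUT_MS = 10000;

async function downloadCapped(url, { maxBytes = MAX_IMAGE_BYTES, timeoutMs = FETCH_TIMEOUT_MS, fetchImpl = globalThis.fetch } = {}) {
  const ac = new AbortController();
  const timer = setTimeout(() => ac.abort(), timeoutMs);
  try {
    const res = await fetchImpl(url, { signal: ac.signal });
    if (!res.ok) throw new Error(`HTTP ${res.status} for ${url}`);
    // Cheap early reject when the server declares a size over the cap.
    const declared = Number(res.headers.get('content-length'));
    if (Number.isFinite(declared) && declared > maxBytes) {
      throw new Error(`declared size ${declared} exceeds cap ${maxBytes}`);
    }
    // Stream the body and stop as soon as the cap is crossed.
    const chunks = [];
    let received = 0;
    for await (const chunk of res.body) {
      received += chunk.length;
      if (received > maxBytes) {
        ac.abort();
        throw new Error(`body exceeded cap ${maxBytes} bytes`);
      }
      chunks.push(Buffer.from(chunk));
    }
    return Buffer.concat(chunks);
  } finally {
    clearTimeout(timer);
  }
}

// At most `limit` downloads in flight; one failure does not reject the batch.
async function downloadAll(urls, limit = 2, opts = {}) {
  const results = new Array(urls.length);
  let next = 0;
  async function worker() {
    while (next < urls.length) {
      const i = next++;
      try { results[i] = { ok: true, data: await downloadCapped(urls[i], opts) }; }
      catch (err) { results[i] = { ok: false, error: err.message }; }
    }
  }
  await Promise.all(Array.from({ length: Math.min(limit, urls.length) }, worker));
  return results;
}

// Constructed offline stand-in for fetch: url -> { status, headers, chunks }.
function fakeFetch(responses) {
  return async (url) => {
    const r = responses[url];
    const body = (async function* () { for (const c of r.chunks) yield c; })();
    return { ok: r.status === 200, status: r.status, headers: new Map(Object.entries(r.headers || {})), body };
  };
}
```

Per-image failures come back as `{ ok: false, error }` so the message handler can decide whether a missing attachment should hold the message or just be logged; with `Promise.all` a single oversized image would have rejected every other download in the batch as well.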
Where: `src/web/server.js` modal client JS (~L1110-1132, ~L1359-1380). Problem: `channel_name`,
`author_tag`/`author_name`, and `image_urls` are injected via `innerHTML` unescaped. A crafted server nickname/URL ...
audit
P1-high
security
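Worked example for the `innerHTML` item above (added here; not the project's code). Values that originate from Discord (a server nickname, an author tag, an attachment URL) are escaped before being concatenated into markup, and URLs are additionally restricted to `http:`/`https:` because escaping does not neutralise a `javascript:` scheme in an `src` or `href`. The field names `channel_name`, `author_tag` and `image_urls` are taken from the issue; the row markup and function names are illustrative.

```javascript
// Added example, not the project's code. Escape for HTML text and
// double-quoted attribute contexts, and allow-list URL schemes separately.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Only http(s) URLs may reach src/href; anything else (javascript:, data:,
// vbscript:) is dropped rather than escaped.
function safeHttpUrl(value) {
  try {
    const u = new URL(String(value));
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
  } catch (_) {
    return null;
  }
}

// Builds the modal row from a flagged-message record; every interpolated
// value passes through escapeHtml, and image URLs through safeHttpUrl first.
function renderFlagRow(flag) {
  const images = (flag.image_urls || [])
    .map(safeHttpUrl)
    .filter(Boolean)
    .map((u) => `<img src="${escapeHtml(u)}" alt="">`)
    .join('');
  return '<div class="flag">' +
    `<span class="chan">#${escapeHtml(flag.channel_name)}</span> ` +
    `<span class="author">${escapeHtml(flag.author_tag)}</span>` +
    `<div class="images">${images}</div></div>`;
}
```

Where the client code builds elements directly, `el.textContent = value` and `img.src = safeHttpUrl(value)` avoid the string-building altogether; the escaping above is for the places that genuinely assemble an HTML string for `innerHTML`.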
Where: `src/database.js` `persist()` (~L38-40). Problem: `fs.writeFileSync` writes the full DB directly over `DB_PATH`;
a crash mid-write can corrupt the only copy. It is also synchronous and blocks the ...
audit
P0-critical