Security context

What an agent needs to avoid regressing past fixes and find the next vuln in this repo.

joganubaid/omniexporter-ai-fixed-v2
master @ 7c7eb4d
12
Fixes
0
CVEs
HIGH
Peak severity
Highlights
Auth Bypass: 2 prior fixes. Scrutinize any change in this area.
auth/notion-oauth.js: most-fixed (3 issues). Treat as high-risk during review.
3 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns

The bug types that recur here, drawn from past fixes, not open vulnerabilities.

Auth Bypass: Incomplete state matching allowed invalid or null OAuth state validations to pass. Remediation required implementing robust checks against null or missing state variables to prevent authorization hijacking.
Credential Exposure: Exposing the Notion client secret directly within the client-side extension exposed it to theft. Mitigated by routing token operations via a Cloudflare Worker backend intermediate.
Cross-Origin Resource Sharing (CORS): A wildcard Access-Control-Allow-Origin header permitted any external site to read sensitive OAuth responses, requiring a transition to a strict allowlist of extension IDs.