fix: Deep audit security, bug, and performance fixes across TreeWalker core#83
Open
InboraStudio wants to merge 1 commit into
Conversation
…ker core

Comprehensive code audit of the Forge TreeWalker framework identifying and remediating critical issues across 7 source files:

Security:
- Add explicit TypeNameHandling.None to JSON deserialization to prevent type-injection attacks via modified DefaultSettings (TreeWalkerSession.cs)

Bug Fixes:
- Replace dead Guid/CancellationToken null-checks with Guid.Empty validation; struct == null is always false in C# (ActionContext, TreeNodeContext, TreeWalkerParameters)
- Dispose CancellationTokenSource in ExecuteAction via using block to prevent OS handle leaks under high-throughput retry scenarios (TreeWalkerSession.cs)
- Implement MissingResolver.Equals/GetHashCode properly; previous NotImplementedException would crash at runtime if resolver was used in collections (ExpressionExecutor.cs)

Performance:
- Cache BaseAction.RunAction MethodInfo as static readonly to eliminate per-execution reflection overhead (TreeWalkerSession.cs)
- Replace double serialize-parse (SerializeObject + JObject.Parse) with direct JObject.FromObject in schema validator (ForgeSchemaValidator.cs)

Code Quality:
- Remove unused System.Threading.Tasks import (ActionDefinition.cs)
- Fix comment typos: timout -> timeout, Attmpt -> Attempt (TreeWalkerSession.cs)

Build verified: 0 warnings, 0 errors on both netstandard2.0 and net462.
Added explicit TypeNameHandling.None in JSON deserialization to prevent type-injection attacks from modified DefaultSettings (TreeWalkerSession.cs)
Replaced invalid Guid/CancellationToken == null checks with Guid.Empty validation since structs can’t be null (ActionContext, TreeNodeContext, TreeWalkerParameters)
Fixed CancellationTokenSource leak in ExecuteAction using proper using disposal for high-throughput retry cases (TreeWalkerSession.cs)
Implemented MissingResolver.Equals() and GetHashCode() correctly to prevent runtime crashes when used in collections (ExpressionExecutor.cs)
Cached BaseAction.RunAction MethodInfo as static readonly to remove repeated reflection overhead (TreeWalkerSession.cs)
Replaced double serialize + parse (SerializeObject + JObject.Parse) with direct JObject.FromObject in schema validator (ForgeSchemaValidator.cs)
Removed unused System.Threading.Tasks import (ActionDefinition.cs)
Fixed comment typos (timout → timeout, Attmpt → Attempt)
Clean build with 0 warnings and 0 errors on both netstandard2.0 and net462.
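The first two items in the description, pinning TypeNameHandling.None and replacing the dead struct null-check, as an added example. This is not code from the Forge TreeWalker repository; it assumes the Newtonsoft.Json package is referenced, and the NodeConfig and Harmless types, the RequireActionId helper and the sample document are constructed for illustration. It also shows the single JObject.FromObject conversion from the performance item. The point it makes observable: a call that relies on JsonConvert.DefaultSettings inherits whatever TypeNameHandling the host process has installed, while a call with its own JsonSerializerSettings does not. With TypeNameHandling.None, Newtonsoft treats a "$type" member as ordinary data, so the polymorphic Payload slot deserializes to a JObject; with Auto in effect, the hint is resolved to the named type.

```csharp
// Added example for this PR page; it is not code from the Forge TreeWalker repository.
// Assumes the Newtonsoft.Json package is referenced. NodeConfig, Harmless and
// RequireActionId are constructed for illustration.
using System;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

public sealed class NodeConfig
{
    public string Name { get; set; }
    public object Payload { get; set; }   // polymorphic slot: where a "$type" hint would take effect
}

public sealed class Harmless
{
    public string Marker { get; set; }
}

public static class DeserializationHardening
{
    // Pinned settings: behaviour no longer depends on what the host process
    // has put into JsonConvert.DefaultSettings.
    private static readonly JsonSerializerSettings Pinned = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.None,
    };

    // Inherits the process-wide DefaultSettings, including any TypeNameHandling set there.
    public static NodeConfig DeserializeRelaxed(string json)
        => JsonConvert.DeserializeObject<NodeConfig>(json);

    // Explicit settings: "$type" members are read as plain properties.
    public static NodeConfig DeserializeHardened(string json)
        => JsonConvert.DeserializeObject<NodeConfig>(json, Pinned);

    // Guid is a struct, so 'id == null' compiles with warning CS0472 and is always false.
    // Guid.Empty is the value an uninitialised Guid actually holds, so that is what to test.
    public static void RequireActionId(Guid id)
    {
        if (id == Guid.Empty)
            throw new ArgumentException("Action id must not be Guid.Empty.", nameof(id));
    }

    // One conversion instead of SerializeObject(...) followed by JObject.Parse(...).
    public static JObject ToJObject(object value) => JObject.FromObject(value);

    public static void Main()
    {
        // Constructed input: a document carrying a "$type" hint that names a benign local type.
        string typeHint = typeof(Harmless).FullName + ", " + typeof(Harmless).Assembly.GetName().Name;
        string input = new JObject
        {
            ["Name"] = "node-1",
            ["Payload"] = new JObject { ["$type"] = typeHint, ["Marker"] = "m" },
        }.ToString(Formatting.None);

        // Simulate a host that loosens the process-wide defaults, the condition the PR guards against.
        JsonConvert.DefaultSettings = () => new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Auto,
        };

        NodeConfig relaxed = DeserializeRelaxed(input);
        NodeConfig hardened = DeserializeHardened(input);

        // Compare the runtime type of the polymorphic slot under the two code paths.
        Console.WriteLine("relaxed  Payload: " + relaxed.Payload.GetType().Name);
        Console.WriteLine("hardened Payload: " + hardened.Payload.GetType().Name);

        // Guid validation: a fresh Guid passes, Guid.Empty is rejected.
        RequireActionId(Guid.NewGuid());
        try
        {
            RequireActionId(Guid.Empty);
        }
        catch (ArgumentException e)
        {
            Console.WriteLine(e.Message);
        }

        // Direct object-to-JObject conversion, as the schema-validator change does.
        Console.WriteLine(ToJObject(hardened)["Name"]);
    }
}
```

Build it as a console project with Newtonsoft.Json referenced and run Main: the relaxed path reports the slot as Harmless because the installed Auto setting resolved the hint, and the pinned path reports JObject. The same comparison is a cheap regression check to keep next to any deserialization entry point that accepts externally supplied JSON.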