Security: Multiple vulnerabilities found via Snyk Code Analysis (XSS, Path Traversal, ReDoS, Open Redirect) #7737
Status: Open
Labels: bug (Something isn't working), needs-investigation (This issue needs to be further investigated), security (Security related)
Description
Summary
Snyk Code Analysis identified 65 issues across 92 analyzed files in code-server. The High severity findings affect production deployments.
High Severity (7 issues)
Cross-site Scripting (XSS) — CWE-79, Score 807
src/node/routes/errors.ts line 56; src/node/routes/login.ts lines 68, 119
User-controlled input may be rendered without proper HTML escaping in error and login responses.
Path Traversal — CWE-23, Score 804
src/node/routes/vscode.ts lines 149, 219
User-supplied path components may allow reading files outside the intended directory.
Regular Expression Denial of Service (ReDoS) — CWE-400, Score 752
src/node/routes/domainProxy.ts line 46
A regex pattern may cause catastrophic backtracking with crafted input.
Medium Severity (14 issues)
Open Redirect — CWE-601, Score 557
src/node/routes/login.ts lines 62, 99; src/node/routes/index.ts line 94
Allocation of Resources Without Limits — CWE-770, Score 555
src/node/routes/errors.ts line 37; src/node/routes/vscode.ts line 213
Information Exposure via X-Powered-By — CWE-200, Score 554
src/node/app.ts line 70
Sensitive Cookie Without Secure/HttpOnly Flags — CWE-614/CWE-1004, Score 402
src/node/routes/login.ts line 96
Low Severity (44 issues)
Primarily in test files (hardcoded passwords, cleartext HTTP). Not production concerns.
Reproduction
Scanned with Snyk Code Analysis on code-server main branch (commit near v4.112.0).
Suggested Fixes
- XSS: HTML-encode user input before rendering in error/login templates
- Path Traversal: Resolve and validate paths against intended root directory
- ReDoS: Simplify or replace the vulnerable regex pattern
- Open Redirect: Validate redirect URLs against an allowlist
- X-Powered-By: Disable with app.disable('x-powered-by')
- Cookie flags: Add Secure and HttpOnly to session cookies
Happy to submit PRs for any of these if the team confirms the approach.
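As an added illustration of the suggested fixes above (this is example code written for this page, not code from the code-server project or from the issue author), the TypeScript below shows the four fixes that can be expressed as plain functions: HTML-escaping before rendering, resolving a user-supplied path and confirming it stays inside the intended root, validating a redirect target against a host allowlist, and emitting a session cookie with Secure and HttpOnly set. The names `escapeHtml`, `resolveWithinRoot`, `safeRedirectTarget`, `sessionCookieHeader` and `PLACEHOLDER_ORIGIN` are chosen here and do not exist in code-server; the sample inputs in the comments are constructed.

```typescript
import * as path from "node:path"

// --- Fix 1: HTML-encode user input before it reaches an error/login template ---
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
}

export function escapeHtml(input: string): string {
  // Escape every character that could open a tag or break out of an attribute.
  return input.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c])
}

// --- Fix 2: resolve a user-supplied path and validate it against the intended root ---
// Returns the absolute path if it lies inside `root`, otherwise null (caller should 404/403).
export function resolveWithinRoot(root: string, userPath: string): string | null {
  // Embedded NUL bytes would truncate the path at the filesystem layer; reject outright.
  if (userPath.includes("\0")) return null
  const rootAbs = path.resolve(root)
  // If userPath is absolute, path.resolve ignores rootAbs; the containment check below catches that.
  const target = path.resolve(rootAbs, userPath)
  const rel = path.relative(rootAbs, target)
  if (rel === "") return target                         // the root directory itself
  if (rel === ".." || rel.startsWith(".." + path.sep)) return null // escaped the root
  if (path.isAbsolute(rel)) return null                 // different drive on Windows
  return target
}

// --- Fix 4: validate redirect targets against an allowlist ---
// A constructed, non-routable origin used only as the base for parsing relative targets.
const PLACEHOLDER_ORIGIN = "https://placeholder.invalid"

export function safeRedirectTarget(
  candidate: string | undefined,
  allowedHosts: string[],
  fallback = "/",
): string {
  if (!candidate) return fallback
  let url: URL
  try {
    url = new URL(candidate, PLACEHOLDER_ORIGIN)
  } catch {
    return fallback
  }
  if (url.origin === PLACEHOLDER_ORIGIN) {
    // Path-relative target on our own origin: keep only path and query.
    // Protocol-relative inputs such as "//other.example/x" or "/\other.example"
    // parse to a different origin and therefore do not reach this branch.
    return url.pathname + url.search
  }
  // Absolute target: allow only HTTPS hosts on the explicit allowlist.
  if (url.protocol === "https:" && allowedHosts.includes(url.host)) return url.href
  return fallback
}

// --- Fix 6: session cookie with Secure and HttpOnly ---
// Builds the Set-Cookie header value; with Express the equivalent is
// res.cookie(name, value, { httpOnly: true, secure: true, sameSite: "lax", path: "/" }).
export function sessionCookieHeader(name: string, value: string): string {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`
}

// Constructed sample inputs, shown for readers running the file directly.
console.log(escapeHtml('<script>alert("x")</script>'))
console.log(resolveWithinRoot("/srv/app", "../etc/passwd"))        // null
console.log(safeRedirectTarget("//other.example/x", []))           // "/"
console.log(sessionCookieHeader("key", "abc123"))
```

Note that `resolveWithinRoot` expects an already URL-decoded path (Express decodes route parameters before handlers run), and the allowlist in `safeRedirectTarget` is compared against `url.host`, so a port must be included in the allowlist entry if the target uses one.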