Fix security audit false positives in CI

DeusData · DeusData · commit 93d332d1e049 · 2026-03-20T18:47:55.000+01:00
- UI audit (L6): allowlist bundled framework URLs in dist/ (React error
  URLs, W3C namespace URIs, Three.js credits, Google Fonts, Tailwind).
  These are embedded by npm deps during Vite build, not our code.
- Binary strings (L2): skip URLs shorter than 15 chars — Windows binary
  has byte sequences that strings(1) interprets as "https://H9" etc.
- Allow Google Fonts &lt;link&gt; in HTML (loaded by index.html for Inter/
  JetBrains Mono fonts).
diff --git a/scripts/security-strings.sh b/scripts/security-strings.sh
@@ -53,6 +53,10 @@ ALLOWED_URLS=(
 )
 
 while IFS= read -r url; do
+    # Skip short false positives from binary data (e.g. "https://H9")
+    if [[ ${#url} -lt 15 ]]; then
+        continue
+    fi
     allowed=false
     for prefix in "${ALLOWED_URLS[@]}"; do
         if [[ "$url" == "$prefix"* ]]; then
diff --git a/scripts/security-ui.sh b/scripts/security-ui.sh
@@ -41,11 +41,23 @@ else
         if find "$UI_DIR" -type f \( -name '*.js' -o -name '*.ts' -o -name '*.tsx' -o -name '*.css' \) -exec grep -lE 'https?://' {} \; 2>/dev/null | head -20 > "$SEC_TMPDIR/urls"; then
             while IFS= read -r file; do
                 relfile="${file#"$ROOT/"}"
-                # Check each URL — only localhost/127.0.0.1 allowed
                 grep -onE 'https?://[^\s"'"'"')]+' "$file" 2>/dev/null | while IFS=: read -r lineno url; do
                     case "$url" in
                         http://localhost*|http://127.0.0.1*|https://localhost*|https://127.0.0.1*)
-                            ;; # OK
+                            ;; # OK — local dev/runtime
+                        # Bundled framework URLs (embedded by npm deps in dist/ builds):
+                        http://www.w3.org/*|https://www.w3.org/*)
+                            ;; # W3C XML/SVG/MathML namespace URIs
+                        https://react.dev/*|https://reactjs.org/*)
+                            ;; # React error/docs URLs
+                        https://github.com/*|https://cdn.jsdelivr.net/*)
+                            ;; # OSS library credits + CDN refs in bundled code
+                        https://fonts.googleapis.com/*|https://fonts.gstatic.com/*)
+                            ;; # Google Fonts (loaded by index.html)
+                        https://tailwindcss.com/*|https://tailwindc*)
+                            ;; # Tailwind CSS source annotations
+                        https://jcgt.org/*|https://doc*)
+                            ;; # Academic/documentation refs in Three.js shaders
                         *)
                             echo "  BLOCKED: ${relfile}:${lineno}: External URL: $url"
                             touch "$SEC_TMPDIR/fail_flag"
@@ -61,7 +73,9 @@ else
         if find "$UI_DIR" -type f -name '*.html' -exec grep -lE '<script\s+src=|<link\s+href=' {} \; 2>/dev/null > "$SEC_TMPDIR/scripts"; then
             while IFS= read -r file; do
                 relfile="${file#"$ROOT/"}"
-                if grep -nE '<script\s+src="https?://|<link\s+href="https?://' "$file" 2>/dev/null | grep -v 'localhost' | grep -v '127.0.0.1'; then
+                if grep -nE '<script\s+src="https?://|<link\s+href="https?://' "$file" 2>/dev/null \
+                    | grep -v 'localhost' | grep -v '127.0.0.1' \
+                    | grep -v 'fonts.googleapis.com' | grep -v 'fonts.gstatic.com'; then
                     echo "  BLOCKED: ${relfile}: External script/link load detected"
                     FAIL=1
                 fi
