security: [MEDIUM] Unvalidated JSON.parse() on external data in main.ts #3196
Description
Finding
File: .claude/skills/setup-spa/main.ts
Lines: 688, 969, 1529, 1558
Severity: MEDIUM
Description
Multiple instances of JSON.parse() on external data without try-catch or schema validation:
- Line 688:
parsed = JSON.parse(trimmed);— parsing stdout from claude subprocess - Line 969:
parsed = JSON.parse(value);— parsing Slack button action payload - Line 1529:
const data = (await res.json()) as Record<string, unknown>;— Reddit OAuth response - Line 1558:
const data = (await res.json()) as Record<string, unknown>;— Reddit comment API response
These all parse untrusted external input without validation, using bare JSON.parse() or .json() with only a type assertion.
Impact
- Denial of Service: Malformed JSON throws exceptions that could crash the bot
- Prototype Pollution: If parsed objects are spread or merged, could pollute Object.prototype
- Logic bugs: Type assertions don't validate structure, leading to runtime errors when accessing nested properties
Recommendation
Use valibot schemas for ALL external JSON:
import * as v from "valibot";
const ClaudeEventSchema = v.object({ type: v.string(), ... });
const parsed = v.safeParse(ClaudeEventSchema, JSON.parse(trimmed));
if (!parsed.success) { /* handle error */ }For Reddit API responses, define explicit schemas instead of as Record<string, unknown>.
-- security/code-scanner