Skip to content

feat: Phoenix builder agentic pieces for phoenix to build itself#2675

Merged
abose merged 4 commits intomainfrom
z
Feb 16, 2026
Merged

feat: Phoenix builder agentic pieces for phoenix to build itself#2675
abose merged 4 commits intomainfrom
z

Conversation

@abose
Copy link
Member

@abose abose commented Feb 16, 2026

No description provided.

github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 16, 2026
View reviewed changes
src/phoenix/shell.js
reject(new Error(event.data.error || "Screenshot capture failed"));
}
}
window.addEventListener("message", onMessage);

Check failure

Code scanning / SonarCloud

Origins should be verified during cross-origin communications High

Verify the origin of the received message. See more on SonarQube Cloud
src/phoenix/shell.js
window.removeEventListener("message", onMessage);
reject(new Error("Screenshot capture timed out after 30 seconds"));
}, TIMEOUT_MS);
window.postMessage({ type: "phoenix_screenshot_request", id }, "*");

Check failure

Code scanning / SonarCloud

Origins should be verified during cross-origin communications High

Specify a target origin for this message. See more on SonarQube Cloud
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 16, 2026
View reviewed changes
src/phoenix-builder/phoenix-builder-boot.js

// Dispatch to registered handler, or built-in defaults
if (msg.type && handlers[msg.type]) {
handlers[msg.type](msg);

Check failure

Code scanning / CodeQL

Unvalidated dynamic method call High

Invocation of method with
user-controlled
Loading
name may dispatch to unexpected target and cause an exception.

Copilot Autofix

AI 1 day ago

In general, to fix unvalidated dynamic method calls, we should ensure that the property name derived from untrusted data is validated against a known set of allowed values, or at least check that the looked-up property is an own property and that its value is a function before invoking it. This prevents unexpected prototype methods or non-functions from being called and avoids runtime exceptions from malformed inputs.

Here, the best targeted fix is to guard the call to handlers[msg.type](msg) with checks that (1) msg.type is a string, (2) handlers actually has that key as an own property (not via the prototype chain), and (3) the resulting value is a function. If any of these checks fail, we simply ignore the message (or could add optional logging) without throwing. This preserves existing behavior for valid messages, while safely handling malicious or malformed ones.

Concretely, in src/phoenix-builder/phoenix-builder-boot.js, in the ws.onmessage handler around lines 251–264, replace the current dispatch block:

// Dispatch to registered handler, or built-in defaults
if (msg.type && handlers[msg.type]) {
    handlers[msg.type](msg);
} else if (msg.type === "ping") {
    _sendMessage({ type: "pong" });
}

with a safer version that uses Object.prototype.hasOwnProperty.call and a function-type check:

// Dispatch to registered handler, or built-in defaults
if (typeof msg.type === "string" &&
    Object.prototype.hasOwnProperty.call(handlers, msg.type) &&
    typeof handlers[msg.type] === "function") {
    handlers[msg.type](msg);
} else if (msg.type === "ping") {
    _sendMessage({ type: "pong" });
}

This change stays within the shown snippet, adds no new imports, and does not alter visible functionality for correct inputs.

Suggested changeset 1
src/phoenix-builder/phoenix-builder-boot.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/phoenix-builder/phoenix-builder-boot.js b/src/phoenix-builder/phoenix-builder-boot.js
--- a/src/phoenix-builder/phoenix-builder-boot.js
+++ b/src/phoenix-builder/phoenix-builder-boot.js
@@ -257,7 +257,9 @@
             }
 
             // Dispatch to registered handler, or built-in defaults
-            if (msg.type && handlers[msg.type]) {
+            if (typeof msg.type === "string" &&
+                Object.prototype.hasOwnProperty.call(handlers, msg.type) &&
+                typeof handlers[msg.type] === "function") {
                 handlers[msg.type](msg);
             } else if (msg.type === "ping") {
                 _sendMessage({ type: "pong" });
EOF
@@ -257,7 +257,9 @@
}

// Dispatch to registered handler, or built-in defaults
if (msg.type && handlers[msg.type]) {
if (typeof msg.type === "string" &&
Object.prototype.hasOwnProperty.call(handlers, msg.type) &&
typeof handlers[msg.type] === "function") {
handlers[msg.type](msg);
} else if (msg.type === "ping") {
_sendMessage({ type: "pong" });
Copilot is powered by AI and may make mistakes. Always verify output.
@sonarqubecloud
Copy link

sonarqubecloud bot commented Feb 16, 2026

Quality Gate Failed Quality Gate failed

Failed conditions
D Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

@abose abose merged commit 7a458d7 into main Feb 16, 2026
16 of 22 checks passed
@abose abose deleted the z branch February 16, 2026 12:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@abose