fix: Add deleteSession safety guard and extend file tracking for session#232
Open
skargaklop wants to merge 1 commit into
Open
fix: Add deleteSession safety guard and extend file tracking for session#232skargaklop wants to merge 1 commit into
skargaklop wants to merge 1 commit into
Conversation
rescan The deleteSession function now validates sessionId to prevent accidental directory destruction from empty or traversal values like '.' and '..'. Also tracks individual .jsonl files in project dirs and additional agent databases (Cursor, Opencode, Kilo, Kiro, Qwen) for more accurate rescan detection.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request: Critical Bug Fixes for Session Caching and Safety Guards in
deleteSession()1. Overview
RIP my claude code sessions DB...
This pull request addresses two severe issues discovered in the
codbashsession manager:/api/session/or undefined values resolving to""), a session deletion request recursively deleted the entire project directory along with all other sessions inside it, rather than just the targeted session.2. Source of the Problem & Investigation
Bug A: Directory Deletion in
deleteSession()codbash/src/server.js, the/api/session/:idDELETE endpoint splits the pathname to extract thesessionId:/api/session/),.pop()returns an empty string ("").sessionIdwas passed todeleteSession(sessionId, project)incodbash/src/data.js, resolving the companion directory path as:sessionIdwas"",path.joinresolved this directly toPROJECTS_DIR/projectKey(the entire project directory!).fs.existsSync(sessionDir) && fs.statSync(sessionDir).isDirectory()evaluated totrue, leading to:Bug B: Caching / Refresh Failure on Windows & Other Databases
loadSessions()bypasses re-scans if_sessionsNeedRescan()returnsfalse. However,_sessionsNeedRescan()checked for directory-level modification times (mtimes) underPROJECTS_DIR. On Windows (and most other OS filesystems), appending or writing to an existing file inside a directory does not update its parent directory'smtime. Thus, continued sessions were completely missed.state.vscdb, OpenCode'sopencode.db, Kilo'skilo.db, Kiro'sdata.sqlite3, and Qwen sessions), leaving the cache stalled forever even if these databases were modified.3. The Fixes Applied
Fix A: Safety Guard in
deleteSession()(src/data.js)We introduced a strict validation guard at the top of
deleteSessionto prevent operations on empty, blank, or traversal-sensitive session IDs:Fix B: Fine-Grained File-Level Change & DB Tracking (
src/data.js)_sessionsNeedRescan()and_updateScanMarkers()to track individual.jsonlsession files inside each project folder, checking bothmtimeMsandsizeto immediately invalidate the cache when an existing session is appended to.CURSOR_GLOBAL_DB(state.vscdb) andCURSOR_PROJECTSdirectory.OPENCODE_DBandEXTRA_OPENCODE_DBS.KILO_DBandEXTRA_KILO_DBS.KIRO_DBandEXTRA_KIRO_DBS.listQwenSessionFiles().4. Verification & Testing
We created a new regression-testing suite under
codbash/test/delete-safety.test.jsto assert the behavior of both fixes.Test Coverage:
deleteSessionthrows a validation error for"",null,undefined," ",., and..to prevent directory traversal or parent folder deletions.Running the test suite verified all assertions pass successfully: