From 8fee7a9c997a100614f7f489a44713b294706882 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Fri, 15 May 2026 11:05:29 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=A7=B9=20Remove=20'any'=20type=20usage=20?=
 =?UTF-8?q?in=20EditorController?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/editorController.ts | 2 +-
 src/webviewMessageHandler.ts | 11 ++++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/editorController.ts b/src/editorController.ts
index cd3896e..fea0964 100644
--- a/src/editorController.ts
+++ b/src/editorController.ts
@@ -189,7 +189,7 @@ export class DatabaseViewerProvider extends Disposable implements vsc.CustomRead
 const pendingMap = webviewBridge.__pendingInvocations;
 const messageHandler = new WebviewMessageHandler(
 (msg) => webviewPanel.webview.postMessage(msg),
- document.hostBridge as any,
+ document.hostBridge,
 pendingMap
 );
 webviewPanel.webview.onDidReceiveMessage((message) => messageHandler.handleMessage(message));
diff --git a/src/webviewMessageHandler.ts b/src/webviewMessageHandler.ts
index 6df6e14..bea5ff0 100644
--- a/src/webviewMessageHandler.ts
+++ b/src/webviewMessageHandler.ts
@@ -1,5 +1,6 @@
 import { MessageCorrelationId, PendingInvocation, processProtocolMessage } from './core/rpc';
 import { deserializeArgs, serializeValue } from './core/serialization';
+import type { HostBridge } from './hostBridge';

 interface WebviewRpcInvokeMessage {
 channel: 'rpc';
@@ -44,7 +45,7 @@ const BLOCKED_METHODS = new Set(Object.getOwnPropertyNames(Object.prototype));
 export class WebviewMessageHandler {
 constructor(
 private readonly postMessage: (message: any) => PromiseLike,
- private readonly hostBridge: Record,
+ private readonly hostBridge: HostBridge,
 private readonly pendingInvocations?: Map
 ) {}

@@ -80,8 +81,8 @@ export class WebviewMessageHandler {
 // SECURITY: Block Object.prototype methods to prevent prototype pollution attacks.
 // Allow class prototype methods (e.g., HostBridge.initialize) but reject inherited
 // Object methods like 'constructor', '__defineGetter__', 'toString'.
- if (!BLOCKED_METHODS.has(targetMethod) && typeof hostBridge[targetMethod] === 'function') {
- const fn = hostBridge[targetMethod];
+ if (!BLOCKED_METHODS.has(targetMethod) && targetMethod in hostBridge && typeof (hostBridge as any)[targetMethod] === 'function') {
+ const fn = (hostBridge as any)[targetMethod];
 Promise.resolve(fn.apply(hostBridge, deserializedPayload))
 .then(result => {
 // Serialize result to handle Uint8Array and other typed arrays
@@ -129,8 +130,8 @@ export class WebviewMessageHandler {
 #handleLegacyRpcRequest(message: WebviewLegacyRpcMessage) {
 const hostBridge = this.hostBridge;
 // SECURITY: Same prototype pollution guard as #handleRpcInvoke
- if (BLOCKED_METHODS.has(message.method)) return;
- const fn = hostBridge[message.method];
+ if (BLOCKED_METHODS.has(message.method) || !(message.method in hostBridge)) return;
+ const fn = (hostBridge as any)[message.method];
 if (typeof fn === 'function') {
 Promise.resolve(fn.apply(hostBridge, deserializeArgs(message.args || [])))
 .then(result => {
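Review bot: The added `targetMethod in hostBridge` test in the `@@ -80,8 +81,8 @@` hunk does not narrow what the webview can call: `in` walks the prototype chain, and the `typeof … === 'function'` check already rejected missing properties. Every function-valued property reachable on the HostBridge instance stays dispatchable, including members declared `private`, which TypeScript erases at runtime, while the blocklist only covers names found on `Object.prototype`. An explicit allowlist typed against the class would close that gap and also remove the two `as any` casts this commit introduces, for example `if (typeof targetMethod === 'string' && RPC_METHODS.has(targetMethod)) {`, where `RPC_METHODS` is a placeholder name for a `Set` of the methods meant for the webview (that list is not visible here). The same applies to the `@@ -129,8 +130,8 @@` hunk in `#handleLegacyRpcRequest`; both handler bodies continue outside the hunks.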
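Review bot: `message.method` reaches both the blocklist test and the property lookup in `#handleLegacyRpcRequest` without a runtime type check; the interface types it, but the value arrives from the webview. `Set.prototype.has` compares by identity while `in` and bracket access coerce the key to a string, so the guard and the lookup can disagree for a non-string value. Unless the field is validated before this method is called (not visible in the hunk), extend the early return: `if (typeof message.method !== 'string' || BLOCKED_METHODS.has(message.method) || !(message.method in hostBridge)) return;`. `targetMethod` in the `@@ -80,8 +81,8 @@` hunk deserves the same check.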