auto-rebaser

OWASP Review — Auto Rebaser v2.0.0

Date: 2026-05-14 Reviewer: /owasp (Claude Opus 4.7) Scope: Entire src/ tree, manifest.json, .github/workflows/ Mode: Review (no exploitation, read-only)

Threat model summary

Auto Rebaser is a browser-only MV3 extension. Trust boundaries:

  1. GitHub ↔ extension — TLS to api.github.com / configured GHES. Holds an OAuth user-to-server token (GitHub App device flow, with refresh) or a legacy PAT in chrome.storage.local.
  2. Popup ↔ background SWchrome.runtime message channel.
  3. Settings ↔ network — user-provided enterpriseHost becomes a fetch origin and an Authorization-header recipient.
  4. Browser process ↔ diskchrome.storage.local is unencrypted at rest.

No content scripts, no LLM calls, no server-side component, no third-party JS at runtime (React + bundled). No eval, innerHTML, or dangerouslySetInnerHTML found.

Tool pass

Skipped — Semgrep/gitleaks/trivy not installed locally; will be addressed by SEC-8 below.

Findings (severity-ordered)

SEC-1 — Missing sender validation on chrome.runtime.onMessageMedium

SEC-2 — enterpriseHost interpolation lacks defense-in-depth — Medium

SEC-3 — Add basic supply-chain & secret scanning to CI — Medium

SEC-4 — No explicit Content Security Policy in manifest — Low

SEC-5 — Access tokens stored in chrome.storage.local (unencrypted at rest) — Low

SEC-6 — Authorization header sent before any host allowlist re-check — Low

SEC-7 — No automated PR-time security gate — Low

SEC-8 — Document storage-tamper threat in PRIVACY.md / README — Info

Confirmed-clean (no action)

Backlog stories

Added to docs/superpowers/BACKLOG.md §5 — see SEC-1 through SEC-8.