feat: support Chrome multi-profile cookie import #65

Open
Qike-Li wants to merge 2 commits into garrytan:main from Qike-Li:feat/chrome-multi-profile-cookies

Conversation

@Qike-Li Qike-Li commented Mar 15, 2026

Summary

  • cookie-import-browser previously only read from Chrome's Default profile, making it impossible to import cookies when the user's session lives in a different profile (e.g. Profile 3)
  • Adds listProfiles() to discover all Chrome profiles by scanning for directories with a Cookies DB, and reads human-friendly display names from each profile's Preferences file
  • Adds profile selector pills in the cookie picker UI (only shown when multiple profiles exist), a GET /cookie-picker/profiles API endpoint, and --profile CLI flag for direct imports

Test plan

  • Existing tests pass (bun test — 18 + 12 tests, 0 failures)
  • Build succeeds (bun build --compile)
  • Smoke tested: cookie picker correctly shows all Chrome profiles with display names
  • Verified switching profiles loads different domain lists
  • Profile pills hidden when browser has only one profile
  • Manual test: import cookies from a non-Default profile and verify authenticated page loads

🤖 Generated with Claude Code

Max Li and others added 2 commits March 15, 2026 00:01
Previously cookie-import-browser only read from Chrome's Default profile,
making it impossible to import cookies from other profiles (e.g. Profile 3).
This was a common issue for users with multiple Chrome profiles.

Changes:
- Add listProfiles() to discover all Chrome profiles with cookie DBs
- Read profile display names from Chrome's Preferences files
- Add profile selector pills in the cookie picker UI
- Pass profile parameter through domains/import API endpoints
- Add --profile flag to CLI direct import mode

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Adds an "Import All (N)" button in the source panel footer that imports
all visible unimported domains in a single batch request. Respects the
search filter so users can narrow down domains first. Button hides when
all domains are already imported.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@argusdev-bot

Argus Code Review Report

Repository: gstack
Branch/Ref: feat/chrome-multi-profile-cookies
Score: 75/100
Date: 2026-03-15 19:15 UTC
Scope: diff

Summary

Reviewed 4 files. Found 4 issues. 1 observation. 1 high. Score: 75/100.

Findings (4)

[HIGH] Path traversal validation bypass via absolute path check

  • Category: security
  • Location: browse/src/write-commands.ts:240-249

Path validation logic treats absolute and relative paths differently, allowing relative paths without '..' sequences to bypass validation when current working directory is unexpected.

Justification: The validation logic checks absolute paths against safe directories but only checks relative paths for '..' sequences. A relative path like 'etc/passwd' when cwd is '/' would pass validation but read /etc/passwd.

Suggestion: Use path.resolve() on all inputs and validate the resolved path against allowed directories. Remove separate '..' check since path.resolve() normalizes such sequences.


[MEDIUM] Path traversal vulnerability in findInstalledBrowsers() via symlink attack

  • Category: security
  • Location: browse/src/cookie-import-browser.ts:111-127

The function enumerates directories and checks for 'Profile X' names without validating symlinks, allowing an attacker to create malicious symlinks that cause the function to read from arbitrary filesystem locations.

Justification: Lines 120-124 use fs.readdirSync() with directory entries and check e.name.startsWith('Profile ') without verifying entries are not symlinks. An attacker could create a symlink named 'Profile malicious' pointing to sensitive locations.

Suggestion: Add symlink detection using fs.lstatSync() or fs.realpathSync() before checking directory contents. Validate resolved paths stay within the expected Application Support directory tree.


[MEDIUM] Missing input validation for browser profile parameter

  • Category: security
  • Location: browse/src/cookie-picker-routes.ts:93-101

The /cookie-picker/profiles endpoint accepts a browser query parameter without validation, passing it directly to listProfiles() which performs filesystem operations.

Justification: Line 95 extracts browserName from URL query parameters without sanitization. Line 99 passes this untrusted input directly to listProfiles() which performs filesystem operations.

Suggestion: Validate the browserName parameter against a whitelist of known browser names before passing to listProfiles().


[MEDIUM] Unvalidated profile parameter in cookie import endpoint

  • Category: security
  • Location: browse/src/cookie-picker-routes.ts:117-134

The /cookie-picker/import endpoint accepts a profile parameter from the request body without validation, passing it to importCookies() which uses it in filesystem paths.

Justification: Line 126 extracts profile from untrusted JSON body. Line 133 passes it to importCookies() with default value 'Default'. The function uses this profile name to construct file paths.

Suggestion: Validate the profile parameter to ensure it contains only safe characters and doesn't contain path traversal sequences before passing to importCookies().


Observations (1)

  • JSON parsing of untrusted Preferences file without size or depth limits
    • Location: browse/src/cookie-import-browser.ts
    • The listProfiles() function reads and parses JSON from browser Preferences files without validation of file size or JSON structure depth.

Generated by Argus — AI-Powered Code Review
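
The checks suggested in the review above (an allowlist for the browser name, a strict pattern for the profile name, symlink rejection with `fs.lstatSync()`, and containment of the resolved path), combined in one place as an added example; this is not code from the PR or from gstack. The `BROWSER_DIRS` map, the `PROFILE_RE` pattern, the `Cookies` file location, and all function names are assumptions made for illustration.

```javascript
// Added example (not gstack code): validate browser/profile input, then
// confine the resolved profile directory to the browser's data root.
const fs = require("node:fs");
const path = require("node:path");

// Assumed allowlist, directory layout and profile naming; the project may differ.
const BROWSER_DIRS = { chrome: "Google/Chrome", brave: "BraveSoftware/Brave-Browser" };
const PROFILE_RE = /^(Default|Profile [0-9]{1,4})$/;

// True when `child` is `parent` or lies beneath it (both already resolved).
function isInside(parent, child) {
  const rel = path.relative(parent, child);
  return rel === "" || (rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel));
}

// Returns the real path of the profile directory, or throws on bad input.
function resolveProfileDir(appSupportRoot, browser, profile) {
  // hasOwn keeps inherited keys such as "__proto__" out of the allowlist.
  if (!Object.hasOwn(BROWSER_DIRS, browser)) throw new Error("unknown browser");
  if (typeof profile !== "string" || !PROFILE_RE.test(profile)) {
    throw new Error("invalid profile name");
  }
  const browserRoot = fs.realpathSync(path.join(appSupportRoot, BROWSER_DIRS[browser]));
  const candidate = path.join(browserRoot, profile);
  // lstat does not follow links, so a symlinked "Profile N" is caught here.
  const st = fs.lstatSync(candidate);
  if (st.isSymbolicLink() || !st.isDirectory()) throw new Error("profile is not a plain directory");
  // Second layer: the fully resolved path must still sit under the browser root.
  const real = fs.realpathSync(candidate);
  if (!isInside(browserRoot, real)) throw new Error("profile escapes browser root");
  return real;
}

// Lists only entries that pass the same checks and contain a Cookies file.
function listSafeProfiles(appSupportRoot, browser) {
  if (!Object.hasOwn(BROWSER_DIRS, browser)) throw new Error("unknown browser");
  const root = path.join(appSupportRoot, BROWSER_DIRS[browser]);
  return fs.readdirSync(root).filter((name) => {
    try {
      return fs.existsSync(path.join(resolveProfileDir(appSupportRoot, browser, name), "Cookies"));
    } catch {
      return false; // rejected by validation, or unreadable
    }
  }).sort();
}
```

Routing both the listing endpoint and the import endpoint through one resolver means a request-supplied profile name never reaches `path.join()` before it has matched the pattern.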
