@shadowfax92
Contributor

  • feat: new extension installer + bundle support
  • feat: support bundle extension download in cli
  • chore: update release yaml to include new bundle_extensions module

@shadowfax92 shadowfax92 merged commit f81120f into main Jan 1, 2026
2 of 3 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Jan 1, 2026

@greptile-apps greptile-apps bot left a comment

15 files reviewed, 3 comments

Comment on lines +44 to +45
+ ManifestLocation::kExternalPref, // CRX location (bundled)
+ ManifestLocation::kExternalPrefDownload, // Download location (remote)
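
Review bot: The two arguments on lines +44 and +45 are adjacent values of the same enum type, so transposing them would still compile and only the trailing comments record which is which. Consider moving each label into a leading argument comment that names the constructor parameter it binds to, so the pairing can be checked against the declaration, and confirm the bundled/remote order against that declaration, which is not visible in this hunk.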

logic: Using both kExternalPref and kExternalPrefDownload as constructor arguments appears incorrect for ExternalProviderImpl. The constructor typically takes creation_flags and install_flags, not two ManifestLocation values. Are you sure the ExternalProviderImpl constructor accepts two ManifestLocation parameters in this order?

Path: packages/browseros/chromium_patches/chrome/browser/extensions/external_provider_impl.cc
Line: 44:45

Comment on lines +133 to +135
+ for (const auto [id, _] : last_config_) {
+ extension_ids_.insert(id);
+ }
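
Review bot: `const auto [id, _]` on line +133 binds by value, so each entry of last_config_ is copied on every iteration; `const auto& [id, _]` avoids that. The body on +134 also inserts every key into extension_ids_ with no check, so if last_config_ is populated from fetched configuration, test each id for well-formedness first (Chromium has crx_file::id_util::IdIsValid for this) and skip and log the ones that fail.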

logic: Extension IDs from remote config are added without validation - potential security risk

Path: packages/browseros/chromium_patches/chrome/browser/browseros/extensions/browseros_extension_maintainer.cc
Line: 133:135

Comment on lines +144 to +145
+ base::FilePath crx_path =
+ bundled_path.Append(base::FilePath::FromUTF8Unsafe(*crx_file));
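
Review bot: On line +145 *crx_file is appended to bundled_path with no check that it is a single file name, so a value containing `..` or a path separator resolves outside the bundle directory. Before the Append, build the FilePath once and reject it unless it equals its own BaseName() and both ReferencesParent() and IsAbsolute() are false. The hunk also does not show where crx_file is tested for presence before the dereference, so confirm that happens above.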

logic: Using `FromUTF8Unsafe` with external input could allow directory traversal attacks. Consider validating that `crx_file` contains only a filename without path separators.

Path: packages/browseros/chromium_patches/chrome/browser/browseros/extensions/browseros_extension_installer.cc
Line: 144:145
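
The filename check suggested in the comment above, written out as an added example; it is not code from this PR or from Chromium. It is standalone C++17 with `std::filesystem` standing in for `base::FilePath`, and `IsBareCrxFileName` and `ResolveBundledCrx` are hypothetical names.

```cpp
// Added illustration: all names are hypothetical, not taken from the PR.
#include <filesystem>
#include <optional>
#include <string>
#include <string_view>

namespace fs = std::filesystem;

// True only for a single path component ending in ".crx".
bool IsBareCrxFileName(std::string_view name) {
  if (name.empty() || name.size() > 255) return false;
  if (name == "." || name == "..") return false;
  for (char c : name) {
    // Reject both separator styles on every host OS: the manifest is
    // external input and may have been written on another platform.
    // ':' covers drive-relative names and NTFS alternate data streams.
    if (c == '/' || c == '\\' || c == ':' || c == '\0') return false;
  }
  constexpr std::string_view kExt = ".crx";
  return name.size() > kExt.size() &&
         name.substr(name.size() - kExt.size()) == kExt;
}

// Joins crx_file onto bundled_dir only after validation, then re-checks
// that the normalized result is a direct child of bundled_dir.
std::optional<fs::path> ResolveBundledCrx(const fs::path& bundled_dir,
                                          std::string_view crx_file) {
  if (!IsBareCrxFileName(crx_file)) return std::nullopt;
  // Appending "" and taking parent_path() drops any trailing separator,
  // so "/opt/bundle" and "/opt/bundle/" compare equal below.
  const fs::path base = (bundled_dir / "").lexically_normal().parent_path();
  const fs::path candidate =
      (base / fs::path(std::string(crx_file))).lexically_normal();
  if (candidate.parent_path() != base) return std::nullopt;  // second check
  return candidate;
}
```

The second check is lexical only; it does not resolve symlinks inside the bundle directory.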
