project-nomad

github-mirror/project-nomad

Fork 0

mirror of https://github.com/Crosstalk-Solutions/project-nomad.git synced 2026-03-28 11:39:26 +01:00

Commit Graph

Author	SHA1	Message	Date
Chris Sherwood	75106a8f61	fix(security): path traversal and SSRF protections from pre-launch audit Fixes 4 high-severity findings from a comprehensive security audit: 1. Path traversal on ZIM file delete — resolve()+startsWith() containment 2. Path traversal on Map file delete — same pattern 3. Path traversal on docs read — same pattern (already used in rag_service) 4. SSRF on download endpoints — block private/internal IPs, require TLD Also adds assertNotPrivateUrl() to content update endpoints. Full audit report attached as admin/docs/security-audit-v1.md. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 14:08:09 -07:00
Jake Turner	d55ff7b466	feat: curated content update checking	2026-02-11 21:49:46 -08:00
Jake Turner	32d206cfd7	feat: curated content system overhaul	2026-02-11 15:44:46 -08:00

Author

SHA1

Message

Date

Chris Sherwood

75106a8f61

fix(security): path traversal and SSRF protections from pre-launch audit

Fixes 4 high-severity findings from a comprehensive security audit:

1. Path traversal on ZIM file delete — resolve()+startsWith() containment
2. Path traversal on Map file delete — same pattern
3. Path traversal on docs read — same pattern (already used in rag_service)
4. SSRF on download endpoints — block private/internal IPs, require TLD

Also adds assertNotPrivateUrl() to content update endpoints.

Full audit report attached as admin/docs/security-audit-v1.md.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-11 14:08:09 -07:00

Jake Turner

d55ff7b466

feat: curated content update checking

2026-02-11 21:49:46 -08:00

Jake Turner

32d206cfd7

feat: curated content system overhaul

2026-02-11 15:44:46 -08:00

3 Commits