github-mirror/project-nomad
1
0
Fork 0
mirror of https://github.com/Crosstalk-Solutions/project-nomad.git synced 2026-03-28 19:49:25 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
329 Commits 15 Branches 55 Tags 16 MiB
a77edcaac3
Commit Graph

9 Commits

Author SHA1 Message Date
Chris Sherwood
75106a8f61 fix(security): path traversal and SSRF protections from pre-launch audit 
Fixes 4 high-severity findings from a comprehensive security audit:

1. Path traversal on ZIM file delete — resolve()+startsWith() containment
2. Path traversal on Map file delete — same pattern
3. Path traversal on docs read — same pattern (already used in rag_service)
4. SSRF on download endpoints — block private/internal IPs, require TLD

Also adds assertNotPrivateUrl() to content update endpoints.

Full audit report attached as admin/docs/security-audit-v1.md.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-11 14:08:09 -07:00
Jake Turner
fa8300b5df fix(Maps): ensure asset urls resolve correctly 2026-02-03 23:34:32 -08:00
Jake Turner
c8de767052 feat(Maps): automatically download base assets if missing 2026-01-27 20:49:56 -08:00
Jake Turner
b6ac6b1e84 feat(Maps): enhance missing assets warnings 2026-01-15 15:54:59 -08:00
Jake Turner
6ac9d147cf feat(Collections): map region collections 2025-12-23 16:00:33 -08:00
Jake Turner
7569aa935d
feat: background job overhaul with bullmq 2025-12-06 23:59:01 -08:00
Jake Turner
dd4e7c2c4f feat: curated zim collections 2025-12-05 15:47:22 -08:00
Jake Turner
606dd3ad0b
feat: [wip] custom map and zim downloads 2025-12-02 08:25:09 -08:00
Jake Turner
12a6f2230d
feat: [wip] new maps system 2025-11-30 22:29:16 -08:00