github-mirror/project-nomad
1
0
Fork 0
mirror of https://github.com/Crosstalk-Solutions/project-nomad.git synced 2026-03-28 03:29:25 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
75106a8f61
project-nomad/admin/docs
History
Chris Sherwood 75106a8f61 fix(security): path traversal and SSRF protections from pre-launch audit 
Fixes 4 high-severity findings from a comprehensive security audit:

1. Path traversal on ZIM file delete — resolve()+startsWith() containment
2. Path traversal on Map file delete — same pattern
3. Path traversal on docs read — same pattern (already used in rag_service)
4. SSRF on download endpoints — block private/internal IPs, require TLD

Also adds assertNotPrivateUrl() to content update endpoints.

Full audit report attached as admin/docs/security-audit-v1.md.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-11 14:08:09 -07:00
..
about.md docs: update documentation for recent features and hardware page 2026-03-11 14:08:09 -07:00
faq.md docs: update documentation for recent features and hardware page 2026-03-11 14:08:09 -07:00
getting-started.md docs: update documentation for recent features and hardware page 2026-03-11 14:08:09 -07:00
home.md feat(docs): polish docs rendering with desert-themed components 2026-02-06 14:41:30 -08:00
release-notes.md docs(release): finalize v1.28.0 release notes [skip ci] 2026-03-05 04:08:18 +00:00
security-audit-v1.md fix(security): path traversal and SSRF protections from pre-launch audit 2026-03-11 14:08:09 -07:00
use-cases.md fix(docs): point Wikipedia Selector refs to /settings/zim/remote-explorer 2026-02-06 14:41:30 -08:00