mirror of
https://github.com/Crosstalk-Solutions/project-nomad.git
synced 2026-03-29 21:19:25 +02:00
The benchmark submission HMAC signing secret was hardcoded in source code (CWE-798), allowing anyone reading the open-source repository to extract it and forge benchmark submissions to benchmark.projectnomad.us.

- Read BENCHMARK_HMAC_SECRET from env instead of embedding it in code
- Register the variable in the AdonisJS env schema (optional)
- Add a guard in submitToRepository() that rejects submissions when the secret is not configured
- Document the new variable in .env.example

The benchmark server operator must now inject the real secret via the BENCHMARK_HMAC_SECRET environment variable (e.g. in docker-compose or a .env file). The previously committed secret should be rotated server-side.

| | | |
|---|---|---|
| benchmark_service.ts | ||
| chat_service.ts | ||
| collection_manifest_service.ts | ||
| collection_update_service.ts | ||
| container_registry_service.ts | ||
| docker_service.ts | ||
| docs_service.ts | ||
| download_service.ts | ||
| map_service.ts | ||
| ollama_service.ts | ||
| queue_service.ts | ||
| rag_service.ts | ||
| system_service.ts | ||
| system_update_service.ts | ||
| zim_extraction_service.ts | ||
| zim_service.ts | ||