github-mirror/project-nomad
1
0
Fork 0
mirror of https://github.com/Crosstalk-Solutions/project-nomad.git synced 2026-03-28 11:39:26 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
c5d4fdd142
project-nomad/admin/app
History
Chris Sherwood c5d4fdd142 fix(security): path traversal and SSRF protections from pre-launch audit 
Fixes 4 high-severity findings from a comprehensive security audit:

1. Path traversal on ZIM file delete — resolve()+startsWith() containment
2. Path traversal on Map file delete — same pattern
3. Path traversal on docs read — same pattern (already used in rag_service)
4. SSRF on download endpoints — block private/internal IPs, require TLD

Also adds assertNotPrivateUrl() to content update endpoints.

Full audit report attached as admin/docs/security-audit-v1.md.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-08 21:34:56 -07:00
..
controllers fix(security): path traversal and SSRF protections from pre-launch audit 2026-03-08 21:34:56 -07:00
exceptions fix(Docs): documentation renderer fixes 2025-12-23 16:00:33 -08:00
jobs feat(RAG): display embedding queue and improve progress tracking 2026-03-04 20:05:14 -08:00
middleware feat: background job overhaul with bullmq 2025-12-06 23:59:01 -08:00
models feat(AI Assistant): custom name option for AI Assistant 2026-03-04 20:05:14 -08:00
services fix(security): path traversal and SSRF protections from pre-launch audit 2026-03-08 21:34:56 -07:00
utils feat: zim content embedding 2026-02-08 13:20:10 -08:00
validators fix(security): path traversal and SSRF protections from pre-launch audit 2026-03-08 21:34:56 -07:00