project-nomad/admin/docs
Chris Sherwood c5d4fdd142 fix(security): path traversal and SSRF protections from pre-launch audit
Fixes 4 high-severity findings from a comprehensive security audit:

1. Path traversal on ZIM file delete — resolve()+startsWith() containment
2. Path traversal on Map file delete — same pattern
3. Path traversal on docs read — same pattern (already used in rag_service)
4. SSRF on download endpoints — block private/internal IPs, require TLD

Also adds assertNotPrivateUrl() to content update endpoints.

Full audit report attached as admin/docs/security-audit-v1.md.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-08 21:34:56 -07:00
about.md fix(docs): remove double period after LLC on about page 2026-02-06 14:41:30 -08:00
faq.md fix: update default branch name 2026-03-01 16:08:46 -08:00
getting-started.md fix(GPU): detect NVIDIA GPUs via Docker API instead of lspci 2026-02-08 15:18:52 -08:00
home.md feat(docs): polish docs rendering with desert-themed components 2026-02-06 14:41:30 -08:00
release-notes.md docs(release): finalize v1.28.0 release notes [skip ci] 2026-03-05 04:08:18 +00:00
security-audit-v1.md fix(security): path traversal and SSRF protections from pre-launch audit 2026-03-08 21:34:56 -07:00
use-cases.md fix(docs): point Wikipedia Selector refs to /settings/zim/remote-explorer 2026-02-06 14:41:30 -08:00