github-mirror/project-nomad
1
0
Fork 0
mirror of https://github.com/Crosstalk-Solutions/project-nomad.git synced 2026-03-28 11:39:26 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
db1fe84553
project-nomad/admin/app
History
Chris Sherwood db1fe84553 fix(security): path traversal and SSRF protections from pre-launch audit 
Fixes 4 high-severity findings from a comprehensive security audit:

1. Path traversal on ZIM file delete — resolve()+startsWith() containment
2. Path traversal on Map file delete — same pattern
3. Path traversal on docs read — same pattern (already used in rag_service)
4. SSRF on download endpoints — block private/internal IPs, require TLD

Also adds assertNotPrivateUrl() to content update endpoints.

Full audit report attached as admin/docs/security-audit-v1.md.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-08 22:01:54 -07:00
..
controllers fix(security): path traversal and SSRF protections from pre-launch audit 2026-03-08 22:01:54 -07:00
exceptions fix(Docs): documentation renderer fixes 2025-12-23 16:00:33 -08:00
jobs feat: support for updating services 2026-03-09 04:55:43 +00:00
middleware feat: background job overhaul with bullmq 2025-12-06 23:59:01 -08:00
models feat: support for updating services 2026-03-09 04:55:43 +00:00
services fix(security): path traversal and SSRF protections from pre-launch audit 2026-03-08 22:01:54 -07:00
utils feat: support for updating services 2026-03-09 04:55:43 +00:00
validators fix(security): path traversal and SSRF protections from pre-launch audit 2026-03-08 22:01:54 -07:00