project-nomad/admin/app/validators
Chris Sherwood db1fe84553 fix(security): path traversal and SSRF protections from pre-launch audit
Fixes 4 high-severity findings from a comprehensive security audit:

1. Path traversal on ZIM file delete — resolve()+startsWith() containment
2. Path traversal on Map file delete — same pattern
3. Path traversal on docs read — same pattern (already used in rag_service)
4. SSRF on download endpoints — block private/internal IPs, require TLD

Also adds assertNotPrivateUrl() to content update endpoints.

Full audit report attached as admin/docs/security-audit-v1.md.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-08 22:01:54 -07:00
benchmark.ts feat: Add system benchmark feature with NOMAD Score 2026-01-22 21:48:12 -08:00
chat.ts feat: [wip] native AI chat interface 2026-01-31 20:39:49 -08:00
common.ts fix(security): path traversal and SSRF protections from pre-launch audit 2026-03-08 22:01:54 -07:00
curated_collections.ts feat: curated content system overhaul 2026-02-11 15:44:46 -08:00
download.ts feat(Open WebUI): manage models via Command Center 2026-01-19 22:15:52 -08:00
ollama.ts fix(AI): allow force refresh of models list 2026-03-05 22:31:24 +00:00
rag.ts feat(RAG): allow deletion of files from KB 2026-03-04 20:05:14 -08:00
settings.ts feat(AI Assistant): custom name option for AI Assistant 2026-03-04 20:05:14 -08:00
system.ts feat: support for updating services 2026-03-09 04:55:43 +00:00
zim.ts feat: [wip] custom map and zim downloads 2025-12-02 08:25:09 -08:00