Commit graph

3 commits

Author SHA1 Message Date
Alessandro
1f2d512226 fix(api): resolve image_get containment bypass (#1609)
Fixes agent0ai/agent-zero#1609.

Issue: "Unauthenticated Path-Containment Bypass in Agent Zero `/api/image_get`"
https://github.com/agent0ai/agent-zero/issues/1609

Resolve the path-containment bypass in /api/image_get by resolving requested images against the Agent Zero base directory before serving them, including symlink-aware validation and the development RFC fallback path.

Harden SVG and SVGZ responses with nosniff and a sandboxed CSP so uploaded SVGs cannot execute scripts in the Agent Zero origin. Add focused regressions for outside paths, symlink escapes, SVG headers, and development-mode remote validation.
2026-05-12 04:15:10 +02:00
keyboardstaff
1160195fb5 fix(api): image_get 500 error for non-ASCII filename uploads
- Fixes 500 error when uploading images with non-ASCII filenames via /api/image_get
- Improves file path handling to support both development and Docker environments
- Adds exception handling to gracefully fall back to Docker path logic if path correction fails
- Ensures robust error handling so path issues do not crash the entire endpoint
2026-03-26 01:19:17 -07:00
frdel
d02dda3667 BIG PYTHON REFACTOR
Python scripts moved out of python/ folder to root to be unified with plugins

+ frontend extension around api calls
2026-03-05 17:28:11 +01:00
Renamed from python/api/image_get.py