agent-zero

1976 commits 4 branches 72 tags 470 MiB

Author	SHA1	Message	Date
Alessandro	0e3e8a159a	fix(api): block path traversal in download_work_dir_file (CVE-2026-4307) Reject download requests whose resolved path escapes the runtime base directory before file metadata lookup or streaming. This keeps valid in-base absolute paths working in both Docker and development setups while preventing arbitrary file reads via /download_work_dir_file (CVE-2026-4307). Reported by Edward-x (@YLChen-007). Thanks again. Refs: - https://nvd.nist.gov/vuln/detail/CVE-2026-4307 - https://gist.github.com/YLChen-007/1819c843ad26aaaaecdc768a789df022 - https://vuldb.com/vuln/351337/cti	2026-04-12 02:31:24 +02:00
frdel	d02dda3667	BIG PYTHON REFACTOR Python scripts moved out of python/ folder to root to be unified with plugins + frontend extension around api calls	2026-03-05 17:28:11 +01:00

Author

SHA1

Message

Date

Alessandro

0e3e8a159a

fix(api): block path traversal in download_work_dir_file (CVE-2026-4307)

Reject download requests whose resolved path escapes the runtime base
directory before file metadata lookup or streaming.

This keeps valid in-base absolute paths working in both Docker and
development setups while preventing arbitrary file reads via
/download_work_dir_file (CVE-2026-4307).

Reported by Edward-x (@YLChen-007). Thanks again.
Refs:
- https://nvd.nist.gov/vuln/detail/CVE-2026-4307
- https://gist.github.com/YLChen-007/1819c843ad26aaaaecdc768a789df022
- https://vuldb.com/vuln/351337/cti

2026-04-12 02:31:24 +02:00

frdel

d02dda3667

BIG PYTHON REFACTOR

Python scripts moved out of python/ folder to root to be unified with plugins

+ frontend extension around api calls

2026-03-05 17:28:11 +01:00

Renamed from python/api/download_work_dir_file.py (Browse further)

2 commits