Commit graph

2 commits

Author: Luis Novo
SHA1: 70a466a640
Message: fix: prevent RCE via SSTI, path traversal file write, and LFI file read
  - Bump ai-prompter to >=0.4.0 which uses Jinja2 SandboxedEnvironment,
    preventing arbitrary code execution via user-provided transformation prompts
  - Sanitize uploaded filenames with os.path.basename() and validate resolved
    path stays within upload directory to prevent path traversal
  - Validate file_path in source creation is within UPLOADS_FOLDER to prevent
    arbitrary file read via Local File Inclusion
Date: 2026-04-09 11:58:16 -03:00

Author: Luis Novo
SHA1: bcec7e89ef
Message: refactor: move tests from test_bug_fixes.py to proper test modules
  - Title preservation tests → test_graphs.py (TestSaveSourceTitlePreservation)
  - Source asset persistence tests → test_sources_api.py (new file)
  - Credential cascade delete tests → test_credentials_api.py (new file)
  - Delete test_bug_fixes.py
Date: 2026-04-06 07:45:49 -03:00