Issue #2: Unprotected Chat Summary Trigger (CRITICAL) - Add authentication and admin authorization to /trigger endpoint - Add path validation to prevent directory traversal - Block access to system directories (/etc, /root, /sys, /proc, /boot) - Add tests for unauthorized access and invalid paths Issue #3: Exception Information Disclosure (HIGH) - Replace raw exception messages with generic errors - Log full exception details server-side with logger.exception() - Affected files: auth.py, files.py, passkey.py, opc_agents.py - Prevents information leakage about system architecture Security Impact: - Prevents unauthenticated file system writes - Reduces reconnaissance opportunities for attackers - Maintains security while preserving debugging capability Tests: 214 passing, all security tests verified
This commit is contained in:
@@ -283,9 +283,8 @@ async def save_preferences(request: Request, current_user=Depends(auth.get_curre
|
||||
except HTTPException:
|
||||
raise
|
||||
except Exception as e:
|
||||
print(f"Error saving preferences: {e}")
|
||||
traceback.print_exc()
|
||||
raise HTTPException(status_code=500, detail=str(e))
|
||||
logger.exception("Error saving preferences for user %s", current_user.username)
|
||||
raise HTTPException(status_code=500, detail="Failed to save preferences")
|
||||
|
||||
|
||||
@router.delete("/rbac/overrides/{username}")
|
||||
|
||||
Reference in New Issue
Block a user