Issue #2: Unprotected Chat Summary Trigger (CRITICAL) - Add authentication and admin authorization to /trigger endpoint - Add path validation to prevent directory traversal - Block access to system directories (/etc, /root, /sys, /proc, /boot) - Add tests for unauthorized access and invalid paths Issue #3: Exception Information Disclosure (HIGH) - Replace raw exception messages with generic errors - Log full exception details server-side with logger.exception() - Affected files: auth.py, files.py, passkey.py, opc_agents.py - Prevents information leakage about system architecture Security Impact: - Prevents unauthenticated file system writes - Reduces reconnaissance opportunities for attackers - Maintains security while preserving debugging capability Tests: 214 passing, all security tests verified
This commit is contained in:
@@ -2,6 +2,8 @@
|
||||
OPC Agents Router
|
||||
"""
|
||||
|
||||
import logging
|
||||
|
||||
from fastapi import APIRouter, Depends, HTTPException, Request
|
||||
from pydantic import BaseModel
|
||||
|
||||
@@ -9,6 +11,7 @@ from db import opc_db
|
||||
from rbac import User, require_admin
|
||||
|
||||
router = APIRouter()
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class AgentUpdate(BaseModel):
|
||||
@@ -65,7 +68,8 @@ async def update_agent(
|
||||
)
|
||||
return agent
|
||||
except ValueError as e:
|
||||
raise HTTPException(status_code=404, detail=str(e))
|
||||
logger.exception("Failed to update agent %s", agent_id)
|
||||
raise HTTPException(status_code=404, detail="Agent not found")
|
||||
|
||||
|
||||
@router.post("/agents/{agent_id}/execute")
|
||||
@@ -121,4 +125,5 @@ async def approve_execution(
|
||||
)
|
||||
return execution
|
||||
except ValueError as e:
|
||||
raise HTTPException(status_code=404, detail=str(e))
|
||||
logger.exception("Failed to approve agent execution %s", execution_id)
|
||||
raise HTTPException(status_code=404, detail="Execution not found")
|
||||
|
||||
Reference in New Issue
Block a user