fix(volume-browser): address security review findings

Critical fixes: - IDOR: verify volume belongs to project before resolving path - Upload: override global 1MB body limit for upload endpoint (100MB) High-priority fixes: - Symlink escape: use filepath.EvalSymlinks in safePath validation - Remove host filesystem path from browse API response - Sanitize Content-Disposition filenames, force application/octet-stream - Strip directory components from upload filenames
2026-04-01 23:17:35 +03:00
parent aacdd255a9
commit 0491849f0f
4 changed files with 40 additions and 13 deletions
@@ -196,7 +196,6 @@ export interface FileEntry {
 /** Response from the volume browse endpoint. */
 export interface BrowseResult {
 	path: string;
-	root: string;
 	entries: FileEntry[];
 }