tiny-forge/internal/api at 0491849f0fde22ff01f6336af280df2bc87f902b - tiny-forge - Gitea

alexei.dolgolyov/tiny-forge

Files

T

History

alexei.dolgolyov 0491849f0f fix(volume-browser): address security review findings

Critical fixes:
- IDOR: verify volume belongs to project before resolving path
- Upload: override global 1MB body limit for upload endpoint (100MB)

High-priority fixes:
- Symlink escape: use filepath.EvalSymlinks in safePath validation
- Remove host filesystem path from browse API response
- Sanitize Content-Disposition filenames, force application/octet-stream
- Strip directory components from upload filenames

2026-04-01 23:17:35 +03:00

..

auth.go

fix: comprehensive security, performance, and quality hardening

2026-03-29 12:49:24 +03:00

config_export.go

feat(docker-watcher): phase 12 - hardening

2026-03-27 23:20:56 +03:00

deploys.go

fix: comprehensive security, performance, and quality hardening

2026-03-29 12:49:24 +03:00

eventlog.go

feat(observability): phase 1 - schema, models & event log backend

2026-03-30 10:59:13 +03:00

health.go

feat: Docker diagnostic hints on disconnection

2026-03-30 14:05:00 +03:00

instances.go

feat(observability): phase 2 - stale container detection

2026-03-30 11:12:25 +03:00

middleware.go

fix: comprehensive security, performance, and quality hardening

2026-03-29 12:49:24 +03:00

projects.go

fix: nil slices return [] not null in all API responses

2026-03-28 14:33:36 +03:00

proxy.go

fix(observability): address final review findings

2026-03-30 11:47:16 +03:00

registries.go

feat: support multiple owners per registry (comma-separated)

2026-03-28 14:15:42 +03:00

response.go

fix: comprehensive security, performance, and quality hardening

2026-03-29 12:49:24 +03:00

router.go

feat(volume-browser): phase 1 - path resolver & file system API

2026-04-01 22:59:02 +03:00

settings.go

feat(observability): phase 1 - schema, models & event log backend

2026-03-30 10:59:13 +03:00

sse.go

feat(observability): phase 1 - schema, models & event log backend

2026-03-30 10:59:13 +03:00

stage_env.go

feat(docker-watcher): phase 13 - volumes & environment

2026-03-27 23:28:59 +03:00

stages.go

feat(docker-watcher): phase 8 - REST API layer

2026-03-27 22:06:57 +03:00

stale.go

fix(observability): address final review findings

2026-03-30 11:47:16 +03:00

static.go

fix: serve SvelteKit _app assets correctly

2026-03-28 13:34:02 +03:00

stats.go

fix(observability): address final review findings

2026-03-30 11:47:16 +03:00

volume_browser.go

fix(volume-browser): address security review findings

2026-04-01 23:17:35 +03:00

volumes.go

fix: address volume scopes review findings

2026-03-31 23:31:27 +03:00