|
|
a8af857cd3
|
security: fix vulnerabilities and harden code (2026-03-12)
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is failing
Path traversal fixes:
- DeleteFile.js: use path.resolve() + symlink protection (CRITICAL)
- DeleteFileFolder.js: add path.resolve() validation + symlink check (CRITICAL)
- RenameFile.js: use path.resolve() with proper prefix check + symlink guard (HIGH)
- attachments.js: add baseDir validation + skip symlinks in recursive search (MEDIUM)
XSS fixes:
- dashboard.js: escape user input in onerror/onclick inline attributes (HIGH)
- paramadminsettingsetup.script.js: escape values in innerHTML template (MEDIUM)
Input validation:
- inputValidationMiddleware.js: block suspicious requests instead of logging only (MEDIUM)
Version bump: 1.2.2-beta → 1.2.3-beta
|
2026-03-12 20:18:28 +01:00 |
|
