5 Commits

Author	SHA1	Message	Date
dinawo	a8af857cd3	security: fix vulnerabilities and harden code (2026-03-12) ... Path traversal fixes: - DeleteFile.js: use path.resolve() + symlink protection (CRITICAL) - DeleteFileFolder.js: add path.resolve() validation + symlink check (CRITICAL) - RenameFile.js: use path.resolve() with proper prefix check + symlink guard (HIGH) - attachments.js: add baseDir validation + skip symlinks in recursive search (MEDIUM) XSS fixes: - dashboard.js: escape user input in onerror/onclick inline attributes (HIGH) - paramadminsettingsetup.script.js: escape values in innerHTML template (MEDIUM) Input validation: - inputValidationMiddleware.js: block suspicious requests instead of logging only (MEDIUM) Version bump: 1.2.2-beta → 1.2.3-beta	2026-03-12 20:18:28 +01:00
dinawo	76dc23c861	security: fix vulnerabilities and update security hardening (2026-03-12) ... Code security fixes: - Fixed 3 critical auth bypass bugs (user.jso, typo → user.json) in RenameFile, NewFolder, DeleteFolder API routes - Added URL validation (HTTP/HTTPS only) on ProfilPicture and BackgroundCustom endpoints to prevent stored XSS/CSS injection - Added path traversal protection in Upload.js (resolved path boundary check) - Removed unsafe-eval from CSP script-src directive - Removed information disclosure in BuildMetaData error responses - Removed unused child_process import in BuildMetaData.js Version bump: 1.2.1-beta → 1.2.2-beta	2026-03-12 17:16:16 +01:00
Dinawo	aaff0ed4ea	Urgent correction of version v1.0.0-beta.14 due to crash issues when acting on the CDN. ... We would like to apologize for the inconvenience caused and we would like to thank you for the quick report.	2024-07-12 18:07:19 +02:00
Dinawo	ce8f1bbbac	Update v1.0.0-beta.13 ... Several modifications made to the API and several bug fixes	2024-06-02 18:13:28 +02:00
Dinawo	4e2e085a63	Update routes and file paths, fix authentication and security issues	2024-04-13 22:17:54 +02:00