unclecode | 7976b45817 | fix(security): patch 4 vulns - file write, SSRF, monitor auth, XSS
Fixes for 4 vulnerabilities reported by Jeongbean Jeon (2026-04-13):
1. Arbitrary File Write (CVSS 9.1): /screenshot and /pdf output_path
now validated via validate_output_path() restricting writes to
CRAWL4AI_OUTPUT_DIR. Pydantic validator rejects '..' at schema level.
2. SSRF via Webhook (CVSS 8.6): validate_webhook_url() blocks private
IPs (RFC 1918, loopback, link-local, cloud metadata), dangerous
hostnames (localhost, metadata.google.internal, host.docker.internal).
Validated at job submission + send time. follow_redirects=False set.
3. Monitor Auth Bypass (CVSS 6.5): monitor_router now mounted with
dependencies=[Depends(token_dep)]. WebSocket /ws endpoint checks
CRAWL4AI_API_TOKEN from query params.
4. Stored XSS (CVSS 6.1): Server-side html.escape() on URLs and errors
in monitor.py. Client-side escapeHtml() wrapping all innerHTML
template injections in index.html (active/completed/error lists +
WebSocket updates).
33 adversarial security tests added.
DO NOT PUSH until release day. Merge to develop + tag + advisory together.
2026-04-13 11:29:54 +00:00