mirror of
https://github.com/hicccc77/WeFlow.git
synced 2026-04-07 15:08:41 +00:00
62395b275d
1. Path traversal in /api/v1/media/ — use path.resolve() and verify resolved path stays within media base directory 2. DoS via unlimited POST body — add 10MB size limit to parseBody() 3. Default no-auth — reject all requests when httpApiToken is not configured instead of silently allowing everything 4. Overly permissive CORS — restrict Access-Control-Allow-Origin from wildcard (*) to localhost/127.0.0.1 only 5. Timing attack on token comparison — use crypto.timingSafeEqual() instead of === for token verification 6. Unsafe default bind address — revert httpApiHost default from 0.0.0.0 back to 127.0.0.1 to prevent network exposure Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>