Commit Graph

175 Commits

Author SHA1 Message Date
KernelDeimos
8e6ee9ea79 Fix oversight in token compression 2024-04-29 22:48:10 -04:00
KernelDeimos
e7e7363fa7 Drop useless header 2024-04-29 22:34:19 -04:00
KernelDeimos
5a76bad28d fix: reduce token lengths 2024-04-29 21:46:02 -04:00
KernelDeimos
c1e4eeec32 Add TokenService and test utility 2024-04-29 21:11:31 -04:00
KernelDeimos
04432df554 feat: improve password recovery experience 2024-04-29 19:26:29 -04:00
KernelDeimos
c44028f413 refactor: normalize email calls 2024-04-29 17:34:24 -04:00
Nariman Jelveh
42d85abfc2 Update WebServerService.js 2024-04-27 19:10:10 -07:00
Nariman Jelveh
fd4e2f59dc Update WebServerService.js 2024-04-27 19:03:48 -07:00
Nariman Jelveh
053728a03f Validate the Host header before responding to requests 2024-04-27 18:52:01 -07:00
KernelDeimos
d7d6ff0cca Rate limit updates 2024-04-26 21:02:01 -04:00
KernelDeimos
79d6f64451 Notify old email when email change is initiated 2024-04-26 21:02:01 -04:00
Eric Dubé
2ee00ca8e6
Revert "fix(security): Prevent email enumeration" (#351) 2024-04-26 18:22:14 -04:00
Nariman Jelveh
378b87459a Add robust hostname comparison when declaring an environment as GUI 2024-04-25 17:51:20 -07:00
KernelDeimos
ecec8bf75d Use pread for signup page 2024-04-25 19:44:06 -04:00
KernelDeimos
736ebb6f28 Improve server health service 2024-04-25 19:39:18 -04:00
Nariman Jelveh
928dd90f61
Merge pull request #346 from youngsiiimba/main
fix(security): Prevent email enumeration
2024-04-25 14:59:56 -07:00
KernelDeimos
eb166a67a9 fix(security): Fix session revocation 2024-04-25 16:19:46 -04:00
Nariman Jelveh
c4b2d9861f Clean up some of the unnecessary console warnings 2024-04-25 13:11:11 -07:00
Simba Chawanda
ed70314686 fix(security): Prevent email enumeration 2024-04-25 09:27:37 +02:00
KernelDeimos
7800ef6102 fix(security): skip cache when checking old passwd 2024-04-24 22:28:27 -04:00
Nariman Jelveh
25eea41f60 Keep track of app_instance_ids 2024-04-24 17:57:30 -07:00
KernelDeimos
74e9270d58 Fix 2024-04-24 16:16:31 -04:00
KernelDeimos
b2e72adba9 Add ratelimit for /confirm-email 2024-04-24 16:12:09 -04:00
KernelDeimos
1eac147918 Add ratelimit for /contactUs 2024-04-24 16:09:04 -04:00
スーチ・ファトマワティ
3f6f4bb4c0
fix(security): update follow-redirects
When using axios, its dependency follow-redirects only clears the authorization header during a cross-domain redirect, but allows the proxy-authentication header, which contains credentials too.

## Steps To Reproduce & PoC
```js
const axios = require('axios');

// Mixed-case header names: follow-redirects matches header names case-insensitively.
axios.get('http://127.0.0.1:10081/', {
  headers: {
    'AuThorization': 'Rear Test',
    'ProXy-AuthoriZation': 'Rear Test',
    'coOkie': 't=1'
  }
})
  .then((response) => {
    console.log(response);
  });
```
When I encounter the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but the proxy-authentication header is kept.

```diff
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
```
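Review bot: the commit title says follow-redirects is updated, but the message never states which follow-redirects version is being pinned, so a reader of the history cannot confirm that the lockfile now carries this regex change; name the fixed version next to CVE-2024-28849. The diff shown is the upstream follow-redirects change rather than a file in this repository, which is worth saying explicitly. On the hunk itself, the `i` flag already makes the match case-insensitive, so the mixed-case `ProXy-AuthoriZation` header from the PoC is stripped without any extra handling.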
CWE-200
`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`
CVE-2024-28849
2024-04-24 15:23:47 -04:00
Sam Atkins
a8d1d3b87a
docs: Add help text to dcall utility (#335) 2024-04-24 15:21:31 -04:00
Nariman Jelveh
cdd0231a76 translation fix 2024-04-24 12:06:05 -07:00
Nariman Jelveh
c9e8207e4b Clean up the console warning message 2024-04-23 23:53:15 -07:00
KernelDeimos
44aac16991 Add ip rate limiting 2024-04-23 19:13:37 -04:00
KernelDeimos
65a73b5b45 Rename workspace modules to avoid confusion 2024-04-23 04:06:15 -04:00
KernelDeimos
74e213a534 fix(security): always use application/octet-stream 2024-04-22 23:54:03 -04:00
KernelDeimos
f9d561d40b docs: document purpose of scary-looking token 2024-04-22 23:48:45 -04:00
KernelDeimos
c166560ff4 feat: add /healthcheck endpoint 2024-04-22 22:02:40 -04:00
Eric Dubé
331d9e7542
feat: allow apps to add a menubar via puter.js
* Begin work on menubar and dropdowns

* Improve menubar

* Fix pointer event behavior

* Fix labels

* Fix active button

* Eliminate flicker

* Update _default.js

---------

Co-authored-by: Nariman Jelveh <n.jelveh@gmail.com>
2024-04-22 20:38:16 -04:00
Nariman Jelveh
3cba4cab1e Disable iframing of the main domain using meta tags as well 2024-04-22 14:14:20 -07:00
Nariman Jelveh
ef35a04c4a Disable iframing of the main domain 2024-04-22 14:09:32 -07:00
KernelDeimos
eee5c9e48b Cleanup 2024-04-22 16:29:12 -04:00
KernelDeimos
2f5780d1d1 Cleanup 2024-04-22 16:28:22 -04:00
KernelDeimos
a741bd5419 Make errors in /batch more preemptive 2024-04-22 04:35:01 -04:00
KernelDeimos
4d2d4a7ca3 Fix 86888h53w 2024-04-21 22:06:36 -04:00
KernelDeimos
5c1e6ab16b Fix false-positive password recovery response 2024-04-21 18:28:58 -04:00
KernelDeimos
b2f5cc11b5 Fix dbrr reference 2024-04-21 17:10:18 -04:00
Eric Dubé
dc2a620b4e
Merge pull request #304 from HeyPuter/eric/stdio-bridge/2
stdio-bridge 2
2024-04-20 19:29:15 -04:00
KernelDeimos
58b83c27f2 Remove large log 2024-04-20 07:23:32 -04:00
KernelDeimos
27553ef926 Cleanup 2024-04-19 23:35:56 -04:00
KernelDeimos
3f249fcc89 Fix pipes 2024-04-19 23:31:23 -04:00
KernelDeimos
c3654ab148 Add more streaming fixes 2024-04-19 23:24:32 -04:00
KernelDeimos
0e9e8d41d9 Fix authorizer not defined 2024-04-19 17:12:15 -04:00
Sam Atkins
2f49c1c9b0 Remove a whole load of noisy log messages
These can be added back if and when we need them, but right now, it's
hard to follow console output with all this chatter. 😅
2024-04-19 17:29:26 +01:00
Sam Atkins
072dbe8db5 Make BetterReader buffer and cancel, to fix stdin data loss
BetterReader.read_with_cancel() returns both the read promise, and a
function that can be used to cancel the read. A cancelled read is
placed back into the BetterReader's chunk buffer, to be consumed by the
next user that requests a read.

This is used by Coupler so that when the coupler is closed, its pending
read() call does not consume the next batch of input.

This fixes the problem we were having with child applications consuming
one chunk of stdin after they are closed, meaning the first key you
press after an app exits would disappear.

Co-authored-by: KernelDeimos <eric.alex.dube@gmail.com>
2024-04-19 15:52:59 +01:00