Commit Graph

760 Commits

Author SHA1 Message Date
Nariman Jelveh
cb4776cc0e do not append question mark to app URL if there is no query params to append 2024-04-26 15:36:15 -07:00
Eric Dubé
2ee00ca8e6
Revert "fix(security): Prevent email enumeration" (#351) 2024-04-26 18:22:14 -04:00
Nariman Jelveh
a3ec7bb5ad Fix the issue with context submenu not closing parent menu when clicked 2024-04-25 23:14:39 -07:00
Nariman Jelveh
faa72fd97c Update UIWindow.js 2024-04-25 23:10:03 -07:00
Nariman Jelveh
378b87459a Add robust hostname comparison for when declaring an environment as GUI 2024-04-25 17:51:20 -07:00
KernelDeimos
30f17ade3a fix: use primary read in signup 2024-04-25 19:46:39 -04:00
KernelDeimos
ecec8bf75d Use pread for signup page 2024-04-25 19:44:06 -04:00
KernelDeimos
736ebb6f28 Improve server health service 2024-04-25 19:39:18 -04:00
Nariman Jelveh
928dd90f61
Merge pull request #346 from youngsiiimba/main
fix(security): Prevent email enumeration
2024-04-25 14:59:56 -07:00
KernelDeimos
eb166a67a9 fix(security): Fix session revocation 2024-04-25 16:19:46 -04:00
Nariman Jelveh
51a6d1ea1d Allow the <p> tag in UIAlert body 2024-04-25 13:19:03 -07:00
Nariman Jelveh
3cce0e88df Revert "Allow the <p> tag in UIAlert body"
This reverts commit e2dcc813ec.
2024-04-25 13:18:37 -07:00
Nariman Jelveh
e2dcc813ec Allow the <p> tag in UIAlert body 2024-04-25 13:18:28 -07:00
Nariman Jelveh
a572a0a640
Merge pull request #341 from Xiayucheng1212/pass_locale
Pass locale to the iframe url whenever accessing an app
2024-04-25 13:14:16 -07:00
Nariman Jelveh
c4b2d9861f Clean up some of the unnecessary console warnings 2024-04-25 13:11:11 -07:00
Simba Chawanda
ed70314686 fix(security): Prevent email enumeration 2024-04-25 09:27:37 +02:00
Nariman Jelveh
f5f35f2c37 Phase out openItem in IPC
also fix the issue with directories being opened with notepad after setting notepad as default app for files without extensions.
2024-04-24 23:12:57 -07:00
KernelDeimos
ccf1afc93c feat(security): add ip rate limiting 2024-04-24 22:35:40 -04:00
KernelDeimos
7800ef6102 fix(security): skip cache when checking old passwd 2024-04-24 22:28:27 -04:00
Nariman Jelveh
25eea41f60 Keep track of app_instance_ids 2024-04-24 17:57:30 -07:00
Nariman Jelveh
c21c16026b Update ko.js 2024-04-24 14:43:07 -07:00
KernelDeimos
74e9270d58 Fix 2024-04-24 16:16:31 -04:00
KernelDeimos
b2e72adba9 Add ratelimit for /confirm-email 2024-04-24 16:12:09 -04:00
KernelDeimos
1eac147918 Add ratelimit for /contactUs 2024-04-24 16:09:04 -04:00
スーチ・ファトマワティ
3f6f4bb4c0
fix(security): update follow-redirects
When using axios, its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.

## Steps To Reproduce & PoC
```js
const axios = require('axios');

axios.get('http://127.0.0.1:10081/', {
 headers: {
 'AuThorization': 'Rear Test',
 'ProXy-AuthoriZation': 'Rear Test',
 'coOkie': 't=1'
 }
})
 .then((response) => {
 console.log(response);
 })
```
When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.

```diff
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
```
CWE-200
`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`
CVE-2024-28849
2024-04-24 15:23:47 -04:00
Sam Atkins
a8d1d3b87a
docs: Add help text to dcall utility (#335) 2024-04-24 15:21:31 -04:00
Nariman Jelveh
fb3dfc5672 Merge branch 'main' of https://github.com/HeyPuter/puter into main 2024-04-24 12:06:16 -07:00
Nariman Jelveh
cdd0231a76 translation fix 2024-04-24 12:06:05 -07:00
Eric Dubé
e9e43c059a
Merge pull request #342 from brhahlen/docker-ci-improvements
Update Docker CI
2024-04-24 15:04:29 -04:00
Nariman Jelveh
548e975cac remove unused imports, sanitization, and validation of input 2024-04-24 10:05:53 -07:00
Sam Atkins
cf0eee1fa3 feat: Add command names to phoenix tab-completion
Gives CommandProviders a `complete(query, {ctx})` method where they can provide completed command names, and then make use of this in CommandCompleter.

Supported CommandProvider sources:
- Shell built-ins (was supported previously)
- PATH executables (when running under Node)
- Puter app names (when running in Puter)

Script filenames are not yet supported.
2024-04-24 15:08:54 +01:00
Sam Atkins
dc5b010d09 feat: Allow querying puter-apps driver by partial app names 2024-04-24 15:08:54 +01:00
Sam Atkins
a854a0dc0a feat: Implement 'Like' predicate in entity storage
This acts like the SQL 'LIKE' keyword, allowing partial string matches.
2024-04-24 15:08:54 +01:00
Sam Atkins
d733119456 fix: Make PathCommandProvider reject queries with path separators
`../bin/foo` should only find `foo` relative to the current working
directory, not to directories in PATH.

Also switch to using the Node path library since PathCommandProvider is
Node-only, and this means getting the correct path separator and
delimiter values on Windows.
2024-04-24 11:45:21 +01:00
Sam Atkins
670673ab8d Rename FooCompleter js files to match FooCommandProvider file names 2024-04-24 11:19:25 +01:00
Ben Hählen
028b37b9d4 Update Docker CI 2024-04-24 11:29:44 +02:00
Xiayucheng1212
916e1bb95c Add local to url 2024-04-24 16:40:42 +08:00
Nariman Jelveh
c9e8207e4b Clean up the console warninf message 2024-04-23 23:53:15 -07:00
Nariman Jelveh
aef6df048c allow the <strong> tag in UIAlert 2024-04-23 23:06:04 -07:00
Nariman Jelveh
f8b2b18185 Update en.js 2024-04-23 22:49:16 -07:00
Nariman Jelveh
ce411ed728 Perform more advanced input and string sanitization and validation for performance and security 2024-04-23 22:46:33 -07:00
Nariman Jelveh
9859a32e15 Deprecate and remove UIWindowConfirmDownload 2024-04-23 16:35:28 -07:00
Nariman Jelveh
3be7af8fb8 Merge branch 'main' of https://github.com/HeyPuter/puter into main 2024-04-23 16:26:07 -07:00
Nariman Jelveh
5538649125 Update UIAlert.js 2024-04-23 16:25:57 -07:00
Eric Dubé
97ee951b1f
Merge pull request #339 from HeyPuter/eric/rate-limits
Add ip rate limiting to some endpoints
2024-04-23 19:24:17 -04:00
KernelDeimos
44aac16991 Add ip rate limiting 2024-04-23 19:13:37 -04:00
Nariman Jelveh
ab5fee1562 deprecate UIWindowGetCopyLink as it's not supported by the backend 2024-04-23 15:43:55 -07:00
KernelDeimos
65a73b5b45 Rename workspace modules to avoid confusion 2024-04-23 04:06:15 -04:00
KernelDeimos
74e213a534 fix(security): always use application/octet-stream 2024-04-22 23:54:03 -04:00
KernelDeimos
f9d561d40b docs: document purpose of scary-looking token 2024-04-22 23:48:45 -04:00