Commit Graph

840 Commits

Author SHA1 Message Date
Nariman Jelveh
c21c16026b Update ko.js 2024-04-24 14:43:07 -07:00
KernelDeimos
74e9270d58 Fix 2024-04-24 16:16:31 -04:00
KernelDeimos
b2e72adba9 Add ratelimit for /confirm-email 2024-04-24 16:12:09 -04:00
KernelDeimos
1eac147918 Add ratelimit for /contactUs 2024-04-24 16:09:04 -04:00
スーチ・ファトマワティ
3f6f4bb4c0
fix(security): update follow-redirects
When using axios, its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.

## Steps To Reproduce & PoC
```js
const axios = require('axios');

axios.get('http://127.0.0.1:10081/', {
 headers: {
 'AuThorization': 'Rear Test',
 'ProXy-AuthoriZation': 'Rear Test',
 'coOkie': 't=1'
 }
})
 .then((response) => {
 console.log(response);
 })
```
When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.

```diff
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
```
CWE-200
`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`
CVE-2024-28849
2024-04-24 15:23:47 -04:00
Sam Atkins
a8d1d3b87a
docs: Add help text to dcall utility (#335) 2024-04-24 15:21:31 -04:00
Nariman Jelveh
fb3dfc5672 Merge branch 'main' of https://github.com/HeyPuter/puter into main 2024-04-24 12:06:16 -07:00
Nariman Jelveh
cdd0231a76 translation fix 2024-04-24 12:06:05 -07:00
Eric Dubé
e9e43c059a
Merge pull request #342 from brhahlen/docker-ci-improvements
Update Docker CI
2024-04-24 15:04:29 -04:00
Nariman Jelveh
548e975cac remove unused imports, sanitization, and validation of input 2024-04-24 10:05:53 -07:00
Sam Atkins
cf0eee1fa3 feat: Add command names to phoenix tab-completion
Gives CommandProviders a `complete(query, {ctx})` method where they can provide completed command names, and then make use of this in CommandCompleter.

Supported CommandProvider sources:
- Shell built-ins (was supported previously)
- PATH executables (when running under Node)
- Puter app names (when running in Puter)

Script filenames are not yet supported.
2024-04-24 15:08:54 +01:00
Sam Atkins
dc5b010d09 feat: Allow querying puter-apps driver by partial app names 2024-04-24 15:08:54 +01:00
Sam Atkins
a854a0dc0a feat: Implement 'Like' predicate in entity storage
This acts like the SQL 'LIKE' keyword, allowing partial string matches.
2024-04-24 15:08:54 +01:00
Sam Atkins
d733119456 fix: Make PathCommandProvider reject queries with path separators
`../bin/foo` should only find `foo` relative to the current working
directory, not to directories in PATH.

Also switch to using the Node path library since PathCommandProvider is
Node-only, and this means getting the correct path separator and
delimiter values on Windows.
2024-04-24 11:45:21 +01:00
Sam Atkins
670673ab8d Rename FooCompleter js files to match FooCommandProvider file names 2024-04-24 11:19:25 +01:00
Ben Hählen
028b37b9d4 Update Docker CI 2024-04-24 11:29:44 +02:00
Xiayucheng1212
916e1bb95c Add local to url 2024-04-24 16:40:42 +08:00
Nariman Jelveh
c9e8207e4b Clean up the console warninf message 2024-04-23 23:53:15 -07:00
Nariman Jelveh
aef6df048c allow the <strong> tag in UIAlert 2024-04-23 23:06:04 -07:00
Nariman Jelveh
f8b2b18185 Update en.js 2024-04-23 22:49:16 -07:00
Nariman Jelveh
ce411ed728 Perform more advanced input and string sanitization and validation for performance and security 2024-04-23 22:46:33 -07:00
Nariman Jelveh
9859a32e15 Deprecate and remove UIWindowConfirmDownload 2024-04-23 16:35:28 -07:00
Nariman Jelveh
3be7af8fb8 Merge branch 'main' of https://github.com/HeyPuter/puter into main 2024-04-23 16:26:07 -07:00
Nariman Jelveh
5538649125 Update UIAlert.js 2024-04-23 16:25:57 -07:00
Eric Dubé
97ee951b1f
Merge pull request #339 from HeyPuter/eric/rate-limits
Add ip rate limiting to some endpoints
2024-04-23 19:24:17 -04:00
KernelDeimos
44aac16991 Add ip rate limiting 2024-04-23 19:13:37 -04:00
Nariman Jelveh
ab5fee1562 deprecate UIWindowGetCopyLink as it's not supported by the backend 2024-04-23 15:43:55 -07:00
KernelDeimos
65a73b5b45 Rename workspace modules to avoid confusion 2024-04-23 04:06:15 -04:00
KernelDeimos
74e213a534 fix(security): always use application/octet-stream 2024-04-22 23:54:03 -04:00
KernelDeimos
f9d561d40b docs: document purpose of scary-looking token 2024-04-22 23:48:45 -04:00
Nariman Jelveh
5066128c72
Merge pull request #329 from Eric-Lighthall/desktop-bg-revert
feat: add option to change desktop background to default
2024-04-22 20:26:39 -07:00
Eric Dubé
a2de5e3da2
Merge pull request #328 from HeyPuter/release-please--branches--main--components--puter.com
chore(main): release 2.2.0
2024-04-22 22:05:35 -04:00
github-actions[bot]
458f2eae4c
chore(main): release 2.2.0 2024-04-23 02:03:34 +00:00
KernelDeimos
c166560ff4 feat: add /healthcheck endpoint 2024-04-22 22:02:40 -04:00
Eric Lighthall
03f05f316f feat: add option to change desktop background to default
users can now select 'default' as their desktop background
2024-04-22 18:26:15 -07:00
Eric Dubé
331d9e7542
feat: allow apps to add a menubar via puter.js
* Begin work on menubar and dropdowns

* Improve menubar

* Fix pointer event behavior

* Fix labels

* Fix active button

* Eliminate flicker

* Update _default.js

---------

Co-authored-by: Nariman Jelveh <n.jelveh@gmail.com>
2024-04-22 20:38:16 -04:00
Eric Dubé
ec31007c4b
Update main.yml 2024-04-22 19:23:03 -04:00
Eric Dubé
e615c7ee7f
Update main.yml 2024-04-22 19:15:59 -04:00
Eric Dubé
35d4d4f755
Update main.yml 2024-04-22 19:14:21 -04:00
Eric Dubé
195468c4e1
Update main.yml 2024-04-22 19:11:51 -04:00
Eric Dubé
15f274e662
Create main.yml 2024-04-22 19:06:59 -04:00
Eric Dubé
7cb898457c
Merge pull request #323 from HeyPuter/release-please--branches--main--components--puter.com
chore(main): release 2.1.1
2024-04-22 18:50:43 -04:00
github-actions[bot]
aa4050ee32
chore(main): release 2.1.1 2024-04-22 22:42:20 +00:00
KernelDeimos
f392de722a fix: test release-please action #4 2024-04-22 18:40:49 -04:00
Eric Dubé
07d95d5d3c
Update release-please.yml 2024-04-22 18:34:13 -04:00
Eric Dubé
22c61d8221
Update release-please.yml 2024-04-22 18:18:35 -04:00
KernelDeimos
8fb0a66ef2 fix: test release-please action #3 2024-04-22 18:16:08 -04:00
KernelDeimos
d5cd828cba chore: test release-please action #2 2024-04-22 18:12:35 -04:00
KernelDeimos
0119ae36a8 chore: test release-please action #1 2024-04-22 17:51:03 -04:00
Eric Dubé
87852d125f
Only deploy docker image on release branch 2024-04-22 17:47:47 -04:00