Nariman Jelveh
c21c16026b
Update ko.js
2024-04-24 14:43:07 -07:00
KernelDeimos
74e9270d58
Fix
2024-04-24 16:16:31 -04:00
KernelDeimos
b2e72adba9
Add ratelimit for /confirm-email
2024-04-24 16:12:09 -04:00
KernelDeimos
1eac147918
Add ratelimit for /contactUs
2024-04-24 16:09:04 -04:00
スーチ・ファトマワティ
3f6f4bb4c0
fix(security): update follow-redirects
...
When using axios, its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.
## Steps To Reproduce & PoC
```js
const axios = require('axios');

// Send credential-bearing headers to a local server that answers with a cross-domain redirect
axios.get('http://127.0.0.1:10081/', {
  headers: {
    'AuThorization': 'Rear Test',
    'ProXy-AuthoriZation': 'Rear Test',
    'coOkie': 't=1'
  }
})
  .then((response) => {
    console.log(response);
  });
```
When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.
```diff
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
```
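Review bot: the pattern on the `+` line strips `proxy-authorization`, which is also the header the PoC sends, but the description around the hunk names it "proxy-authentication" both times; align the commit text with the header the regex actually matches so a search for the header name finds this fix. The hunk also comes with no test; a case asserting that `Proxy-Authorization` is gone after a cross-domain redirect, next to the `authorization` and `cookie` cases the old pattern already covered, would keep the alternation from regressing.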
CWE-200
`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`
CVE-2024-28849
2024-04-24 15:23:47 -04:00
Sam Atkins
a8d1d3b87a
docs: Add help text to dcall utility (#335)
2024-04-24 15:21:31 -04:00
Nariman Jelveh
fb3dfc5672
Merge branch 'main' of https://github.com/HeyPuter/puter into main
2024-04-24 12:06:16 -07:00
Nariman Jelveh
cdd0231a76
translation fix
2024-04-24 12:06:05 -07:00
Eric Dubé
e9e43c059a
Merge pull request #342 from brhahlen/docker-ci-improvements
...
Update Docker CI
2024-04-24 15:04:29 -04:00
Nariman Jelveh
548e975cac
remove unused imports, sanitization, and validation of input
2024-04-24 10:05:53 -07:00
Sam Atkins
cf0eee1fa3
feat: Add command names to phoenix tab-completion
...
Gives CommandProviders a `complete(query, {ctx})` method where they can provide completed command names, and then make use of this in CommandCompleter.
Supported CommandProvider sources:
- Shell built-ins (was supported previously)
- PATH executables (when running under Node)
- Puter app names (when running in Puter)
Script filenames are not yet supported.
2024-04-24 15:08:54 +01:00
Sam Atkins
dc5b010d09
feat: Allow querying puter-apps driver by partial app names
2024-04-24 15:08:54 +01:00
Sam Atkins
a854a0dc0a
feat: Implement 'Like' predicate in entity storage
...
This acts like the SQL 'LIKE' keyword, allowing partial string matches.
2024-04-24 15:08:54 +01:00
Sam Atkins
d733119456
fix: Make PathCommandProvider reject queries with path separators
...
`../bin/foo` should only find `foo` relative to the current working
directory, not to directories in PATH.
Also switch to using the Node path library since PathCommandProvider is
Node-only, and this means getting the correct path separator and
delimiter values on Windows.
2024-04-24 11:45:21 +01:00
Sam Atkins
670673ab8d
Rename FooCompleter js files to match FooCommandProvider file names
2024-04-24 11:19:25 +01:00
Ben Hählen
028b37b9d4
Update Docker CI
2024-04-24 11:29:44 +02:00
Xiayucheng1212
916e1bb95c
Add local to url
2024-04-24 16:40:42 +08:00
Nariman Jelveh
c9e8207e4b
Clean up the console warning message
2024-04-23 23:53:15 -07:00
Nariman Jelveh
aef6df048c
allow the <strong> tag in UIAlert
2024-04-23 23:06:04 -07:00
Nariman Jelveh
f8b2b18185
Update en.js
2024-04-23 22:49:16 -07:00
Nariman Jelveh
ce411ed728
Perform more advanced input and string sanitization and validation for performance and security
2024-04-23 22:46:33 -07:00
Nariman Jelveh
9859a32e15
Deprecate and remove UIWindowConfirmDownload
2024-04-23 16:35:28 -07:00
Nariman Jelveh
3be7af8fb8
Merge branch 'main' of https://github.com/HeyPuter/puter into main
2024-04-23 16:26:07 -07:00
Nariman Jelveh
5538649125
Update UIAlert.js
2024-04-23 16:25:57 -07:00
Eric Dubé
97ee951b1f
Merge pull request #339 from HeyPuter/eric/rate-limits
...
Add ip rate limiting to some endpoints
2024-04-23 19:24:17 -04:00
KernelDeimos
44aac16991
Add ip rate limiting
2024-04-23 19:13:37 -04:00
Nariman Jelveh
ab5fee1562
deprecate UIWindowGetCopyLink as it's not supported by the backend
2024-04-23 15:43:55 -07:00
KernelDeimos
65a73b5b45
Rename workspace modules to avoid confusion
2024-04-23 04:06:15 -04:00
KernelDeimos
74e213a534
fix(security): always use application/octet-stream
2024-04-22 23:54:03 -04:00
KernelDeimos
f9d561d40b
docs: document purpose of scary-looking token
2024-04-22 23:48:45 -04:00
Nariman Jelveh
5066128c72
Merge pull request #329 from Eric-Lighthall/desktop-bg-revert
...
feat: add option to change desktop background to default
2024-04-22 20:26:39 -07:00
Eric Dubé
a2de5e3da2
Merge pull request #328 from HeyPuter/release-please--branches--main--components--puter.com
...
chore(main): release 2.2.0
2024-04-22 22:05:35 -04:00
github-actions[bot]
458f2eae4c
chore(main): release 2.2.0
2024-04-23 02:03:34 +00:00
KernelDeimos
c166560ff4
feat: add /healthcheck endpoint
2024-04-22 22:02:40 -04:00
Eric Lighthall
03f05f316f
feat: add option to change desktop background to default
...
users can now select 'default' as their desktop background
2024-04-22 18:26:15 -07:00
Eric Dubé
331d9e7542
feat: allow apps to add a menubar via puter.js
...
* Begin work on menubar and dropdowns
* Improve menubar
* Fix pointer event behavior
* Fix labels
* Fix active button
* Eliminate flicker
* Update _default.js
---------
Co-authored-by: Nariman Jelveh <n.jelveh@gmail.com>
2024-04-22 20:38:16 -04:00
Eric Dubé
ec31007c4b
Update main.yml
2024-04-22 19:23:03 -04:00
Eric Dubé
e615c7ee7f
Update main.yml
2024-04-22 19:15:59 -04:00
Eric Dubé
35d4d4f755
Update main.yml
2024-04-22 19:14:21 -04:00
Eric Dubé
195468c4e1
Update main.yml
2024-04-22 19:11:51 -04:00
Eric Dubé
15f274e662
Create main.yml
2024-04-22 19:06:59 -04:00
Eric Dubé
7cb898457c
Merge pull request #323 from HeyPuter/release-please--branches--main--components--puter.com
...
chore(main): release 2.1.1
2024-04-22 18:50:43 -04:00
github-actions[bot]
aa4050ee32
chore(main): release 2.1.1
2024-04-22 22:42:20 +00:00
KernelDeimos
f392de722a
fix: test release-please action #4
2024-04-22 18:40:49 -04:00
Eric Dubé
07d95d5d3c
Update release-please.yml
2024-04-22 18:34:13 -04:00
Eric Dubé
22c61d8221
Update release-please.yml
2024-04-22 18:18:35 -04:00
KernelDeimos
8fb0a66ef2
fix: test release-please action #3
2024-04-22 18:16:08 -04:00
KernelDeimos
d5cd828cba
chore: test release-please action #2
2024-04-22 18:12:35 -04:00
KernelDeimos
0119ae36a8
chore: test release-please action #1
2024-04-22 17:51:03 -04:00
Eric Dubé
87852d125f
Only deploy docker image on release branch
2024-04-22 17:47:47 -04:00