Commit Graph

794 Commits

Author SHA1 Message Date
Nariman Jelveh
f5f35f2c37 Phase out openItem in IPC
also fix the issue with directories being opened with notepad after setting notepad as default app for files without extensions.
2024-04-24 23:12:57 -07:00
KernelDeimos
ccf1afc93c feat(security): add ip rate limiting 2024-04-24 22:35:40 -04:00
KernelDeimos
7800ef6102 fix(security): skip cache when checking old passwd 2024-04-24 22:28:27 -04:00
Nariman Jelveh
25eea41f60 Keep track of app_instance_ids 2024-04-24 17:57:30 -07:00
Nariman Jelveh
c21c16026b Update ko.js 2024-04-24 14:43:07 -07:00
KernelDeimos
74e9270d58 Fix 2024-04-24 16:16:31 -04:00
KernelDeimos
b2e72adba9 Add ratelimit for /confirm-email 2024-04-24 16:12:09 -04:00
KernelDeimos
1eac147918 Add ratelimit for /contactUs 2024-04-24 16:09:04 -04:00
スーチ・ファトマワティ
3f6f4bb4c0
fix(security): update follow-redirects
When using axios, its dependency follow-redirects only clears the authorization header during a cross-domain redirect, but allows the proxy-authentication header, which contains credentials too.

## Steps To Reproduce & PoC
```js
const axios = require('axios');

// Request to a local endpoint (assumed to answer with a cross-domain redirect);
// header names are deliberately mixed-case to exercise case-insensitive matching.
axios.get('http://127.0.0.1:10081/', {
  headers: {
    'AuThorization': 'Rear Test',
    'ProXy-AuthoriZation': 'Rear Test',
    'coOkie': 't=1'
  }
})
  .then((response) => {
    console.log(response);
  })
  .catch((error) => {
    // Surface connection or HTTP errors instead of an unhandled rejection
    console.error(error.message);
  });
```
When I hit the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but the proxy-authentication header is kept.

```diff
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
```
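Review bot: the description above the hunk calls the header "proxy-authentication", while the regex in the hunk and the PoC both use proxy-authorization; since Proxy-Authorization is what the new pattern `/^(?:authorization|proxy-authorization|cookie)$/i` actually strips, the description should name that header. The hunk also carries no file header or `@@` context, so the commit record does not show which follow-redirects file or version the fix landed in; stating the bumped dependency version in the message would make the change auditable against CVE-2024-28849.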
CWE-200
`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`
CVE-2024-28849
2024-04-24 15:23:47 -04:00
Sam Atkins
a8d1d3b87a
docs: Add help text to dcall utility (#335) 2024-04-24 15:21:31 -04:00
Nariman Jelveh
fb3dfc5672 Merge branch 'main' of https://github.com/HeyPuter/puter into main 2024-04-24 12:06:16 -07:00
Nariman Jelveh
cdd0231a76 translation fix 2024-04-24 12:06:05 -07:00
Eric Dubé
e9e43c059a
Merge pull request #342 from brhahlen/docker-ci-improvements
Update Docker CI
2024-04-24 15:04:29 -04:00
Nariman Jelveh
548e975cac remove unused imports, sanitization, and validation of input 2024-04-24 10:05:53 -07:00
Sam Atkins
cf0eee1fa3 feat: Add command names to phoenix tab-completion
Gives CommandProviders a `complete(query, {ctx})` method where they can provide completed command names, and then make use of this in CommandCompleter.

Supported CommandProvider sources:
- Shell built-ins (was supported previously)
- PATH executables (when running under Node)
- Puter app names (when running in Puter)

Script filenames are not yet supported.
2024-04-24 15:08:54 +01:00
Sam Atkins
dc5b010d09 feat: Allow querying puter-apps driver by partial app names 2024-04-24 15:08:54 +01:00
Sam Atkins
a854a0dc0a feat: Implement 'Like' predicate in entity storage
This acts like the SQL 'LIKE' keyword, allowing partial string matches.
2024-04-24 15:08:54 +01:00
Sam Atkins
d733119456 fix: Make PathCommandProvider reject queries with path separators
`../bin/foo` should only find `foo` relative to the current working
directory, not to directories in PATH.

Also switch to using the Node path library since PathCommandProvider is
Node-only, and this means getting the correct path separator and
delimiter values on Windows.
2024-04-24 11:45:21 +01:00
Sam Atkins
670673ab8d Rename FooCompleter js files to match FooCommandProvider file names 2024-04-24 11:19:25 +01:00
Ben Hählen
028b37b9d4 Update Docker CI 2024-04-24 11:29:44 +02:00
Xiayucheng1212
916e1bb95c Add local to url 2024-04-24 16:40:42 +08:00
Nariman Jelveh
c9e8207e4b Clean up the console warning message 2024-04-23 23:53:15 -07:00
Nariman Jelveh
aef6df048c allow the <strong> tag in UIAlert 2024-04-23 23:06:04 -07:00
Nariman Jelveh
f8b2b18185 Update en.js 2024-04-23 22:49:16 -07:00
Nariman Jelveh
ce411ed728 Perform more advanced input and string sanitization and validation for performance and security 2024-04-23 22:46:33 -07:00
Nariman Jelveh
9859a32e15 Deprecate and remove UIWindowConfirmDownload 2024-04-23 16:35:28 -07:00
Nariman Jelveh
3be7af8fb8 Merge branch 'main' of https://github.com/HeyPuter/puter into main 2024-04-23 16:26:07 -07:00
Nariman Jelveh
5538649125 Update UIAlert.js 2024-04-23 16:25:57 -07:00
Eric Dubé
97ee951b1f
Merge pull request #339 from HeyPuter/eric/rate-limits
Add ip rate limiting to some endpoints
2024-04-23 19:24:17 -04:00
KernelDeimos
44aac16991 Add ip rate limiting 2024-04-23 19:13:37 -04:00
Nariman Jelveh
ab5fee1562 deprecate UIWindowGetCopyLink as it's not supported by the backend 2024-04-23 15:43:55 -07:00
KernelDeimos
65a73b5b45 Rename workspace modules to avoid confusion 2024-04-23 04:06:15 -04:00
KernelDeimos
74e213a534 fix(security): always use application/octet-stream 2024-04-22 23:54:03 -04:00
KernelDeimos
f9d561d40b docs: document purpose of scary-looking token 2024-04-22 23:48:45 -04:00
Nariman Jelveh
5066128c72
Merge pull request #329 from Eric-Lighthall/desktop-bg-revert
feat: add option to change desktop background to default
2024-04-22 20:26:39 -07:00
Eric Dubé
a2de5e3da2
Merge pull request #328 from HeyPuter/release-please--branches--main--components--puter.com
chore(main): release 2.2.0
2024-04-22 22:05:35 -04:00
github-actions[bot]
458f2eae4c
chore(main): release 2.2.0 2024-04-23 02:03:34 +00:00
KernelDeimos
c166560ff4 feat: add /healthcheck endpoint 2024-04-22 22:02:40 -04:00
Eric Lighthall
03f05f316f feat: add option to change desktop background to default
users can now select 'default' as their desktop background
2024-04-22 18:26:15 -07:00
Eric Dubé
331d9e7542
feat: allow apps to add a menubar via puter.js
* Begin work on menubar and dropdowns

* Improve menubar

* Fix pointer event behavior

* Fix labels

* Fix active button

* Eliminate flicker

* Update _default.js

---------

Co-authored-by: Nariman Jelveh <n.jelveh@gmail.com>
2024-04-22 20:38:16 -04:00
Eric Dubé
ec31007c4b
Update main.yml 2024-04-22 19:23:03 -04:00
Eric Dubé
e615c7ee7f
Update main.yml 2024-04-22 19:15:59 -04:00
Eric Dubé
35d4d4f755
Update main.yml 2024-04-22 19:14:21 -04:00
Eric Dubé
195468c4e1
Update main.yml 2024-04-22 19:11:51 -04:00
Eric Dubé
15f274e662
Create main.yml 2024-04-22 19:06:59 -04:00
Eric Dubé
7cb898457c
Merge pull request #323 from HeyPuter/release-please--branches--main--components--puter.com
chore(main): release 2.1.1
2024-04-22 18:50:43 -04:00
github-actions[bot]
aa4050ee32
chore(main): release 2.1.1 2024-04-22 22:42:20 +00:00
KernelDeimos
f392de722a fix: test release-please action #4 2024-04-22 18:40:49 -04:00
Eric Dubé
07d95d5d3c
Update release-please.yml 2024-04-22 18:34:13 -04:00
Eric Dubé
22c61d8221
Update release-please.yml 2024-04-22 18:18:35 -04:00