fix(security): Apply 3 critical security fixes

- sec-001: Add validateAllowedPath to /api/file endpoint (path traversal)
- sec-002: Enable CSRF by default with CCW_DISABLE_CSRF opt-out
- sec-003: Add validateAllowedPath to /api/dialog/browse and /api/dialog/open-file (path traversal)

Ref: fix-1738072800000
catlog22
2026-01-28 22:04:18 +08:00
parent ed0255b8a2
commit 502c8a09a1
5 changed files with 808 additions and 4 deletions


@@ -113,9 +113,9 @@ export async function csrfValidation(ctx: CsrfMiddlewareContext): Promise<boolea
const { pathname, req, res } = ctx;
if (!pathname.startsWith('/api/')) return true;
// CSRF is disabled by default for local deployment scenarios.
// Set CCW_ENABLE_CSRF=1 to enable CSRF protection.
if (!envFlagEnabled('CCW_ENABLE_CSRF')) return true;
// CSRF is enabled by default for security.
// Set CCW_DISABLE_CSRF=1 to disable CSRF protection for local development.
if (envFlagEnabled('CCW_DISABLE_CSRF')) return true;
const method = (req.method || 'GET').toUpperCase();
if (!['POST', 'PUT', 'PATCH', 'DELETE'].includes(method)) return true;