Release v1.4.2 with security fixes #16

Merged
Skyfay merged 6 commits into main from dev
Apr 2, 2026

@Skyfay Skyfay commented Apr 2, 2026

No description provided.

Skyfay added 5 commits April 2, 2026 16:00
Update project and docs to v1.4.2: bump version in package.json and wiki/package.json, update API spec versions in api-docs/openapi.yaml and public/openapi.yaml, and add a v1.4.2 entry to wiki/changelog.md (release in progress) including Docker image tags and supported platforms.
Set explicit `permissions: contents: read` on sync-gitlab.yml and validate.yml to restrict GITHUB_TOKEN privileges. Replace regex-based folderPath trimming in OneDrive route with iterative string trimming to avoid a potential polynomial ReDoS (sanitize user input without regex). Update changelog to document the security fix and CI permission change.
Fix Google Drive query building to escape backslashes before single quotes to prevent query injection. Update ApiKeyService to use HMAC-SHA256 for key hashing, add legacy SHA-256 lookup and automatic migration of existing keys, and log migrations. Adjust unit test helpers to properly escape regex metacharacters when converting globs to regex. Update changelog entries to reflect these fixes.
Block access to sensitive system paths in the filesystem API (deny requests under /proc, /sys, /dev, /etc/shadow with 403). Add Zip Slip protections to TAR extraction routines (use path.basename for entries and validate output path startsWith the extraction dir) in common tar-utils and the MSSQL restore flow. Remove environment-derived certificate directory from TLS warning to avoid logging sensitive directory info. Update changelog to reflect these security hardenings.
Replace explicit certsDir path in TLS/server console messages with a generic "configured CERTS_DIR" to avoid leaking filesystem paths. Update wiki/changelog.md for v1.4.2: mark the release date (April 2, 2026), emphasize security fixes, adjust emojis/headers, and clarify Docker section.
Replace HMAC-SHA256 hashing with scrypt for API key storage (N=16384, r=8, p=1, 32-byte key) to improve resistance to brute-force attacks (CWE-916). Update migration logic to fall back to legacy SHA-256 and re-hash found legacy keys to scrypt, update log message accordingly. Adjust and extend unit tests to assert scrypt-based hashes, determinism, that scrypt differs from plain SHA-256, and that legacy keys are migrated; update changelog entry to reflect the change.
@Skyfay Skyfay merged commit d886b2b into main Apr 2, 2026
7 checks passed
@Skyfay Skyfay deleted the dev branch April 2, 2026 15:09
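
The scrypt key storage and legacy SHA-256 migration described in the last commit message above, as an added example that is not the project's own code. The static salt, the Map-backed store, and the names `hashApiKey`, `legacySha256` and `findApiKey` are assumptions made for illustration; only the scrypt parameters come from the commit message.

```javascript
const crypto = require('node:crypto');

// Parameters taken from the commit message: N=16384, r=8, p=1, 32-byte output.
const SCRYPT_PARAMS = { N: 16384, r: 8, p: 1 };
const KEY_LEN = 32;
// Assumption: one fixed, application-wide salt. Looking a key up by its hash
// needs a deterministic digest, so a per-key random salt cannot be used here.
const STATIC_SALT = 'constructed-example-salt';

function hashApiKey(rawKey) {
  return crypto.scryptSync(rawKey, STATIC_SALT, KEY_LEN, SCRYPT_PARAMS).toString('hex');
}

function legacySha256(rawKey) {
  return crypto.createHash('sha256').update(rawKey).digest('hex');
}

// store: Map<hashedKey, record>, a hypothetical stand-in for the key table.
function findApiKey(store, rawKey, log = () => {}) {
  const current = hashApiKey(rawKey);
  if (store.has(current)) return store.get(current);

  // Fall back to the legacy digest, then re-hash so the fast hash leaves storage.
  const legacy = legacySha256(rawKey);
  const record = store.get(legacy);
  if (!record) return null;
  store.delete(legacy);
  store.set(current, record);
  log(`migrated API key ${record.id} from SHA-256 to scrypt`);
  return record;
}

// Constructed sample data: one key still stored under its legacy SHA-256 hash.
function demo() {
  const rawKey = 'example_key_0123456789abcdef';
  const store = new Map([[legacySha256(rawKey), { id: 'key-1' }]]);
  const logs = [];
  const first = findApiKey(store, rawKey, (m) => logs.push(m));  // migrates
  const second = findApiKey(store, rawKey, (m) => logs.push(m)); // scrypt hit
  return { first, second, logs, keys: [...store.keys()], rawKey };
}
```

The log line records the record id only, never the raw key or either digest.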