Fix RCE vulnerability and harden security
- Replace eval() with ast.literal_eval() in pdf_utils.py to fix unauthenticated remote code execution via crafted PDF uploads (reported by OX Security) - Sanitize HTML output with DOMPurify to prevent XSS - Restrict CORS origins (configurable via CORS_ORIGINS env var) - Suppress raw exception details in API error responses - Cap Image.MAX_IMAGE_PIXELS to prevent decompression bomb DoS - Add security regression test suite Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -11,6 +11,9 @@ FRONTEND_PORT=3000
|
||||
MODEL_NAME=deepseek-ai/DeepSeek-OCR
|
||||
HF_HOME=/models
|
||||
|
||||
# CORS Configuration (comma-separated origins, defaults to http://localhost:3000)
|
||||
CORS_ORIGINS=http://localhost:3000
|
||||
|
||||
# Upload Configuration
|
||||
MAX_UPLOAD_SIZE_MB=100
|
||||
|
||||
|
||||
Reference in New Issue
Block a user