Fix RCE vulnerability and harden security
- Replace eval() with ast.literal_eval() in pdf_utils.py to fix unauthenticated remote code execution via crafted PDF uploads (reported by OX Security) - Sanitize HTML output with DOMPurify to prevent XSS - Restrict CORS origins (configurable via CORS_ORIGINS env var) - Suppress raw exception details in API error responses - Cap Image.MAX_IMAGE_PIXELS to prevent decompression bomb DoS - Add security regression test suite Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -10,6 +10,7 @@
|
||||
},
|
||||
"dependencies": {
|
||||
"axios": "^1.6.5",
|
||||
"dompurify": "^3.3.3",
|
||||
"framer-motion": "^11.0.0",
|
||||
"lucide-react": "^0.344.0",
|
||||
"react": "^18.3.1",
|
||||
|
||||
@@ -2,6 +2,7 @@ import { useEffect, useRef, useState, useCallback } from 'react'
|
||||
import { motion, AnimatePresence } from 'framer-motion'
|
||||
import { Copy, Download, Sparkles, Loader2, CheckCircle2, ChevronDown } from 'lucide-react'
|
||||
import ReactMarkdown from 'react-markdown'
|
||||
import DOMPurify from 'dompurify'
|
||||
|
||||
export default function ResultPanel({ result, loading, imagePreview, onCopy, onDownload }) {
|
||||
const canvasRef = useRef(null)
|
||||
@@ -230,7 +231,7 @@ export default function ResultPanel({ result, loading, imagePreview, onCopy, onD
|
||||
{isHTML ? (
|
||||
<div
|
||||
className="prose prose-invert prose-sm max-w-none"
|
||||
dangerouslySetInnerHTML={{ __html: result.text }}
|
||||
dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(result.text) }}
|
||||
style={{
|
||||
color: '#e5e7eb',
|
||||
}}
|
||||
|
||||
Reference in New Issue
Block a user