Fix security bugs and migrate image uploads to /api/v1/attachments

Browse Source

* Replace /api/v1/resources with /api/v1/attachments for image uploads
* Upload attachments as JSON with base64-encoded content field
* After memo creation, link each attachment via PATCH /api/v1/attachments/{id}
* Rewrite markdown image URLs to use /file/attachments/{id} pattern
* Fix XSS: sanitize marked.parse output with a DOM-based allowlist sanitizer
* Fix SSRF: validate img.src scheme (http/https only) before fetching
* Fix stack overflow: use chunked base64 encoding for large images
* Update CLAUDE.md to document new attachment flow

...

This commit is contained in:

Paul Spenke

2026-03-18 17:55:04 +01:00

parent 42d9f336b1

commit 84b3dd69f1

11 changed files with 274 additions and 119 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download Patch File Download Diff File Expand all files Collapse all files

BIN

src/icons/icon32.png

Binary file not shown.

Side by Side Swipe Overlay Before Width:  |  Height:  |  Size: 1.0 KiB After Width:  |  Height:  |  Size: 3.0 KiB