Update RELEASE.md with CSRF_SECRET instructions

Added instructions for the required CSRF_SECRET environment variable for CSRF protection in Kubernetes deployments.
2026-01-14 13:11:13 -08:00
2 changed files with 12 additions and 27 deletions
@@ -30,9 +30,7 @@ let activeConfig: SecurityConfig = { ...defaultConfig };
 * Configure security settings
 * @param config Partial configuration to merge with defaults
 */
-export const configureSecuritySettings = (
-  config: Partial<SecurityConfig>
-): void => {
+export const configureSecuritySettings = (config: Partial<SecurityConfig>): void => {
  activeConfig = { ...activeConfig, ...config };
 };

@@ -320,13 +318,10 @@ export const appStateSchema = z
      .optional()
      .nullable(),
    currentItemRoundness: z
-      .union([
-        z.enum(["sharp", "round"]),
-        z.object({
+      .object({
        type: z.enum(["round", "sharp"]),
        value: z.number().finite().min(0).max(1),
-        }),
-      ])
+      })
      .optional()
      .nullable(),
    currentItemFontSize: z
@@ -432,19 +427,10 @@ export const sanitizeDrawingData = (data: {
      ];

      // Dangerous URL protocols to block entirely
-      const dangerousProtocols = [
-        /^javascript:/i,
-        /^vbscript:/i,
-        /^data:text\/html/i,
-      ];
+      const dangerousProtocols = [/^javascript:/i, /^vbscript:/i, /^data:text\/html/i];

      // Suspicious patterns for security validation within data URLs
-      const suspiciousPatterns = [
-        /<script/i,
-        /javascript:/i,
-        /on\w+\s*=/i,
-        /<iframe/i,
-      ];
+      const suspiciousPatterns = [/<script/i, /javascript:/i, /on\w+\s*=/i, /<iframe/i];

      // Maximum size for dataURL (configurable, default 10MB to prevent DoS)
      const MAX_DATAURL_SIZE = activeConfig.maxDataUrlSize;
@@ -462,8 +448,8 @@ export const sanitizeDrawingData = (data: {
                const normalizedValue = value.toLowerCase();

                // First, check for dangerous protocols - block these entirely
-                const hasDangerousProtocol = dangerousProtocols.some(
-                  (pattern) => pattern.test(value)
+                const hasDangerousProtocol = dangerousProtocols.some((pattern) =>
+                  pattern.test(value)
                );

                if (hasDangerousProtocol) {
@@ -479,8 +465,8 @@ export const sanitizeDrawingData = (data: {

                if (isSafeImageType) {
                  // Check for suspicious content and size limits
-                  const hasSuspiciousContent = suspiciousPatterns.some(
-                    (pattern) => pattern.test(value)
+                  const hasSuspiciousContent = suspiciousPatterns.some((pattern) =>
+                    pattern.test(value)
                  );
                  const isTooLarge = value.length > MAX_DATAURL_SIZE;

@@ -301,7 +301,6 @@ export const Editor: React.FC = () => {

    try {
      const persistableAppState = {
-        ...appState,
        viewBackgroundColor: appState?.viewBackgroundColor || '#ffffff',
        gridSize: appState?.gridSize || null,
      };