Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Zimeng Xiong
|
bea26a3abd | ||
|
Sushil Kumar
|
a8615d9087 | ||
|
Zimeng Xiong
|
7c238701b7 | ||
|
Zimeng Xiong
|
c5c8b15e75 |
@@ -1,6 +1,6 @@
|
||||
<img src="logoExcaliDash.png" alt="ExcaliDash Logo" width="80" height="88">
|
||||
|
||||
# ExcaliDash v0.1.8
|
||||
# ExcaliDash
|
||||
|
||||
|
||||
|
||||
|
||||
+14
@@ -27,3 +27,17 @@ CSRF Protection (8a78b2b)
|
||||
- Updated docker-compose configurations with new environment variables
|
||||
- E2E test suite improvements and reliability fixes
|
||||
- Added Kubernetes deployment note in README
|
||||
|
||||
### Kubernetes
|
||||
|
||||
A `CSRF_SECRET` environment variable is now required for CSRF protection. Generate a secure 32+ character random string:
|
||||
|
||||
```bash
|
||||
openssl rand -base64 32
|
||||
|
||||
Add it to your deployment:
|
||||
- Docker Compose: Add CSRF_SECRET=<your-secret> to the backend service environment
|
||||
- Kubernetes: Add to your ConfigMap/Secret and reference in the backend deployment
|
||||
|
||||
If not set, the backend will refuse to start.
|
||||
```
|
||||
|
||||
+23
-9
@@ -30,7 +30,9 @@ let activeConfig: SecurityConfig = { ...defaultConfig };
|
||||
* Configure security settings
|
||||
* @param config Partial configuration to merge with defaults
|
||||
*/
|
||||
export const configureSecuritySettings = (config: Partial<SecurityConfig>): void => {
|
||||
export const configureSecuritySettings = (
|
||||
config: Partial<SecurityConfig>
|
||||
): void => {
|
||||
activeConfig = { ...activeConfig, ...config };
|
||||
};
|
||||
|
||||
@@ -318,10 +320,13 @@ export const appStateSchema = z
|
||||
.optional()
|
||||
.nullable(),
|
||||
currentItemRoundness: z
|
||||
.object({
|
||||
.union([
|
||||
z.enum(["sharp", "round"]),
|
||||
z.object({
|
||||
type: z.enum(["round", "sharp"]),
|
||||
value: z.number().finite().min(0).max(1),
|
||||
})
|
||||
}),
|
||||
])
|
||||
.optional()
|
||||
.nullable(),
|
||||
currentItemFontSize: z
|
||||
@@ -427,10 +432,19 @@ export const sanitizeDrawingData = (data: {
|
||||
];
|
||||
|
||||
// Dangerous URL protocols to block entirely
|
||||
const dangerousProtocols = [/^javascript:/i, /^vbscript:/i, /^data:text\/html/i];
|
||||
const dangerousProtocols = [
|
||||
/^javascript:/i,
|
||||
/^vbscript:/i,
|
||||
/^data:text\/html/i,
|
||||
];
|
||||
|
||||
// Suspicious patterns for security validation within data URLs
|
||||
const suspiciousPatterns = [/<script/i, /javascript:/i, /on\w+\s*=/i, /<iframe/i];
|
||||
const suspiciousPatterns = [
|
||||
/<script/i,
|
||||
/javascript:/i,
|
||||
/on\w+\s*=/i,
|
||||
/<iframe/i,
|
||||
];
|
||||
|
||||
// Maximum size for dataURL (configurable, default 10MB to prevent DoS)
|
||||
const MAX_DATAURL_SIZE = activeConfig.maxDataUrlSize;
|
||||
@@ -448,8 +462,8 @@ export const sanitizeDrawingData = (data: {
|
||||
const normalizedValue = value.toLowerCase();
|
||||
|
||||
// First, check for dangerous protocols - block these entirely
|
||||
const hasDangerousProtocol = dangerousProtocols.some((pattern) =>
|
||||
pattern.test(value)
|
||||
const hasDangerousProtocol = dangerousProtocols.some(
|
||||
(pattern) => pattern.test(value)
|
||||
);
|
||||
|
||||
if (hasDangerousProtocol) {
|
||||
@@ -465,8 +479,8 @@ export const sanitizeDrawingData = (data: {
|
||||
|
||||
if (isSafeImageType) {
|
||||
// Check for suspicious content and size limits
|
||||
const hasSuspiciousContent = suspiciousPatterns.some((pattern) =>
|
||||
pattern.test(value)
|
||||
const hasSuspiciousContent = suspiciousPatterns.some(
|
||||
(pattern) => pattern.test(value)
|
||||
);
|
||||
const isTooLarge = value.length > MAX_DATAURL_SIZE;
|
||||
|
||||
|
||||
@@ -301,6 +301,7 @@ export const Editor: React.FC = () => {
|
||||
|
||||
try {
|
||||
const persistableAppState = {
|
||||
...appState,
|
||||
viewBackgroundColor: appState?.viewBackgroundColor || '#ffffff',
|
||||
gridSize: appState?.gridSize || null,
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user