🛡️ : Security Enhancements (#1681)

* fix: sanitize HTTP params and do not send whole error objects back

* fix: prevent path traversal

* fix: send custom error message for tokenizer route

* chore: handle info exposure vector

* chore(oauth): skip check due to false positive as oauth routes are rate-limited

* chore(app): disable `x-powered-by`

* chore: disable false positives or flagging of hardcoded secrets when they are fake values

* chore: add path traversal safety check
This commit is contained in:
Danny Avila 2024-01-30 14:34:02 -05:00 committed by GitHub
parent 9fad1b2cae
commit 972402e029
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
23 changed files with 72 additions and 28 deletions


@ -1,14 +1,20 @@
const express = require('express');
const router = express.Router();
const { getConvosByPage, deleteConvos } = require('~/models/Conversation');
const requireJwtAuth = require('~/server/middleware/requireJwtAuth');
const { getConvo, saveConvo } = require('~/models');
const { logger } = require('~/config');
const router = express.Router();
router.use(requireJwtAuth);
router.get('/', async (req, res) => {
const pageNumber = req.query.pageNumber || 1;
let pageNumber = req.query.pageNumber || 1;
pageNumber = parseInt(pageNumber, 10);
if (isNaN(pageNumber) || pageNumber < 1) {
return res.status(400).json({ error: 'Invalid page number' });
}
res.status(200).send(await getConvosByPage(req.user.id, pageNumber));
});
@ -17,7 +23,7 @@ router.get('/:conversationId', async (req, res) => {
const convo = await getConvo(req.user.id, conversationId);
if (convo) {
res.status(200).send(convo);
res.status(200).json(convo);
} else {
res.status(404).end();
}
@ -39,10 +45,10 @@ router.post('/clear', async (req, res) => {
try {
const dbResponse = await deleteConvos(req.user.id, filter);
res.status(201).send(dbResponse);
res.status(201).json(dbResponse);
} catch (error) {
logger.error('Error clearing conversations', error);
res.status(500).send(error);
res.status(500).send('Error clearing conversations');
}
});
@ -51,10 +57,10 @@ router.post('/update', async (req, res) => {
try {
const dbResponse = await saveConvo(req.user.id, update);
res.status(201).send(dbResponse);
res.status(201).json(dbResponse);
} catch (error) {
logger.error('Error updating conversation', error);
res.status(500).send(error);
res.status(500).send('Error updating conversation');
}
});
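Review bot: The page-number check in the first hunk (`let pageNumber = req.query.pageNumber || 1;` followed by `parseInt(pageNumber, 10)`) still accepts inputs such as `3abc`, because parseInt stops at the first non-digit, and `||` turns `0` or an empty string into page 1 instead of rejecting them. If the parameter is repeated in the query string, Express presumably hands the handler an array, which parseInt coerces to a string before parsing. A stricter form is `const pageNumber = Number(req.query.pageNumber ?? 1);` with `if (!Number.isInteger(pageNumber) || pageNumber < 1) {`, which rejects trailing garbage, arrays and non-integers with the same 400 response; `Number.isNaN` is also preferable to the coercing global `isNaN`. The same `res.status(500).send('...')` pattern in the last two hunks is fine for leaking nothing, though a `.json({ error: '...' })` body would keep the error shape consistent with the 400 response above.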