mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(SEC-REVIEW-4-7): Address remaining MEDIUM security review findings
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details

Browse Source 
- Graceful container shutdown: detect "not running" containers and skip
  force-remove escalation, only SIGKILL for genuine stop failures
- data: URI stripping: add security audit logging via NestJS Logger
  when data: URIs are blocked in markdown links and images
- Orchestrator bootstrap: replace void bootstrap() with .catch() handler
  for clear startup failure logging and clean process.exit(1)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-06 14:51:22 -06:00
parent 2bb1dffe97
commit 92c310333c
4 changed files with 32 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
apps/api/src/knowledge/utils/markdown.ts
View File

@@ -124,6 +124,7 @@ const SANITIZE_OPTIONS: sanitizeHtml.IOptions = {
const href = attribs.href;
// Strip data: URI scheme from links
if (href?.trim().toLowerCase().startsWith("data:")) {
logger.warn(`Blocked data: URI in link href`);
const { href: _removed, ...safeAttribs } = attribs;
return {
tagName,
@@ -149,6 +150,7 @@ const SANITIZE_OPTIONS: sanitizeHtml.IOptions = {
img: (tagName: string, attribs: sanitizeHtml.Attributes) => {
const src = attribs.src;
if (src?.trim().toLowerCase().startsWith("data:")) {
logger.warn(`Blocked data: URI in image src`);
const { src: _removed, ...safeAttribs } = attribs;
return {
tagName,