mirror of
https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git
synced 2026-05-05 04:54:53 +00:00
Claude
d46c0161fe
- Trust the Forge reverse proxy and force https URLs in production so generated absolute URLs match the actual TLS termination. - Reject Nostr profile photo URLs that aren't http(s) or that resolve to loopback / private (RFC1918) addresses to close an SSRF vector in FetchNostrProfileJob. - Tighten image upload validation across meetup, course, and lecturer create/edit components: explicit mimes whitelist (jpeg, png, webp), max 5 MiB, and dimension cap of 4000x4000. - Replace the silent "skip if exists" branch in LnurlAuthController with updateOrCreate so concurrent callers cannot race on the k1 record. - Validate github_data on Meetup edit, decoding the JSON, and keep only the whitelisted keys (top, left, state) with strict type coercion to prevent storing arbitrary attacker-controlled JSON.