fix: address code review findings

- validate chat image attachments server-side: only files inside the
  ~/.cloudcli/assets upload store may reach provider file reads
- harden asset serving with nosniff and attachment disposition for
  SVGs to prevent stored XSS
- show the timestamp on image-only user messages
- serialize git stage/unstage calls and defer the status re-sync so
  rapid toggles can't interleave or flicker
- use a literal hex fallback for commit ref badges (alpha suffix on a
  var() string produced invalid CSS)
- stop binding a URL session to a guening
  project instead
- add the missing attentionRequiredIndicator key to all sidebar locales
- clean up dangling conjunctions left the
  de/ru/tr/ja/zh-CN/zh-TW READMEs
This commit is contained in:
Haileyesus
2026-07-06 21:08:22 +03:00
parent 4e423f5fa2
commit 138371525a
23 changed files with 197 additions and 70 deletions

View File

@@ -79,7 +79,17 @@ router.get('/images/:filename', async (req, res) => {
return res.status(404).json({ error: 'Asset not found' });
}
res.setHeader('Content-Type', mime.lookup(resolved) || 'application/octet-stream');
const contentType = mime.lookup(resolved) || 'application/octet-stream';
res.setHeader('Content-Type', contentType);
// Stored-XSS hardening: never let the browser sniff a different type, and
// force SVGs (which can carry scripts when rendered as a document) to
// download instead of rendering inline. The chat UI is unaffected — it
// fetches assets as blobs and shows them through <img>, where SVG scripts
// never execute.
res.setHeader('X-Content-Type-Options', 'nosniff');
if (contentType === 'image/svg+xml') {
res.setHeader('Content-Disposition', 'attachment');
}
const fileStream = fsSync.createReadStream(resolved);
fileStream.pipe(res);
fileStream.on('error', (error) => {