peregrine/web
pyr0ball 3cdd14c345 fix(security): CVE mitigations — path traversal, SSRF, dep upgrades, npm audit
Path traversal (cloud middleware):
- Add _VALID_USER_ID_RE UUID regex; reject non-UUID user_id before
  constructing db path from CLOUD_DATA_ROOT / user_id / ...
- Non-UUID values log a warning and fall through to unauthenticated path

SSRF (test_email IMAP endpoint):
- Add _is_ssrf_host() using ipaddress + socket.gethostbyname()
- Checks resolved IP against RFC-1918, loopback, and link-local ranges
- Fails closed on DNS resolution errors (returns True = blocked)

Dependency security pins in environment.yml (transitive CVEs):
- starlette>=1.0.1 (PYSEC-2026-161), python-multipart>=0.0.27 (CVE-2026-40347),
  aiohttp>=3.14.0, tornado>=6.5.5, cryptography>=46.0.7, langsmith>=0.8.0,
  gitpython>=3.1.50, lxml>=6.1.0, idna>=3.15, markdownify>=0.14.1
- Direct dep upgrades: requests>=2.33.0, pypdf>=6.12.0, python-dotenv>=1.2.2,
  PyJWT>=2.13.0, curl_cffi>=0.15.0

npm audit (web/package-lock.json):
- Resolved 7 of 9 CVEs; 2 remaining esbuild CVEs require vite 8 upgrade
  (tracked as issue #123 — breaking change, deferred)
2026-06-14 12:16:00 -07:00
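The two input checks the commit message describes, written out as an added example from that description alone (this is not peregrine's own middleware code). The names _VALID_USER_ID_RE, CLOUD_DATA_ROOT and _is_ssrf_host come from the commit; the value of CLOUD_DATA_ROOT, the db file name, the helper names is_valid_user_id/user_db_path/demo_resolve and the hostname table used in place of DNS are assumptions or constructed data. One thing the example adds beyond the commit text: IPv4-mapped IPv6 answers (::ffff:127.0.0.1) are unwrapped before the range check, and the regex is applied with fullmatch so a trailing newline cannot slip past a "$" anchor.

```python
"""Added example of the commit's two mitigations, not project code.
CLOUD_DATA_ROOT's value, the db file name and _DEMO_DNS are assumptions/constructed."""
from __future__ import annotations

import ipaddress
import re
import socket
from pathlib import Path
from typing import Callable, Optional

# Assumed root; the commit only names the variable, not its value.
CLOUD_DATA_ROOT = Path("/srv/cloud-data")

# Canonical 8-4-4-4-12 hex UUID. Applied with fullmatch(), so the whole value
# must be a UUID: no "/", no "..", and no trailing newline (a bare "$" anchor
# would still accept "<uuid>\n").
_VALID_USER_ID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def is_valid_user_id(user_id: str) -> bool:
    return _VALID_USER_ID_RE.fullmatch(user_id) is not None


def user_db_path(user_id: str) -> Optional[Path]:
    """Per-user db path, or None when user_id is not a UUID.

    The regex already excludes every traversal character; the resolve() check
    is defence in depth in case the allow-list is ever loosened.
    """
    if not is_valid_user_id(user_id):
        return None
    path = CLOUD_DATA_ROOT / user_id / "db.sqlite"  # file name is an assumption
    if not path.resolve().is_relative_to(CLOUD_DATA_ROOT.resolve()):
        return None
    return path


# Ranges the commit names (RFC 1918, loopback, link-local) plus their IPv6
# counterparts, so the check stays safe if the resolver ever returns AAAA.
_BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "::1/128",                         # loopback
    "169.254.0.0/16", "fe80::/10",                    # link-local (169.254.169.254 = cloud metadata)
    "fc00::/7",                                       # IPv6 unique-local, the RFC 1918 analogue
)]

Resolver = Callable[[str], str]


def _is_ssrf_host(host: str, resolve: Resolver = socket.gethostbyname) -> bool:
    """True when the host must be rejected. Fails closed: any resolver error
    or unparsable answer counts as blocked."""
    try:
        ip = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError):
        # socket.gaierror/herror subclass OSError; ValueError covers a garbage answer
        return True
    # ::ffff:10.0.0.1 reaches 10.0.0.1 on the wire; compare the embedded IPv4
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in _BLOCKED_NETWORKS)


# Constructed lookup table standing in for DNS so the example runs offline.
_DEMO_DNS = {
    "mail.example.com": "203.0.113.10",    # public (TEST-NET-3 documentation range)
    "metadata": "169.254.169.254",          # link-local: cloud metadata endpoint
    "intranet-imap": "10.1.2.3",            # RFC 1918
    "v6-loopback": "::ffff:127.0.0.1",      # IPv4-mapped loopback
}


def demo_resolve(host: str) -> str:
    try:
        return _DEMO_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")


if __name__ == "__main__":
    for uid in ("123e4567-e89b-12d3-a456-426614174000",
                "../../etc/passwd",
                "123e4567-e89b-12d3-a456-426614174000/../x"):
        print(f"{uid!r:50} -> {user_db_path(uid)}")
    for host in ("mail.example.com", "metadata", "intranet-imap", "v6-loopback", "nxdomain.invalid"):
        print(f"{host:18} blocked={_is_ssrf_host(host, resolve=demo_resolve)}")
```

Two caveats a reviewer would raise against this shape of check, whichever implementation is used: gethostbyname() returns a single A record, and the IMAP client does its own lookup later, so a name with mixed public/private answers or a short-TTL rebind can pass validation and still connect internally. The stronger fix is to pin the validated address into the connection (connect to the IP, pass the hostname only for TLS SNI/verification). And blocking by address alone does not cover the service's own public IP or other tenants on a shared network; an explicit allow-list of permitted IMAP hosts removes that class entirely where the product can tolerate it.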
public feat(web): add task indicator component and task store for background jobs 2026-04-01 07:09:55 -07:00
src fix: dark mode CSS token gaps, interview score display, undefined CSS vars 2026-05-18 13:37:08 -07:00
.gitignore feat(web): merge Vue SPA from feature/vue-spa; add ClassicUIButton + useFeatureFlag 2026-03-22 18:46:11 -07:00
index.html docs: document Gotcha #14 (body over html), retake screenshots for light theme 2026-05-08 15:49:47 -07:00
package-lock.json fix(security): CVE mitigations — path traversal, SSRF, dep upgrades, npm audit 2026-06-14 12:16:00 -07:00
package.json feat: Interview prep Q&A, cf-orch hardware profile, a11y fixes, dark theme 2026-04-14 17:01:18 -07:00
tsconfig.app.json feat(web): merge Vue SPA from feature/vue-spa; add ClassicUIButton + useFeatureFlag 2026-03-22 18:46:11 -07:00
tsconfig.json feat(web): merge Vue SPA from feature/vue-spa; add ClassicUIButton + useFeatureFlag 2026-03-22 18:46:11 -07:00
tsconfig.node.json feat(web): merge Vue SPA from feature/vue-spa; add ClassicUIButton + useFeatureFlag 2026-03-22 18:46:11 -07:00
uno.config.ts feat(web): merge Vue SPA from feature/vue-spa; add ClassicUIButton + useFeatureFlag 2026-03-22 18:46:11 -07:00
vite.config.ts fix(demo): smoke-test fixes — card reset, toast error type, apply hint, text contrast 2026-04-21 10:14:37 -07:00