• Stefy Lanza (nextime / spora )'s avatar
    admin: sanitize model-upload paths + atomic auth.json read-modify-write · f97459fc
    Stefy Lanza (nextime / spora ) authored
    The model-upload endpoint joined a client-supplied filename straight onto
    the cache dir, so an admin-authenticated request with a traversal filename
    (or upload_id) could write outside it. Reduce both to a safe basename,
    reject separators/.., and add a commonpath containment check before
    committing the upload.
    
    SessionManager only locked the write half of each load->mutate->save, so
    concurrent writers could clobber each other's changes (lost sessions or
    tokens). Add update_auth_data(mutator), which holds the lock across the
    whole read-modify-write and persists only when the mutator asks to; route
    every mutating method (and the token create/delete endpoints) through it.
    Read-only callers keep the lock-free load since writes are atomic via
    os.replace. While migrating the token endpoints, switch IDs to max+1 (no
    reuse after deletion) and to timezone-aware timestamps.
    Co-Authored-By: 's avatarClaude Opus 4.8 <noreply@anthropic.com>
    f97459fc
auth.py 14.8 KB