Skip to content

refactor: improve path resolution safety and configuration robustness#1142

Open
RinZ27 wants to merge 1 commit into
ItzCrazyKns:masterfrom
RinZ27:refactor/robustness-and-security-hardening
Open

refactor: improve path resolution safety and configuration robustness#1142
RinZ27 wants to merge 1 commit into
ItzCrazyKns:masterfrom
RinZ27:refactor/robustness-and-security-hardening

Conversation

@RinZ27

@RinZ27 RinZ27 commented May 28, 2026

Copy link
Copy Markdown

Strengthening the project's robustness by addressing identified path resolution and configuration vulnerabilities. These changes focus on practical security improvements and architectural stability.

Key Modifications:

  • Path Handling: Switched to using path.basename in file utilities to eliminate potential path traversal risks when looking up file IDs.
  • Configuration Security: Implemented a protective guard in the ConfigManager to block illegal property overrides (e.g., __proto__), preventing prototype pollution during configuration updates.
  • Container Hardening: Updated the Dockerfile to switch from root to a dedicated vane user, adhering to the principle of least privilege for production deployments.

Everything has been verified against the current codebase structure. No existing functionality is impacted by these surgical safety enhancements.


Summary by cubic

Strengthens path handling, config updates, and container runtime to reduce traversal and prototype pollution risks and run without root. No functional changes; safer defaults only.

  • Refactors
    • Use path.basename when resolving uploaded file IDs to prevent path traversal.
    • Harden ConfigManager by rejecting __proto__, constructor, and prototype keys at any depth to stop prototype pollution.
    • Run the Docker image as non-root user vane; set ownership for /home/vane and /usr/local/searxng and set USER vane.

Written for commit ea6dc03. Summary will update on new commits.

Review in cubic

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 3 files

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread src/lib/config/index.ts Outdated
@RinZ27
RinZ27 force-pushed the refactor/robustness-and-security-hardening branch from 4c0a004 to ea6dc03 Compare May 28, 2026 13:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant