Fix security issues #762

Merged
leszko merged 2 commits into main from rafal/security-fixes
Mar 30, 2026

@leszko leszko commented Mar 30, 2026

No description provided.

leszko and others added 2 commits March 30, 2026 09:50
…RA install

Resolve user-supplied paths and verify they stay within their intended
base directories using resolve() + is_relative_to() checks. Closes #756
(path traversal items).

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Signed-off-by: Rafał Leszko <[email protected]>
Reduces exposure on shared/LAN/cloud environments. Dockerfiles and cloud
apps already pass --host 0.0.0.0 explicitly so they are unaffected.
Refs #756.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Signed-off-by: Rafał Leszko <[email protected]>
@leszko leszko marked this pull request as ready for review March 30, 2026 08:16
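
The containment check the first commit message describes (resolve() + is_relative_to()), as an added example that is not code from this pull request. The helper name `resolve_within`, the directory names and the sample inputs are constructed for illustration.

```python
import tempfile
from pathlib import Path


def resolve_within(base_dir, user_path):
    """Resolve user_path under base_dir or raise ValueError (illustrative helper)."""
    base = Path(base_dir).resolve()
    # An absolute user_path replaces base in the join, and ".." segments or
    # symlinks can walk out of it, so the check runs on the fully resolved
    # result, never on the raw string.
    candidate = (base / user_path).resolve()
    # is_relative_to (Python 3.9+) compares whole path components, so a
    # sibling such as "assets-evil" does not pass as being under "assets".
    if not candidate.is_relative_to(base):
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def demo():
    """Classify constructed inputs against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "assets"      # constructed base directory
        outside = Path(tmp) / "secrets"  # constructed sibling directory
        base.mkdir()
        outside.mkdir()
        # Constructed symlink inside base that points outside it.
        (base / "link").symlink_to(outside, target_is_directory=True)
        samples = {
            "plain": "model.bin",
            "nested": "sub/model.bin",
            "dotdot": "../secrets/key.pem",
            "absolute": str(outside / "key.pem"),
            "symlink": "link/key.pem",
            "sibling_prefix": "../assets-evil/x",
        }
        for name, value in samples.items():
            try:
                resolve_within(base, value)
                results[name] = "allowed"
            except ValueError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

The `sibling_prefix` case is the one a string `startswith` comparison on the resolved path would let through.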
coderabbitai bot commented Mar 30, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6aab1c80-6e7b-434b-9173-79643980da36

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@github-actions

🚀 fal.ai Preview Deployment

App ID daydream/scope-pr-762--preview
WebSocket wss://fal.run/daydream/scope-pr-762--preview/ws
Commit 1ae02e5

Livepeer Runner

App ID daydream/scope-livepeer-pr-762--preview
WebSocket wss://fal.run/daydream/scope-livepeer-pr-762--preview/ws
Auth private

Testing

Connect to this preview deployment by running this on your branch:

uv run build && SCOPE_CLOUD_APP_ID="daydream/scope-pr-762--preview/ws" uv run daydream-scope

Livepeer mode:

SCOPE_CLOUD_MODE=livepeer SCOPE_CLOUD_APP_ID="daydream/scope-livepeer-pr-762--preview/ws" uv run daydream-scope

🧪 E2E tests will run automatically against this deployment.

@github-actions

✅ E2E Tests passed

Status passed
fal App daydream/scope-pr-762--preview
Run View logs

Test Artifacts

Check the workflow run for screenshots.

@leszko leszko merged commit 08e1673 into main Mar 30, 2026
10 checks passed