This repository was archived by the owner on Nov 4, 2025. It is now read-only.
upstream#2
Open
chad-jones wants to merge 824 commits into
Replace plain == comparisons with crypto/subtle.ConstantTimeCompare for upload token (X-UploadToken header) and API token verification. Prevents theoretical timing attacks on token values.
Wrap /clients/, /changelog/, and webapp root FileServer handlers with NoDirListing to return 404 for directory requests instead of generating listings. Root '/' is allowed through for SPA index.html.
Session and XSRF cookies now get the Secure flag when either EnhancedWebSecurity or SslEnabled is true, ensuring cookies are never sent over plain HTTP when TLS is configured.
Add Strict-Transport-Security middleware (max-age=31536000, 1 year) applied when SslEnabled or EnhancedWebSecurity is true. Tells browsers to always use HTTPS for this domain. Updated security docs.
Replace MD5 with bcrypt(sha256(base64(login:password))) for upload password storage. SHA-256 pre-hash removes bcrypt's 72-byte input limit.
- Add common.HashUploadPassword and common.CheckUploadPassword helpers
- Validate login and password length (max 128 characters each)
- Legacy MD5 hashes are still accepted for old uploads until they expire
- Add tests for bcrypt path, legacy MD5 path, and length validation
- Document password hashing scheme and limits in docs/guide/security.md

- Document SECU-20: removable uploads are deletable by anyone by design
- Document SECU-02: bcrypt(sha256) password hashing with 128-char limits
- Document legacy MD5 compatibility for uploads created before 1.4
fix(server): security hardening — SECU audit batch 1
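The three server-side hardening steps listed above (constant-time comparison of the X-UploadToken header, a NoDirListing wrapper that 404s directory requests except the SPA root, and the HSTS middleware) as one added, standard-library-only Go example. This is not Plik's code: the middleware names, the stand-in file server that always answers 200, and the token value are constructed for the illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// checkUploadToken compares a presented X-UploadToken value with the expected
// one in constant time: the comparison takes the same time whether the first
// or the last byte differs, so response timing reveals nothing about the
// token's contents. (A length mismatch still returns early, which is
// acceptable for fixed-length tokens.)
func checkUploadToken(presented, expected string) bool {
	return subtle.ConstantTimeCompare([]byte(presented), []byte(expected)) == 1
}

// requireUploadToken is a hypothetical middleware (not Plik's handler) that
// rejects requests whose X-UploadToken header does not match.
func requireUploadToken(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !checkUploadToken(r.Header.Get("X-UploadToken"), expected) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// noDirListing wraps a file-serving handler so that directory requests (any
// path ending in "/") get 404 instead of an auto-generated index; the root
// "/" is let through so the SPA's index.html is still served.
func noDirListing(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/" && strings.HasSuffix(r.URL.Path, "/") {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// hsts adds Strict-Transport-Security with a one-year max-age. Mount it only
// when TLS is actually configured; otherwise browsers would be told to insist
// on HTTPS for a host that cannot serve it.
func hsts(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000")
		next.ServeHTTP(w, r)
	})
}

// newHardenedHandler chains the three wrappers around a stand-in for
// http.FileServer that always answers 200 (constructed so the example runs
// without a real directory on disk).
func newHardenedHandler(expectedToken string) http.Handler {
	files := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	return hsts(noDirListing(requireUploadToken(expectedToken, files)))
}

// probe sends one request through h and returns the status code and the
// Strict-Transport-Security header it produced.
func probe(h http.Handler, path, token string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("X-UploadToken", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Strict-Transport-Security")
}

func main() {
	h := newHardenedHandler("constructed-example-token")
	for _, c := range []struct{ path, token string }{
		{"/", "constructed-example-token"},
		{"/clients/", "constructed-example-token"},
		{"/clients/plik", "wrong-token"},
	} {
		code, sts := probe(h, c.path, c.token)
		fmt.Printf("%-14s token=%-26q -> %d STS=%q\n", c.path, c.token, code, sts)
	}
}
```

The wrapper order matters: the directory check runs before the token check, so a directory probe never learns whether its token was valid, and the HSTS header is set on every response including the 403 and 404 paths.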
Replace gen.pl with gen.go using text/template for idiomatic Go code generation. Move hand-written GetAuthenticatorSafe() from generated context.go to admin.go. Add TestGenContextUpToDate to catch gen.go / context.go drift in CI.
refactor(context): rewrite context code generator from Perl to Go
Make the active tab and filter state in HomeView and AdminView URL-addressable via query parameters (?tab=, &user=, &sort=, &order=, &provider=, &admin=) to enable bookmarking, sharing, and browser back/forward navigation. Token filter values are intentionally excluded from URLs for security (they contain raw API tokens that would leak in browser history and Referer headers).
- HomeView: ?tab=stats|uploads|tokens
- AdminView: ?tab=stats|users|uploads with filter/sort params
- Views use router.replace() + watch(route.query) for sync
- lastRouteQuery dedup prevents double API calls
- 8 new E2E tests for URL-based tab navigation
- ARCHITECTURE.md updated with query param documentation

…sidebar
Extract shared UploadBadges component showing one-shot, removable, stream, extend TTL, password, and e2e encryption badges on upload cards (Home/Admin views) and the download sidebar.
- New UploadBadges.vue with size prop (sm for cards, md for sidebar)
- DRY: replaces inline badges in DownloadSidebar.vue and UploadCard.vue
- Color scheme: warning (one-shot), danger (removable), accent (stream/e2e), emerald (extend TTL), surface (password)

Add server-side filtering for upload badge settings (oneShot, removable, stream, extendTTL, password, e2ee) via query parameters on both /uploads (admin) and /me/uploads (user) endpoints.
Backend:
- Replace positional (userID, tokenStr) args with UploadFilters struct
- Add applyUploadFilters() with explicit WHERE clauses (GORM ignores zero-value bools in struct conditions)
- Add parseBoolFilter() helper for *bool query param parsing
- Fix GetUploadsSortedBySize: INNER JOIN → LEFT JOIN + COALESCE so uploads without files appear with size 0 instead of being excluded
Frontend:
- Add badge filter toggle buttons in Admin and Home upload views
- Full URL persistence: filters sync to query params, restored on mount, tab switch, and back/forward navigation
- Use router.push() for filter toggles to enable browser history
- Explicit === true checks for badge filter API params
Tests:
- Add TestBackend_GetUploadsSortedBySize_EmptyUploads (Go)
- Add badge-filters.spec.js with 10 E2E tests covering filter visibility, matching, URL persistence, and back/forward navigation
- Update existing tests to use UploadFilters struct
Docs:
- Update ARCHITECTURE.md with new filter query params
- Update AGENTS.md with UploadFilters reference

Extract Docker build+push into a reusable workflow and call it from both docker-build-pr and docker-deploy-pr. The deploy workflow now checks if the image exists on Docker Hub before building, so a single "docker deploy" comment handles everything.
- Add docker-build-reusable.yaml with workflow_call trigger
- Refactor docker-build-pr to call the reusable workflow
- Refactor docker-deploy-pr: check image, build if needed, deploy
- Use exact match (trim) instead of contains for comment triggers
- Guard deploy and notify jobs against permission failures

…ponent
- Backend: extract parseBadgeFilters() helper in misc.go (DRY admin.go & me.go)
- Backend: add sort=size and CountUploads to /me/uploads endpoint
- Frontend: create shared UploadControls.vue (sort/order/badge filters)
- Frontend: integrate UploadControls in AdminView and HomeView
- Frontend: add sort state, URL persistence, and API sort param to HomeView
- Tests: add E2E tests for sort controls and direct URL filter restoration
- Docs: update ARCHITECTURE.md and AGENTS.md
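The backend point in the badge-filter commit above (a *bool per filter so that "absent" and "false" stay distinct, and explicit WHERE clauses because an ORM struct condition silently drops zero-value booleans) as an added Go example. This is not Plik's code: the UploadFilters fields, parseBoolFilter, parseUploadFilters and buildWhere here are constructed for the illustration and emit a plain parameterised SQL fragment rather than going through GORM.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// UploadFilters carries one optional boolean per badge: nil means "not
// filtered", a non-nil pointer means "must equal this value", so a request
// for removable=false is not confused with no filter at all.
// (Hypothetical struct, a subset of the fields the commit describes.)
type UploadFilters struct {
	OneShot   *bool
	Removable *bool
	Stream    *bool
}

// parseBoolFilter turns a query parameter into *bool: absent -> nil,
// a value strconv.ParseBool accepts -> pointer, anything else -> error,
// so a typo like ?removable=yes is rejected instead of silently ignored.
func parseBoolFilter(q url.Values, name string) (*bool, error) {
	raw := q.Get(name)
	if raw == "" {
		return nil, nil
	}
	v, err := strconv.ParseBool(raw)
	if err != nil {
		return nil, fmt.Errorf("query parameter %q: %w", name, err)
	}
	return &v, nil
}

// parseUploadFilters builds the struct from a request's query string.
func parseUploadFilters(q url.Values) (UploadFilters, error) {
	var f UploadFilters
	var err error
	if f.OneShot, err = parseBoolFilter(q, "oneShot"); err != nil {
		return f, err
	}
	if f.Removable, err = parseBoolFilter(q, "removable"); err != nil {
		return f, err
	}
	if f.Stream, err = parseBoolFilter(q, "stream"); err != nil {
		return f, err
	}
	return f, nil
}

// buildWhere emits one explicit "col = ?" clause per set filter, with the
// value passed as a placeholder argument. Spelling the clauses out is what
// keeps removable=false meaning "only non-removable uploads"; a struct
// condition such as Where(&Upload{Removable: false}) would drop it.
func buildWhere(f UploadFilters) (string, []any) {
	var clauses []string
	var args []any
	add := func(col string, v *bool) {
		if v != nil {
			clauses = append(clauses, col+" = ?")
			args = append(args, *v)
		}
	}
	add("one_shot", f.OneShot)
	add("removable", f.Removable)
	add("stream", f.Stream)
	if len(clauses) == 0 {
		return "", nil
	}
	return "WHERE " + strings.Join(clauses, " AND "), args
}

func main() {
	// Constructed query string: a false filter and a true filter.
	q, _ := url.ParseQuery("removable=false&stream=true")
	f, err := parseUploadFilters(q)
	if err != nil {
		panic(err)
	}
	where, args := buildWhere(f)
	fmt.Println(where, args) // WHERE removable = ? AND stream = ? [false true]
}
```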
ci(docker): chain build into deploy workflow
…gers GitHub Actions expressions don't have a trim() function. Use direct == comparison for exact match on comment body.
Without await, the github-script step exits before the promise resolves and the rocket emoji reaction is never created.
- webapp: getFileURL() returns /stream/ URLs when upload.stream is set
- server: skip Content-Length for streaming downloads (size is stale for E2EE because encrypted blob > original file size)
- e2e: add stream-e2ee.spec.js with full roundtrip test
Remove the image existence check from docker-deploy-pr. The image tag is pr-<number> which doesn't change between force-pushes, so a cached image could be stale. Always rebuild to ensure the deployed image matches the latest commit. Also add missing await to createComment calls in notify job.
feat(webapp): path-based tab routing, upload badges, badge filters, and sort-by-size
Bumps [lodash-es](https://github.com/lodash/lodash) to 4.17.23 and updates ancestor dependency [mermaid](https://github.com/mermaid-js/mermaid). These dependencies need to be updated together.

Updates `lodash-es` from 4.17.21 to 4.17.23
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

Updates `mermaid` from 11.12.2 to 11.12.3
- [Release notes](https://github.com/mermaid-js/mermaid/releases)
- [Commits](https://github.com/mermaid-js/mermaid/compare/mermaid@11.12.2...mermaid@11.12.3)

---
updated-dependencies:
- dependency-name: lodash-es
  dependency-version: 4.17.23
  dependency-type: indirect
- dependency-name: mermaid
  dependency-version: 11.12.3
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
feat(webapp): two-row FileRow layout for mobile
- golang.org/x/net v0.50.0 → v0.52.0 (fixes GO-2026-4559 HTTP/2 panic CVE)
- golang.org/x/crypto v0.48.0 → v0.49.0
- cloud.google.com/go/storage v1.60.0 → v1.61.3
- google.golang.org/api v0.269.0 → v0.273.0
- Transitive bumps: x/sys, x/text, x/sync, x/term, x/time, otel v1.42.0, gax-go v2.19.0

- tailwindcss + @tailwindcss/vite 4.1.18 → 4.2.2
- vue 3.5.28 → 3.5.31
- vue-router 4.6.4 → 5.0.4 (no breaking changes for standard usage)
- vite 7.3.1 → 8.0.3 (Rolldown bundler, no config changes needed)
- jsdom 28.1.0 → 29.0.1
- vitest 4.0.18 → 4.1.2
- @vue/test-utils 2.2.7 → 2.4.6
- @vitejs/plugin-vue 6.0.4 → 6.0.5
- dompurify 3.3.2 → 3.3.3
- marked 17.0.1 → 17.0.5

- actions/checkout v5 → v6
- actions/setup-go v5 → v6
- actions/upload-artifact v6 → v7
- actions/github-script v7 → v8
- azure/setup-helm v4 → v5

- Update README Quick Start links to 1.4.2
- Add changelog/1.4.2
- Promote [Unreleased] to [1.4.2] in Helm chart CHANGELOG
- Add step 2.5 to cut-release workflow (frontend dependency audit)
chore(release): prepare Plik 1.4.2
…ding FeatureAuthentication=enabled too
Response.text() always decodes as UTF-8 per the Fetch spec, which garbles files whose Content-Type includes a non-UTF-8 charset (e.g. text/plain; charset=utf-16be). Fix: fetch the raw bytes via arrayBuffer() and decode with TextDecoder using the charset extracted from the Content-Type response header, falling back to utf-8 when absent. Extract the charset-parsing regex into a standalone charsetFromContentType() helper in utils.js so it can be unit-tested independently. Add 11 unit tests covering UTF-16BE, UTF-16LE, ISO-8859-1, Windows-1252, case-insensitivity, extra params, and null/empty inputs. Update webapp/ARCHITECTURE.md with a new "Charset-Aware Text Decoding" section.
fix(webapp): charset-aware decoding in the file viewer
Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.1.3 to 4.1.4.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](go-jose/go-jose@v4.1.3...v4.1.4)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Add RFC 7636 PKCE S256 support to all three OAuth2 login flows (OIDC, Google, GitHub). The implementation is always-on and stateless: a code_verifier is generated in each Login handler, embedded in the signed JWT state, and extracted in the Callback handler to pass to conf.Exchange. No configuration changes are required. Keycloak's PKCE enforcement is enabled in the e2e test suite (pkce.code.challenge.method=S256) so that the existing TestOIDCLoginBrowser test validates the full flow end-to-end. A dedicated negative test (TestOIDCLoginBrowserPKCEEnforced) verifies that Keycloak rejects an exchange that omits the code_verifier (real code + forged stateless JWT), proving the enforcement setting is active.
feat(auth): implement PKCE S256 for all OAuth providers (closes #730)
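The PKCE S256 flow described in the commit message above, as an added, standard-library-only Go example that is not Plik's code: it generates the code_verifier, derives the S256 code_challenge, binds the verifier into a signed state value so the callback can recover it statelessly, and models the authorization server's check, including the negative case the commit tests (a real challenge but an exchange that omits the verifier, and a forged state). The page's implementation carries the verifier in a signed JWT and hands it to conf.Exchange; here an HMAC-SHA256 tag over the verifier stands in for the JWT, and the key and function names are constructed for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// newCodeVerifier returns an RFC 7636 code_verifier: 32 random bytes encoded
// as unpadded base64url, i.e. 43 characters, inside the allowed 43..128 range.
func newCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// s256Challenge derives code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
// for code_challenge_method=S256; the Login handler sends it on the
// authorization request and keeps only the verifier.
func s256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// signState binds the verifier into the OAuth state value so the callback can
// recover it without server-side session storage. An HMAC-SHA256 tag stands
// in for the signed JWT the real implementation uses.
func signState(key []byte, verifier string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(verifier))
	return verifier + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// parseState verifies the tag and returns the embedded verifier; a state
// forged under a different key is rejected, so a caller cannot smuggle
// their own verifier into the callback.
func parseState(key []byte, state string) (string, error) {
	i := strings.LastIndexByte(state, '.')
	if i < 0 {
		return "", errors.New("malformed state")
	}
	verifier := state[:i]
	if !hmac.Equal([]byte(signState(key, verifier)), []byte(state)) {
		return "", errors.New("state signature invalid")
	}
	return verifier, nil
}

// authServerVerify models the check the authorization server (Keycloak with
// pkce.code.challenge.method=S256) performs at the token endpoint: the
// verifier sent with the code exchange must hash to the challenge recorded
// when the code was issued, and an exchange without a verifier is refused.
func authServerVerify(storedChallenge, presentedVerifier string) error {
	if presentedVerifier == "" {
		return errors.New("invalid_grant: code_verifier missing")
	}
	if n := len(presentedVerifier); n < 43 || n > 128 {
		return errors.New("invalid_grant: code_verifier length out of range")
	}
	got := s256Challenge(presentedVerifier)
	if subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) != 1 {
		return errors.New("invalid_grant: code_verifier does not match code_challenge")
	}
	return nil
}

func main() {
	key := []byte("constructed-state-signing-key")

	// Login handler: generate the verifier, send the challenge, keep the
	// verifier inside the signed state.
	verifier, err := newCodeVerifier()
	if err != nil {
		panic(err)
	}
	challenge := s256Challenge(verifier)
	state := signState(key, verifier)

	// Callback handler: recover the verifier from the state, then exchange.
	recovered, err := parseState(key, state)
	fmt.Println("state ok:", err == nil, "| exchange:", authServerVerify(challenge, recovered))

	// Negative case from the commit: real challenge, exchange omits the verifier.
	fmt.Println("missing verifier:", authServerVerify(challenge, ""))

	// Forged state (signed with another key) is rejected before any exchange.
	_, err = parseState([]byte("attacker-key"), state)
	fmt.Println("forged state:", err)
}
```

The test below also checks the derivation against the worked vector in RFC 7636 Appendix B, which pins the base64url-without-padding detail that is the usual source of S256 mismatches.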
…/go-jose/go-jose/v4-4.1.4 chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 8.0.3 to 8.0.5.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.5/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 8.0.5
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>

When an upload is protected with HTTP basic authentication, the login and password were only visible in the upload sidebar — navigating to the download view caused them to be lost, as the server intentionally strips credentials from API responses (upload.Sanitize()).

This change carries the raw credentials through the in-memory pendingUploadStore (alongside the existing passphrase and basicAuth header) and displays them in a transient "Credentials" section in DownloadSidebar's share card, following the same pattern used for E2EE passphrases. They are ephemeral by design: they only appear in the uploader's browser tab immediately after upload.

A pre-upload validation guard is also added: if the password toggle is enabled but either field is blank, the upload is blocked with a clear error message before calling the API.

Changes:
- pendingUploadStore: carry login/password alongside basicAuth
- UploadView: validate credentials before upload; pass raw values to store
- DownloadView: extract credentials from pending store, pass to sidebar
- DownloadSidebar: new "Credentials" section with copy buttons
- i18n: add credentials/login/password/passwordCredentialsIncomplete keys to all 13 locale files
- Tests: unit test for store, 4 new e2e tests (toggle reveal, validation blocking, share card display, visitor cannot see credentials)
- ARCHITECTURE.md: document pending store signature and transient display

Bumps [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) from 1.42.0 to 1.43.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.42.0...v1.43.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/sdk
  dependency-version: 1.43.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
feat(webapp): display basic auth credentials in share card after upload
…emetry.io/otel/sdk-1.43.0 chore(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0
…ite-8.0.5 chore(deps-dev): bump vite from 8.0.3 to 8.0.5 in /webapp
Restructures all 9 setting rows in UploadSidebar to use a flat flexbox layout: [svg] [text flex-1] [toggle] [?] — instead of the previous nested structure where the help icon was inline within the text span. The tooltip is now right-aligned (anchored at the ? icon's right edge) to prevent overflow clipping now that the anchor sits at the sidebar's far right. A left-anchor variant is provided for the Expiration section header, where the ? is not at the far right. Vertical alignment is fixed by making .setting-help-wrap a flex container (display: flex; align-items: center), eliminating line-height-induced offsets without needing any mt-* hacks. An expirationHelp tooltip is also added to the EXPIRATION section heading, with translations in all 12 supported locales. Closes #736
…ment fix(webapp): move ? tooltips after toggle switches in UploadSidebar
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.3.2 to 3.4.1.
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.2...3.4.1)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.4.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.3.3 to 3.4.1.
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.3...3.4.1)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.4.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) from 5.6.0 to 5.9.2.
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](jackc/pgx@v5.6.0...v5.9.2)

---
updated-dependencies:
- dependency-name: github.com/jackc/pgx/v5
  dependency-version: 5.9.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…/jackc/pgx/v5-5.9.2 chore(deps): bump github.com/jackc/pgx/v5 from 5.6.0 to 5.9.2
…ompurify-3.4.1 chore(deps): bump dompurify from 3.3.3 to 3.4.1 in /webapp
…purify-3.4.1 chore(deps): bump dompurify from 3.3.2 to 3.4.1 in /docs
fix(helm): add missing serviceaccount.yaml template
No description provided.