yusiboyz/platform
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(gateway,inventory): trust model hardening (#5)
Some checks failed
Security Checks / dependency-audit (push) Has been cancelled
Details
Security Checks / secret-scanning (push) Has been cancelled
Details
Security Checks / dockerfile-lint (push) Has been cancelled
Details

Browse Source 
- Renamed SERVICE_LEVEL_AUTH to GATEWAY_KEY_SERVICES (clarifies intent)
- Removed /debug-nocodb endpoint from inventory (exposed full table dump)
- Hardened NocoDB search filter construction: strip (), ~, , chars to prevent
  filter injection. Reject queries under 2 chars.

Files: gateway/dashboard.py, services/inventory/server.js
This commit is contained in:
Yusuf Suleman
2026-03-29 13:48:18 -05:00
parent 7c05ef14c7
commit 7a7286ac1c
2 changed files with 9 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
gateway/dashboard.py
View File

@@ -187,7 +187,8 @@ def handle_dashboard(handler, user):
apps = conn.execute("SELECT * FROM apps WHERE enabled = 1 ORDER BY sort_order").fetchall()
conn.close()
SERVICE_LEVEL_AUTH = {"inventory", "reader", "books", "music", "budget"}
# Services that use gateway-injected API keys (not per-user tokens)
GATEWAY_KEY_SERVICES = {"inventory", "reader", "books", "music", "budget"}
widgets = []
futures = {}
@@ -289,9 +290,9 @@ def handle_dashboard(handler, user):
for app in apps:
app = dict(app)
svc_token = get_service_token(user["id"], app["id"])
is_service_level = app["id"] in SERVICE_LEVEL_AUTH
uses_gateway_key = app["id"] in GATEWAY_KEY_SERVICES
if not svc_token and not is_service_level:
if not svc_token and not uses_gateway_key:
widgets.append({"app": app["id"], "name": app["name"], "widget": app["dashboard_widget"], "connected": False, "data": None})
continue