merlyn/server/endpoints
Timothy Carambat f2030343d7 Fix potential IDOR vulnerability in workspace parsed files endpoints
Add ownership validation to prevent users from deleting or embedding
parsed files that don't belong to them. Previously, the delete and
embed endpoints only validated authentication but not resource ownership,
allowing users to delete attached files for users within workspaces they are also a member of.

Changes:
- Delete endpoint now filters by userId and workspaceId
- Embed endpoint validates file belongs to user and workspace (redundant)
- delete() returns false when no matching records found (returns 403)
- Added JSDoc comments for clarity
GHSA-p5rf-8p88-979c
2026-03-13 15:22:07 -07:00
api linting & show descriptive error for bad addtoWorkspace request body 2026-03-09 11:30:53 -07:00
embed Fix prompt, model, and temperature overrides in embed chat widget (#4036) 2025-06-24 14:23:02 -07:00
experimental Remove fine-tuning flow (#2872) 2024-12-18 10:24:02 -08:00
extensions Paperless ngx data connector (#4121) 2025-11-20 11:27:38 -08:00
mobile Mobile sync support (#4173) 2025-07-31 12:28:03 -07:00
utils Lemonade integration (#5077) 2026-02-27 11:02:38 -08:00
admin.js Enforce user suspension check on browser extension API key path 2026-03-13 10:05:05 -07:00
agentFlows.js Implement importing of agent flows from community hub (#3867) 2025-06-05 15:08:58 -07:00
agentWebsocket.js Add LMStudio agent support (generic) support (#1246) 2024-05-07 16:35:47 -07:00
browserExtension.js AnythingLLM Chrome Extension (#2066) 2024-08-27 14:58:47 -07:00
chat.js fix: validate chat message input (#4811) 2026-01-08 17:00:15 -08:00
communityHub.js Publish system prompts to hub (#3976) 2025-06-16 09:59:38 -07:00
document.js Patch path traversal in move-files that can be used by administrator level attacker only 2024-08-27 16:19:12 -07:00
embedManagement.js Enable the ability to disable the chat history UI (#2501) 2024-10-21 13:19:19 -07:00
invite.js fix: unhelpful error message for invite link user creation (#4621) 2025-11-19 13:37:37 -08:00
mcpServers.js ModelContextProtocol (MCP) Full Compatibility (#3547) 2025-03-31 16:15:19 -05:00
system.js Remove WelcomeMessages from app - no longer used (#5206) 2026-03-13 12:55:59 -07:00
utils.js Fix: Azure OpenAI model key collision (#5092) 2026-03-05 17:12:08 -08:00
webPush.js Web push notifications (#4942) 2026-02-02 10:56:58 -08:00
workspaces.js Implement v2 chat layout designs (#5074) 2026-03-10 12:50:19 -07:00
workspacesParsedFiles.js Fix potential IDOR vulnerability in workspace parsed files endpoints 2026-03-13 15:22:07 -07:00
workspaceThreads.js Implement v2 chat layout designs (#5074) 2026-03-10 12:50:19 -07:00