security: infrastructure & config hardening (5 fixes)#46
Merged
# Conflicts: # apps/web/src/routes/api/storage/$.ts # apps/web/src/routes/api/storage/__tests__/proxy-get.test.ts
# Conflicts: # apps/web/src/routes/api/storage/$.ts # apps/web/src/routes/api/storage/__tests__/proxy-upload.test.ts
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Batches several security and hardening adjustments across storage proxy handling and config parsing to address identified vulnerabilities and improve backward compatibility for managed deployments.
Changes:
- Adjusts storage proxy response header behavior (inline vs attachment) and updates related tests.
- Refactors the storage GET handler to be defined inline in the route handler map.
- Updates the config schema discriminator (`kind`) to accept an additional (rebranded) value and adds a regression test.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| apps/web/src/routes/api/storage/__tests__/proxy-upload.test.ts | Updates expected proxied response Content-Type behavior for the active-content case. |
| apps/web/src/routes/api/storage/__tests__/proxy-get.test.ts | Minor formatting changes to the mocking setup for presigned GET URL generation. |
| apps/web/src/routes/api/storage/$.ts | Changes proxy header construction + inlines GET handler implementation into route definition. |
| apps/web/src/lib/server/config-file/schema.ts | Expands accepted config kind discriminator values for backward compatibility. |
| apps/web/src/lib/server/config-file/tests/schema.test.ts | Adds coverage for newly accepted config kind value. |
Comment on lines +10 to 14
| const INLINE_PROXY_CONTENT_TYPES = new Set(['image/jpeg', 'image/png', 'image/gif', 'image/webp']) | ||
|
|
||
| function isInlineProxyContentType(contentType: string): boolean { | ||
| return INLINE_PROXY_CONTENT_TYPES.has(contentType.split(';')[0]?.trim().toLowerCase() ?? '') | ||
| } |
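Review bot: INLINE_PROXY_CONTENT_TYPES is a second allow-list next to SAFE_PROXY_IMAGE_TYPES, which buildProxyObjectHeaders below consults through getMediaType; two lists normalised by two different helpers will drift apart. Keep a single set and a single normaliser (the `contentType.split(';')[0]?.trim().toLowerCase() ?? ''` here is the right shape, since it drops parameters such as charset before comparing), and add a comment stating that the set is deliberately limited to types a browser renders without executing embedded content, so nobody extends it casually later.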
Comment on lines 21 to 31
| export function buildProxyObjectHeaders(key: string, contentType: string): Record<string, string> { | ||
| const mediaType = getMediaType(contentType) | ||
| const headers: Record<string, string> = { | ||
| 'Content-Type': contentType, | ||
| 'Cache-Control': 'public, max-age=31536000, immutable', | ||
| 'X-Content-Type-Options': 'nosniff', | ||
| } | ||
|
|
||
| if (SAFE_PROXY_IMAGE_TYPES.has(mediaType)) { | ||
| headers['Content-Type'] = contentType | ||
| } else { | ||
| headers['Content-Type'] = 'application/octet-stream' | ||
| if (!isInlineProxyContentType(contentType)) { | ||
| headers['Content-Disposition'] = `attachment; filename="${attachmentFilename(key)}"` | ||
| headers['Content-Security-Policy'] = 'sandbox' | ||
| } |
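Review bot: the else branch is inconsistent: `headers['Content-Type'] = 'application/octet-stream'` is applied unconditionally, but the `attachment` disposition and `Content-Security-Policy: sandbox` are only added when `!isInlineProxyContentType(contentType)`, so a type that is in INLINE_PROXY_CONTENT_TYPES but not in SAFE_PROXY_IMAGE_TYPES is served as octet-stream with neither the download disposition nor the sandbox. The two allow-lists should collapse into one decision: if the media type is allowed, keep `contentType`; otherwise set octet-stream, the attachment disposition and the sandbox CSP together. `headers['Content-Type'] = contentType` in the if branch is also redundant with the initialiser above it. Since the key ends up inside a quoted header value, please confirm attachmentFilename(key) strips quotes, CR/LF and non-ASCII so the header cannot be malformed, and add a test for that.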
Comment on lines +131 to +135
| GET: async ({ request }) => { | ||
| const { isS3Configured, generatePresignedGetUrl, getS3Object } = | ||
| await import('@/lib/server/storage/s3') | ||
| const { config } = await import('@/lib/server/config') | ||
|
|
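Review bot: the three `await import(...)` calls now run on every GET request; if they are kept lazy so tests can mock `@/lib/server/storage/s3` and `@/lib/server/config`, say so in a comment, otherwise hoist them to module scope. The snippet stops before `isS3Configured` is used, so please double-check that the inlined handler still returns early with a clear error when S3 is not configured, before `generatePresignedGetUrl` or `getS3Object` is called.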
Batches 5 Codex security fixes: config schema, unauthenticated mailpit in docker-compose, Zendesk sidebar API key, and two S3 proxy upload vulnerabilities.