security: fix critical auth gaps, SSRF, IDOR, and embedding error handling
Some checks failed
Deploy to Production / Build and Deploy (push) Failing after 39s
Some checks failed
Deploy to Production / Build and Deploy (push) Failing after 39s
CRITICAL: - Add auth + admin check to 10 unprotected API routes (test-*, debug/*, config, models, fix-labels) - Add CRON_SECRET bearer auth to /api/cron/reminders (was fully open) - Add SSRF protection to getOllamaModels (blocks private/internal IPs) HIGH: - Fix getAllLabels() missing userId filter (leaked all users' labels) - Fix /api/labels OR clause leaking other users' labels - Fix IDOR in toggleAgent/getAgentActions (add ownership check) - Fix getEmbeddings() returning [] on error in all 5 providers (corrupted semantic search with NaN cosine similarity) — now throws instead Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -25,11 +25,8 @@ export async function GET(request: NextRequest) {
|
||||
// Get labels for a specific notebook
|
||||
where.notebookId = notebookId
|
||||
} else {
|
||||
// Get all labels for the user (both old and new system)
|
||||
where.OR = [
|
||||
{ notebookId: { not: null } },
|
||||
{ userId: session.user.id }
|
||||
]
|
||||
// Get all labels for the user
|
||||
where.userId = session.user.id
|
||||
}
|
||||
|
||||
const labels = await prisma.label.findMany({
|
||||
|
||||
Reference in New Issue
Block a user