security: fix critical auth gaps, SSRF, IDOR, and embedding error handling
Some checks failed
Deploy to Production / Build and Deploy (push) Failing after 39s

CRITICAL:
- Add auth + admin check to 10 unprotected API routes (test-*, debug/*,
  config, models, fix-labels)
- Add CRON_SECRET bearer auth to /api/cron/reminders (was fully open)
- Add SSRF protection to getOllamaModels (blocks private/internal IPs)

HIGH:
- Fix getAllLabels() missing userId filter (leaked all users' labels)
- Fix /api/labels OR clause leaking other users' labels
- Fix IDOR in toggleAgent/getAgentActions (add ownership check)
- Fix getEmbeddings() returning [] on error in all 5 providers (corrupted
  semantic search with NaN cosine similarity) — now throws instead

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
2026-04-30 21:02:13 +02:00
parent 0a900b3582
commit fa72672aac
20 changed files with 138 additions and 14 deletions

View File

@@ -64,7 +64,7 @@ export class CustomOpenAIProvider implements AIProvider {
return embedding;
} catch (e) {
console.error('Error generating embeddings (Custom OpenAI):', e);
return [];
throw e;
}
}

View File

@@ -48,7 +48,7 @@ export class DeepSeekProvider implements AIProvider {
return embedding;
} catch (e) {
console.error('Error generating embeddings (DeepSeek):', e);
return [];
throw e;
}
}

View File

@@ -105,7 +105,7 @@ Note content: "${content}"`;
return data.embedding;
} catch (e) {
console.error('Error generating embeddings (Ollama):', e);
return [];
throw e;
}
}

View File

@@ -48,7 +48,7 @@ export class OpenAIProvider implements AIProvider {
return embedding;
} catch (e) {
console.error('Error generating embeddings (OpenAI):', e);
return [];
throw e;
}
}

View File

@@ -48,7 +48,7 @@ export class OpenRouterProvider implements AIProvider {
return embedding;
} catch (e) {
console.error('Error generating embeddings (OpenRouter):', e);
return [];
throw e;
}
}