SurfSense/surfsense_backend/app
Dmitry Maranik e1ea82d7cf fix(connectors): scope index endpoint authorization to the connector's own search space
The POST /search-source-connectors/{connector_id}/index endpoint loaded
the connector by id and then called check_permission() against the
client-supplied search_space_id query parameter (the caller's own space)
rather than the connector's own search_space_id, and never verified that
the two matched.

A user could therefore index another user's connector by passing their
own search_space_id: the indexer ran with the victim connector's stored
credentials and wrote the fetched content into the attacker's search
space. The read/update/delete handlers already authorize against
connector.search_space_id; this brings the index handler in line.

Reject a connector that does not belong to the requested search space
(404, to avoid disclosing connectors in other spaces) and authorize the
permission check against connector.search_space_id.
2026-06-16 15:58:30 -07:00
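The authorization flaw described in the commit message above, reduced to a runnable Python sketch. This is an added example, not SurfSense code: the in-memory connector store, check_permission(), load_connector(), run_indexer() and both handlers are hypothetical stand-ins for the project's own functions, and the fixture data is constructed. The vulnerable handler authorizes against the caller-supplied search_space_id, so a user who owns space 2 can run a connector from space 1 with its stored credentials and have the output land in space 2; the fixed handler refuses a connector/space mismatch with a 404 and checks permission against connector.search_space_id, as the commit describes.

```python
"""Vulnerable vs. fixed connector-index authorization (illustrative, not SurfSense code)."""


class HTTPError(Exception):
    """Stand-in for a framework HTTP exception carrying a status code."""

    def __init__(self, status: int, detail: str):
        super().__init__(f"{status}: {detail}")
        self.status = status
        self.detail = detail


class Connector:
    """Minimal model: a connector lives in exactly one search space."""

    def __init__(self, id: int, search_space_id: int, credentials: str):
        self.id = id
        self.search_space_id = search_space_id
        self.credentials = credentials  # stands in for stored API tokens


# Constructed fixture: each search space is owned by one user.
SEARCH_SPACE_OWNER = {1: "alice", 2: "mallory"}
CONNECTORS = {
    10: Connector(id=10, search_space_id=1, credentials="alice-slack-token"),
    20: Connector(id=20, search_space_id=2, credentials="mallory-notion-token"),
}


def check_permission(user: str, search_space_id: int) -> None:
    """Hypothetical permission check: only the space owner may act in it."""
    if SEARCH_SPACE_OWNER.get(search_space_id) != user:
        raise HTTPError(403, "forbidden")


def load_connector(connector_id: int) -> Connector:
    """Hypothetical loader keyed by connector id alone (no space scoping)."""
    try:
        return CONNECTORS[connector_id]
    except KeyError:
        raise HTTPError(404, "connector not found") from None


def run_indexer(connector: Connector, target_space_id: int) -> dict:
    """Stand-in for the indexing task: records whose credentials ran and where
    the fetched content was written."""
    return {"credentials": connector.credentials, "written_to": target_space_id}


def index_connector_vulnerable(user: str, connector_id: int, search_space_id: int) -> dict:
    connector = load_connector(connector_id)
    # BUG: authorizes the caller's own space and never compares it with the
    # connector's space, so any connector id can be indexed into the caller's space.
    check_permission(user, search_space_id)
    return run_indexer(connector, search_space_id)


def index_connector_fixed(user: str, connector_id: int, search_space_id: int) -> dict:
    connector = load_connector(connector_id)
    # Reject a connector that is not in the requested space. 404, not 403, so the
    # response does not reveal that the connector exists in some other space.
    if connector.search_space_id != search_space_id:
        raise HTTPError(404, "connector not found")
    # Authorize against the connector's own space, never the client-supplied id.
    check_permission(user, connector.search_space_id)
    return run_indexer(connector, connector.search_space_id)


def status_of(handler, *args) -> int:
    """Return the HTTP status a handler raises, or 200 when it succeeds."""
    try:
        handler(*args)
    except HTTPError as e:
        return e.status
    return 200


def demo() -> dict:
    """Mallory (owner of space 2) tries to index Alice's connector 10 into space 2."""
    return {
        "vulnerable": index_connector_vulnerable("mallory", 10, 2),
        "fixed_status": status_of(index_connector_fixed, "mallory", 10, 2),
    }


if __name__ == "__main__":
    print(demo())
```

The mismatch check runs before the permission check, so the fixed handler also returns 404 to the legitimate owner if she names the wrong space for her own connector; only a matching connector id and space id reach check_permission(), which in this stand-in answers 403 for a non-owner.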
agents Merge remote-tracking branch 'upstream/dev' into features/documents-injestion-layered-cached 2026-06-14 11:30:33 +02:00
automations feat(database-migrations): add migration to remove legacy model config tables and remove stale model connection code 2026-06-13 12:45:43 +05:30
config refactor(config): update GATEWAY_ENABLED variable to FALSE and adjust related configurations for improved messaging gateway handling 2026-06-16 23:49:26 +05:30
connectors feat(etl-cache): route all file-based sources through the parse cache 2026-06-12 14:47:25 +02:00
etl_pipeline feat(etl-cache): emit hit/miss and eviction metrics 2026-06-12 11:57:03 +02:00
event_bus refactor(event_bus): wire catalog and events into package, rename builtin to events 2026-05-29 22:15:18 +02:00
file_storage chore: linting 2026-06-09 00:42:26 -07:00
gateway refactor(config): update GATEWAY_ENABLED variable to FALSE and adjust related configurations for improved messaging gateway handling 2026-06-16 23:49:26 +05:30
indexing_pipeline Merge remote-tracking branch 'upstream/dev' into features/documents-injestion-layered-cached 2026-06-14 11:30:33 +02:00
notifications feat(refactor): refactor payment system to implement unified credit wallet. 2026-06-10 16:49:03 -07:00
observability feat(observability): add chunk reconcile metric and kill-switch flag 2026-06-12 18:52:57 +02:00
podcasts Merge pull request #1487 from CREDO23/improvement-podcast-graph 2026-06-12 00:58:02 -07:00
prompts feat(database-migrations): add migration to remove legacy model config tables and remove stale model connection code 2026-06-13 12:45:43 +05:30
retriever refactor(chunks): order chunk reads by (document_id, position) 2026-06-12 18:53:21 +02:00
routes fix(connectors): scope index endpoint authorization to the connector's own search space 2026-06-16 15:58:30 -07:00
schemas refactor(model-connections): remove unused fields and update verification logic 2026-06-14 02:46:19 +05:30
services Merge pull request #1491 from AnishSarkar22/feat/unified-model-connections 2026-06-14 17:50:48 -07:00
tasks Merge remote-tracking branch 'upstream/dev' into features/documents-injestion-layered-cached 2026-06-14 11:30:33 +02:00
templates feat: update report generation and export capabilities to support multiple formats (PDF, DOCX, HTML, LaTeX, EPUB, ODT, plain text) across documentation and backend 2026-03-09 18:41:21 -07:00
utils Merge remote-tracking branch 'upstream/dev' into features/documents-injestion-layered-cached 2026-06-14 11:30:33 +02:00
__init__.py feat: SurfSense v0.0.6 init 2025-03-14 18:53:14 -07:00
app.py refactor(model-connections): move backend model connections to provider capabilities 2026-06-12 02:17:22 +05:30
celery_app.py Merge remote-tracking branch 'upstream/dev' into features/documents-injestion-layered-cached 2026-06-14 11:30:33 +02:00
db.py Merge remote-tracking branch 'upstream/dev' into features/documents-injestion-layered-cached 2026-06-14 11:30:33 +02:00
exceptions.py feat: add processing mode support for document uploads and ETL pipeline, improved error handling ux 2026-04-14 21:26:00 -07:00
rate_limiter.py try: IP fix for Cloudflare 2026-04-16 02:13:52 -07:00
session_events.py refactor: anonymous/free chat experience 2026-05-31 15:58:21 -07:00
users.py Seed default prompts on registration and for existing users 2026-03-31 18:12:09 +02:00
zero_publication.py feat(migration): evolve podcast lifecycle by detaching from zero_publication and updating column handling 2026-06-11 16:17:14 -07:00