OSS AI Legal Platform
Aeon (aaronjmars) e261d2e4bd fix(security): scope tabular-review document_ids by access (CWE-639)
The tabular-review routes accept user-supplied document_ids in
request bodies (POST /tabular-review, PATCH /:reviewId) and stale
cell rows on byte-fetching paths (POST /:reviewId/regenerate-cell,
POST /:reviewId/generate). None of those paths checked whether the
caller can read those documents — a free-account attacker could plant
foreign UUIDs into their own review and have the server fetch the
bytes from R2 + run an LLM extraction over them, returning verbatim
text via the standard review GET.

Adds filterAccessibleDocumentIds(documentIds, userId, userEmail, db)
next to the existing access helpers (owner-of-doc OR project member),
and applies it at the four entry points:

- POST /tabular-review               drop unauthorised on insert
- PATCH /:reviewId                   drop newly-added unauthorised; keep
                                     already-attached cells so non-owner
                                     collaborators don't accidentally
                                     orphan rows they can't directly
                                     access
- POST /:reviewId/regenerate-cell    refuse byte fetch when caller has
                                     no access to the underlying doc
- POST /:reviewId/generate           filter docIds before parallel LLM
                                     fetch (defense-in-depth for legacy
                                     cells planted before this fix)

Fails closed silently rather than 403'ing so legacy clients that pass
stale ids don't error out the whole review.

Detected by Aeon + manual review.
Severity: high
CWE-639 (Authorization Bypass Through User-Controlled Key)
2026-05-10 04:50:21 +00:00
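The fix above is described only in the commit message; the following is an added TypeScript illustration of the access-scoping pattern it names, not the project's own code. `filterAccessibleDocumentIds` is the name the commit uses, but its body, the row shapes (`DocumentRow`, `ProjectMemberRow`, `Db`), the helpers `canReadDocument`, `mergeReviewDocumentIds` and `canFetchDocumentBytes`, and the `sampleDb` rows are all assumptions made for this example. The access rule modelled is the one the commit states: a caller may read a document if they own it or are a member (matched by e-mail) of the document's project; everything else is dropped silently rather than rejected with a 403.

```typescript
// Added example, not the project's code. Row shapes and the in-memory
// database are assumptions standing in for the real tables.
interface DocumentRow {
  id: string;
  ownerId: string;
  projectId: string | null;
}

interface ProjectMemberRow {
  projectId: string;
  email: string;
}

interface Db {
  documents: DocumentRow[];
  projectMembers: ProjectMemberRow[];
}

// Assumed access rule from the commit message: owner-of-doc OR project member.
// E-mails are normalised so a case-different login does not silently lose access.
function canReadDocument(doc: DocumentRow, userId: string, userEmail: string, db: Db): boolean {
  if (doc.ownerId === userId) return true;
  const projectId = doc.projectId;
  if (projectId === null) return false;
  const email = userEmail.trim().toLowerCase();
  return db.projectMembers.some(
    (m) => m.projectId === projectId && m.email.trim().toLowerCase() === email,
  );
}

// Returns the subset of documentIds the caller may read, in request order and
// de-duplicated. Unknown ids and ids the caller cannot read are dropped with no
// error (fail closed, no 403), so an attacker cannot use the response to probe
// which foreign UUIDs exist. Used for POST /tabular-review and /generate.
function filterAccessibleDocumentIds(documentIds: string[], userId: string, userEmail: string, db: Db): string[] {
  const byId = new Map<string, DocumentRow>();
  for (const d of db.documents) byId.set(d.id, d);
  const seen = new Set<string>();
  const allowed: string[] = [];
  for (const id of documentIds) {
    if (seen.has(id)) continue;
    seen.add(id);
    const doc = byId.get(id);
    if (doc !== undefined && canReadDocument(doc, userId, userEmail, db)) allowed.push(id);
  }
  return allowed;
}

// PATCH /:reviewId semantics (assumed from the commit message): ids already
// attached to the review are kept even if this caller cannot read them, so a
// collaborator re-submitting the full list does not orphan rows; only newly
// added ids go through the access filter.
function mergeReviewDocumentIds(attached: string[], requested: string[], userId: string, userEmail: string, db: Db): string[] {
  const attachedSet = new Set(attached);
  const newlyAdded = requested.filter((id) => !attachedSet.has(id));
  const allowedNew = new Set(filterAccessibleDocumentIds(newlyAdded, userId, userEmail, db));
  const seen = new Set<string>();
  const out: string[] = [];
  for (const id of requested) {
    if (seen.has(id)) continue;
    seen.add(id);
    if (attachedSet.has(id) || allowedNew.has(id)) out.push(id);
  }
  return out;
}

// POST /:reviewId/regenerate-cell: refuse the byte fetch when the caller
// cannot read the underlying document, even though the cell row already exists.
function canFetchDocumentBytes(documentId: string, userId: string, userEmail: string, db: Db): boolean {
  return filterAccessibleDocumentIds([documentId], userId, userEmail, db).length === 1;
}

// Constructed sample data: user-1 owns doc-a and is a member of proj-1 (doc-b);
// doc-c belongs to another user's project and is not readable by user-1.
const sampleDb: Db = {
  documents: [
    { id: "doc-a", ownerId: "user-1", projectId: null },
    { id: "doc-b", ownerId: "user-2", projectId: "proj-1" },
    { id: "doc-c", ownerId: "user-2", projectId: "proj-2" },
  ],
  projectMembers: [{ projectId: "proj-1", email: "alice@example.com" }],
};

// A free-account caller plants a foreign id (doc-c) and a guessed id (doc-x)
// alongside their own; only the readable ids survive.
const planted = filterAccessibleDocumentIds(
  ["doc-a", "doc-c", "doc-x", "doc-a"], "user-1", "Alice@Example.com", sampleDb,
); // → ["doc-a"]
console.log(planted);
```

The filter is applied on the write path (insert and PATCH) and again before any byte fetch, so a row that was planted before the fix still cannot cause a fetch from object storage or an LLM run over the foreign document; that second check is the defence-in-depth the commit mentions for the generate and regenerate-cell paths.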
backend fix(security): scope tabular-review document_ids by access (CWE-639) 2026-05-10 04:50:21 +00:00
docs docs: add safe local testing guide 2026-05-04 20:09:05 -04:00
frontend feat: add OpenAI model support and harden OSS security defaults 2026-05-09 14:55:51 +08:00
.gitignore Add local repo contents 2026-04-29 19:49:06 +02:00
LICENSE Add local repo contents 2026-04-29 19:49:06 +02:00
README.md Sync security and backend profile updates 2026-05-08 20:45:16 +08:00

Mike

Open-source release containing the Mike frontend and backend.

Contents

  • frontend/ - Next.js application
  • backend/ - Express API, Supabase access, document processing, and database schema
  • backend/schema.sql - Supabase schema for fresh databases

Setup

Install dependencies:

npm install --prefix backend
npm install --prefix frontend

Create local env files from the examples:

cp backend/.env.example backend/.env
cp frontend/.env.local.example frontend/.env.local

Run backend/schema.sql in the Supabase SQL editor for a fresh database.

Start the backend:

npm run dev --prefix backend

Start the frontend:

npm run dev --prefix frontend

Open http://localhost:3000.

Required Services

  • Supabase Auth and Postgres
  • S3-compatible object storage, such as Cloudflare R2
  • At least one supported model provider key, depending on which models you enable
  • LibreOffice for DOC/DOCX to PDF conversion

Checks

npm run build --prefix backend
npm run build --prefix frontend
npm run lint --prefix frontend

License

AGPL-3.0-only. See LICENSE.