[PR #2] [MERGED] Fix 5 additional security issues found in second review #5

Closed
opened 2026-03-13 13:04:21 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/291-Group/LAN-Orangutan/pull/2
Author: @FileBay
Created: 12/31/2025
Status: Merged
Merged: 12/31/2025
Merged by: @FileBay

Base: main ← Head: claude/audit-code-bugs-NaPWC


📝 Commits (1)

  • 7296e64 Fix 5 additional security issues found in second review

📊 Changes

3 files changed (+27 additions, -5 deletions)

📝 cli/orangutan (+4 -3)
📝 web/api.php (+21 -0)
📝 web/assets/app.js (+2 -2)

📄 Description

Security fixes:

  • Add IP validation using filter_var() for device API endpoints
  • Add CSRF protection for API mutations (require JSON content-type or XHR header)
  • Fix CSS selector injection by using CSS.escape() for IPs in querySelector
  • Quote SCANNER variable in command substitution to handle paths with spaces
  • Replace bare except clause with specific ValueError in CLI embedded Python

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
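
The first two fixes in the description (IP validation with filter_var() and the JSON content-type or XHR header requirement) can be sketched as follows. This is an added example, not code from web/api.php or from the PR; the function names, status codes and sample requests are hypothetical, and it assumes mutations use non-GET methods.

```php
<?php
// Added illustration; function names are hypothetical, not taken from web/api.php.

// Accept only a literal IPv4/IPv6 address; anything else becomes null.
function validated_ip(string $raw): ?string
{
    $ip = filter_var($raw, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// CSRF gate: a cross-site HTML form cannot send application/json or add
// custom headers, so a mutation must carry one of the two signals.
// $server is shaped like $_SERVER.
function mutation_allowed(array $server): bool
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true; // assumption: read-only methods never mutate state
    }
    // Drop parameters such as "; charset=utf-8" before comparing.
    $type = strtolower(trim(explode(';', $server['CONTENT_TYPE'] ?? '')[0]));
    $xhr  = strtolower($server['HTTP_X_REQUESTED_WITH'] ?? '');
    return $type === 'application/json' || $xhr === 'xmlhttprequest';
}

// Decide the HTTP status for a device mutation before touching storage.
function check_device_request(array $server, string $rawIp): int
{
    if (!mutation_allowed($server)) {
        return 403; // looks like a cross-site form post
    }
    return validated_ip($rawIp) === null ? 400 : 200;
}

// Constructed sample requests.
$samples = [
    'fetch with JSON body' => [['REQUEST_METHOD' => 'POST', 'CONTENT_TYPE' => 'application/json; charset=utf-8'], '192.168.1.10'],
    'XHR with form body'   => [['REQUEST_METHOD' => 'POST', 'CONTENT_TYPE' => 'application/x-www-form-urlencoded', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'], 'fe80::1'],
    'cross-site form post' => [['REQUEST_METHOD' => 'POST', 'CONTENT_TYPE' => 'application/x-www-form-urlencoded'], '192.168.1.10'],
    'malformed IP'         => [['REQUEST_METHOD' => 'POST', 'CONTENT_TYPE' => 'application/json'], '192.168.1.10"]'],
];
foreach ($samples as $label => [$server, $ip]) {
    printf("%-22s %d\n", $label, check_device_request($server, $ip));
}
```

The header check holds only while the API does not answer cross-origin preflight requests with permissive CORS headers.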

Reference
starred/LAN-Orangutan#5