gitmost

Files

claude_code 8842bc8bf3 fix(sandbox): address PR #250 follow-up review — XSS hardening, eviction reconcile, doc sync (#243 )

Security (must-fix):
- sandbox.controller: the anonymous GET /api/sb/:id response now sets
  X-Content-Type-Options: nosniff, a restrictive CSP, and Content-Disposition=
  attachment for any mime outside a raster-image allowlist (png/jpeg/gif/webp/
  avif). entry.mime is attacker-controlled, so an evil.svg/evil.html could
  otherwise execute script inline on the Docmost origin (stored XSS). Mirrors
  the public attachment route's hardening.

Stability:
- client.stashPage: reconcile mirrors AFTER the final document put, not only
  before it. The doc blob is the newest entry and FIFO eviction drops the
  oldest = this stash's own images, so the stored doc could reference an
  evicted blob (consumer 404) and over-report images.mirrored. A bounded loop
  now reverts doc-put-evicted mirrors, drops the stale doc blob, and re-puts
  until stable. Regenerated packages/mcp/build/.
- sandbox.controller: emit Cache-Control on the 304 branch too (ttlSeconds is
  computed before the conditional check).

Docs:
- Bump the MCP tool count 39 -> 40 across all READMEs and AGENTS.md (the
  registry now exposes exactly 40 tools).

Refactor:
- SandboxStore.asSink() centralizes the {put,has,evict} sink + uri<->id
  mapping; the embedded-MCP and in-app agent-tools wiring sites share it.

Tests:
- security headers (inline vs attachment, nosniff, CSP), 304 Cache-Control,
  putAndLink URL form, has()/remove(), asSink() round-trip, getSandboxPublicUrl
  (trailing-slash trim + APP_URL fallback), and a stash test where the doc put
  itself evicts a mirrored image.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-28 19:08:06 +03:00

src

fix(sandbox): address PR #250 follow-up review — XSS hardening, eviction reconcile, doc sync (#243 )

2026-06-28 19:08:06 +03:00

test

test(coverage): add regression tests for issues #192 , #206 , #204

2026-06-27 06:15:55 +03:00

.dockerignore

fixes

2024-06-07 17:29:34 +01:00

.gitignore

fixes

2024-06-07 17:29:34 +01:00

.prettierrc

switch to nx monorepo

2024-01-09 18:58:26 +01:00

eslint.config.mjs

chore: fix linting (#544 )

2024-12-09 14:51:31 +00:00

nest-cli.json

switch to nx monorepo

2024-01-09 18:58:26 +01:00

package.json

0.94.1

2026-06-26 19:33:57 +03:00

README.md

switch to nx monorepo

2024-01-09 18:58:26 +01:00

tsconfig.build.json

switch to nx monorepo

2024-01-09 18:58:26 +01:00

tsconfig.json

feat: cloud and ee (#805 )

2025-03-06 13:38:37 +00:00

README.md

A progressive Node.js framework for building efficient and scalable server-side applications.

Description

Nest framework TypeScript starter repository.

Installation

$ npm install

Running the app

# development
$ npm run start

# watch mode
$ npm run start:dev

# production mode
$ npm run start:prod

Migrations

# This creates a new empty migration file named 'init'
$ npm run migration:create --name=init

# Generates 'init' migration file from existing entities to update the database schema
$ npm run migration:generate --name=init

# Runs all pending migrations to update the database schema
$ npm run migration:run

# Reverts the last executed migration
$ npm run migration:revert

# Reverts all migrations
$ npm run migration:revert

# Shows the list of executed and pending migrations
$ npm run migration:show



## Test

```bash
# unit tests
$ npm run test

# e2e tests
$ npm run test:e2e

# test coverage
$ npm run test:cov

Support

Nest is an MIT-licensed open source project. It can grow thanks to the sponsors and support by the amazing backers. If you'd like to join them, please read more here.

Stay in touch

Author - Kamil Myśliwiec
Website - https://nestjs.com
Twitter - @nestframework

License

Nest is MIT licensed.