clinch

Files

Dan Milne 2e427a0520 Add SvgScrubber to strip XSS payloads from uploaded app icons

Application#sanitize_svg_icon already runs a Loofah scrubber on every
icon upload, but the scrubber class itself was never tracked. Land it
along with tests covering the four shapes that matter:

- <script> elements stripped entirely
- on* event handlers (onload, onclick, …) removed but the carrying
  element preserved
- attribute values pointing at javascript:/data: URIs rejected
- benign icons round-trip unchanged

Writing the benign-icon test caught a real bug: the attribute allowlist
holds canonical SVG case (viewBox, preserveAspectRatio, gradientUnits,
…) but safe_attribute? downcases the incoming name before comparing,
so legitimate icons were silently losing those attributes on upload.
Fix by comparing against a precomputed lowercase lookup set; the
constant stays readable as canonical SVG case for documentation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-02 23:57:22 +10:00

concerns

Switch Access / Refresh tokens / Auth Code from bcrypt ( and plain ) to hmac. BCrypt is for low entropy passwords and prevents dictionary attacks - HMAC is suitable for 256-bit random data.

2025-12-31 15:48:32 +11:00

api_key.rb

Add API keys / bearer tokens for forward auth

2026-03-05 21:45:40 +11:00

application_group.rb

Clean up forward auth caching: remove duplication, fix rate limiting, and plug cache gaps

2026-03-21 23:54:19 +11:00

application_record.rb

First commit