Release v26.03.29.1 — security fixes and MCP bug fixes #18

Merged
bvandeusen merged 0 commits from dev into main 2026-03-29 15:40:36 -04:00
bvandeusen commented 2026-03-29 15:40:22 -04:00 (Migrated from git.fabledsword.com)

Summary

Security fixes (10 vulnerabilities)

  • SSRF: block private/internal URLs in image cache, RSS feed, and CalDAV URL inputs
  • Auth: require login for GET /api/images/<id> (was fully unauthenticated)
  • Auth: restrict Ollama model pull/delete to admin users only
  • Info disclosure: remove email addresses from /api/users/search response
  • OAuth: skip email-based account linking when email_verified is false/absent
  • Config: hard startup error when default SECRET_KEY is used with SECURE_COOKIES=true
  • Rate limiting: document proxy header requirement; add startup warning if TRUST_PROXY_HEADERS not set
  • XSS: remove src/alt from global DOMPurify ADD_ATTR allowlist

MCP bug fixes

  • fable_add_task_log: was sending {"body": ...} — API expects {"content": ...}
  • fable_create_project: status parameter was silently ignored; now threaded through route and service
  • fable_create_milestone: status parameter was silently ignored; now threaded through route and service

Test plan

  • GET /api/images/1 without session returns 401
  • Adding a file:// or internal URL as an RSS feed returns 400
  • Non-admin user cannot pull or delete Ollama models
  • User search response contains no email field
  • OAuth login with unverified email does not link to existing account
  • fable_add_task_log MCP tool successfully appends a log entry
  • fable_create_project with status="archived" creates an archived project
  • fable_create_milestone with status="done" creates a done milestone

🤖 Generated with Claude Code

## Summary ### Security fixes (10 vulnerabilities) - **SSRF:** block private/internal URLs in image cache, RSS feed, and CalDAV URL inputs - **Auth:** require login for `GET /api/images/<id>` (was fully unauthenticated) - **Auth:** restrict Ollama model pull/delete to admin users only - **Info disclosure:** remove email addresses from `/api/users/search` response - **OAuth:** skip email-based account linking when `email_verified` is false/absent - **Config:** hard startup error when default `SECRET_KEY` is used with `SECURE_COOKIES=true` - **Rate limiting:** document proxy header requirement; add startup warning if `TRUST_PROXY_HEADERS` not set - **XSS:** remove `src`/`alt` from global DOMPurify `ADD_ATTR` allowlist ### MCP bug fixes - **`fable_add_task_log`:** was sending `{"body": ...}` — API expects `{"content": ...}` - **`fable_create_project`:** `status` parameter was silently ignored; now threaded through route and service - **`fable_create_milestone`:** `status` parameter was silently ignored; now threaded through route and service ## Test plan - [ ] `GET /api/images/1` without session returns 401 - [ ] Adding a `file://` or internal URL as an RSS feed returns 400 - [ ] Non-admin user cannot pull or delete Ollama models - [ ] User search response contains no email field - [ ] OAuth login with unverified email does not link to existing account - [ ] `fable_add_task_log` MCP tool successfully appends a log entry - [ ] `fable_create_project` with `status="archived"` creates an archived project - [ ] `fable_create_milestone` with `status="done"` creates a done milestone 🤖 Generated with [Claude Code](https://claude.com/claude-code)
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: bvandeusen/FabledScribe#18