furyhawk/deer-flow
1
0
Fork 0
mirror of https://github.com/bytedance/deer-flow.git synced 2026-05-21 23:46:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(gateway): enforce safe download for active artifact MIME types to mitigate stored XSS (#1389)

Browse Source 
* docs: refocus security review on high-confidence artifact XSS

* fix(gateway): block inline active-content artifacts to mitigate XSS

* chore: remove security review markdown from PR

* Delete SECURITY_REVIEW.md

* fix(gateway): harden artifact attachment handling
This commit is contained in:
13ernkastel
2026-03-26 17:44:25 +08:00
committed by GitHub
parent b9583f7204
commit 0d3cefaa5a
4 changed files with 119 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+1
View File
@@ -534,6 +534,7 @@ All dict-returning methods are validated against Gateway Pydantic response model
We welcome contributions! Please see [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, workflow, and guidelines.
Regression coverage includes Docker sandbox mode detection and provisioner kubeconfig-path handling tests in `backend/tests/`.
Gateway artifact serving now forces active web content types (`text/html`, `application/xhtml+xml`, `image/svg+xml`) to download as attachments instead of inline rendering, reducing XSS risk for generated artifacts.
## License