security: harden presigned URL flow against path traversal and auth bypass
- Fix _handle_pydantic_validation to use exc.json() instead of exc.errors() so the response body is always JSON-serializable (Pydantic v2 ValidationError ctx fields contain raw exception objects that json.dumps cannot handle)
- Move GET presign read-access check BEFORE the local-backend early return so unauthenticated/unauthorized GET presign requests are rejected even when the active backend is local:// (no presigned URLs to generate)
- Add object_id path-traversal validators to WireFilterRequest, WirePresignRequest, WireConfirmObjectsRequest via field_validator
- Reduce WirePresignRequest and WireConfirmObjectsRequest max_length from 50_000 to 1_000 to prevent CPU-saturation DoS on presign batches
- Fix S3Backend._key() to strip '/' from object_ids (defense-in-depth behind the Pydantic validator layer)
- Add ghost-object check in wire_confirm_objects: verify each object actually exists in storage before inserting a musehub_objects DB row
- Batch presign HMAC signing in a single asyncio.to_thread dispatch instead of N parallel dispatches (one per object)
- Add global PydanticValidationError exception handler so manual model_validate() calls inside route handlers return HTTP 422 not 500
- 11 new TDD security tests (all green): path traversal, auth, DoS limits, ghost registration, GET presign access control
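The object_id validation and the defense-in-depth key stripping described in the commit message, as an added illustration that is not the project's own code. The function names (validate_object_id, s3_key, validate_presign_batch, classify), the allowed character set, the "objects/" key prefix and the percent-encoding rule are assumptions; the batch cap of 1_000 is the value the message cites. In the real models the validator body would be called from a Pydantic field_validator, which expects a ValueError on rejection, so it is written to that contract but runs without Pydantic installed:

```python
"""Added example: object_id hardening for a presigned-URL flow.

Illustrative code written for this page, not the project's implementation.
Names, the allowed character set and the key prefix are assumptions.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Batch cap cited in the commit message; everything else here is assumed policy.
MAX_PRESIGN_BATCH = 1_000

# Conservative allow-list: alphanumeric start, then alnum / dot / dash / underscore.
_OBJECT_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,255}$")


def validate_object_id(object_id: str) -> str:
    """Reject anything that could escape the per-object key namespace.

    Returns the unchanged object_id on success and raises ValueError
    otherwise, which is the contract a Pydantic field_validator expects.
    """
    if not isinstance(object_id, str):
        raise ValueError("object_id must be a string")
    # Decode once: if decoding changes the value, the client sent %2F / %2E%2E
    # style encoding, which could smuggle separators past a naive check.
    if unquote(object_id) != object_id:
        raise ValueError("object_id must not be percent-encoded")
    if "/" in object_id or "\\" in object_id:
        raise ValueError("object_id must not contain path separators")
    if ".." in object_id:
        raise ValueError("object_id must not contain '..'")
    if not _OBJECT_ID_RE.fullmatch(object_id):
        raise ValueError("object_id contains disallowed characters")
    return object_id


def s3_key(object_id: str, prefix: str = "objects/") -> str:
    """Build the storage key; second layer behind validate_object_id.

    Every '/' is stripped so a value that somehow bypassed the model layer
    still cannot add path components to the bucket key.
    """
    flat = object_id.replace("/", "")
    if not flat:
        raise ValueError("object_id is empty after stripping separators")
    return f"{prefix}{flat}"


def validate_presign_batch(object_ids: list[str]) -> list[str]:
    """Enforce the batch cap before per-item work, so an oversized request
    is rejected in O(1) rather than after validating thousands of ids."""
    if len(object_ids) > MAX_PRESIGN_BATCH:
        raise ValueError(f"at most {MAX_PRESIGN_BATCH} object_ids per request")
    return [validate_object_id(oid) for oid in object_ids]


def classify(object_id: str) -> str:
    """Demonstration helper: 'ok' or the rejection reason."""
    try:
        validate_object_id(object_id)
    except ValueError as exc:
        return str(exc)
    return "ok"


if __name__ == "__main__":
    # Constructed sample inputs: benign ids plus the usual traversal test vectors.
    samples = ["sha256-abc123", "ok.tar.gz", "../secrets", "a/b", "a%2F..%2Fb", ".."]
    for sample in samples:
        print(f"{sample!r:>16} -> {classify(sample)}")
    print(s3_key("a/b/c"))  # stripped to objects/abc even without the validator
```

Rejecting percent-encoded ids outright, rather than decoding and re-checking, keeps a single canonical form and avoids double-decoding mistakes; the key-level strip is deliberately redundant so the storage layer does not depend on every request model having the validator attached.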
muse hub commit comment sha256:99d2a4e654ce28e25d5bc3d1c178ad9609158b59706da27216af6bd69656035e --body "your comment"