feat(api/artifacts): explicit Content-Disposition + X-Content-Type-Options

Harden the attacker-controlled artifact download path (F7) with explicit
response headers instead of relying on Starlette's defaults (which only
emit attachment for non-ASCII filenames and never set nosniff). Also
resolves the THREAT_MODEL F7 path-traversal row (containment check was
already in _resolve_artifact_path) and the fleet-deploy detail=str(e)
audit (all four sites are admin-gated deliberate validator UX or
structured worker-response fields).
2026-04-24 13:24:34 -04:00
parent ec1079e78b
commit 99ccd41bb5
3 changed files with 12 additions and 5 deletions


@@ -125,6 +125,8 @@ async def test_content_disposition_is_attachment(client: httpx.AsyncClient, auth
assert res.status_code == 200
cd = res.headers.get("content-disposition", "")
assert "attachment" in cd.lower()
assert _VALID_STORED_AS in cd
assert res.headers.get("x-content-type-options") == "nosniff"
async def test_smtp_service_serves_from_smtp_subdir(
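Review bot: The substring check `assert "attachment" in cd.lower()` on the new side would also accept a header such as `inline; filename="attachment.txt"`, so the explicit disposition this commit adds is not actually pinned by the test; checking the disposition type itself is stronger: `assert cd.lower().startswith("attachment;")`. Since the commit message describes the filename as coming from an attacker-controlled artifact path, a companion case with a stored_as containing `"`, `;` or CR/LF would confirm the explicit header quotes or rejects it rather than echoing it raw — unless the upstream validation that `_VALID_STORED_AS` hints at already excludes such values, which is not visible here. The nosniff equality assertion is fine as written. The enclosing test_content_disposition_is_attachment begins before the hunk.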