cqrenet/aoc
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 29 Wiki Activity

v1.7.12: security hardening — CORS fix, security headers, fail-closed rate limiter, OpenAPI docs disabled by default, config auth privacy, webhook validation
All checks were successful
Release / build-and-push (push) Successful in 44s
Details
CI / lint-and-test (push) Successful in 22s
Details

Browse Source
This commit is contained in:
Tomas Kracmar
2026-04-27 13:59:05 +02:00
parent c086fa4260
commit 07a841615b
11 changed files with 349 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
backend/routes/webhooks.py
View File

@@ -17,7 +17,15 @@ async def graph_webhook(request: Request):
if validation_token:
# Microsoft sends validationToken as a query param during subscription creation.
# Echo it back as plain text to prove endpoint ownership.
return Response(content=validation_token, media_type="text/plain")
# Validate to prevent content injection if endpoint is hit directly.
if len(validation_token) > 1024 or not validation_token.isascii():
logger.warning("Invalid validationToken rejected", length=len(validation_token))
return Response(status_code=400)
return Response(
content=validation_token,
media_type="text/plain",
headers={"X-Content-Type-Options": "nosniff"},
)
try:
body = await request.json()