Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
90 commits
Select commit Hold shift + click to select a range
064fd90
docs: add Safe Expunging Process policy
level09 Apr 21, 2026
14355e5
fix(docker): switch nginx base to bitnamilegacy/nginx
level09 Apr 21, 2026
3c754fd
fix(docker): install runtime deps for celery-ocr role
level09 Apr 21, 2026
2f9e395
fix(docker): default ENV_FILE to .env.docker
level09 Apr 21, 2026
3aeaff1
fix(docker): exclude .git, node_modules, caches from build context
level09 Apr 21, 2026
cd51dac
fix(docker): stamp head on fresh DB instead of running migrations
level09 Apr 21, 2026
b136add
refactor(docker): slim-bookworm base with dedicated uv builder stage
level09 Apr 21, 2026
f6cd5f4
fix(docker): use TCP probe for nginx healthcheck
level09 Apr 21, 2026
244ee1d
v4.0.1: fix bulk OCR celery queue routing (#323)
level09 Apr 23, 2026
80f56b9
fix(BAY-01-001): re-check object access in revision history endpoints
level09 May 1, 2026
d0f4581
fix(BAY-01-002): enforce object-level access on extraction PUT
level09 May 1, 2026
4b66981
fix(BAY-01-004): contain CSV/XLS analyze paths inside IMPORT_DIR
level09 May 1, 2026
6b69734
fix(BAY-01-007): rate-limit failed logins by username and IP
level09 May 1, 2026
9800fbe
fix(BAY-01-008): sanitize imported rich-text fields
level09 May 1, 2026
3312be7
merge: bring v4.0.1 OCR queue routing fix from main
level09 May 1, 2026
903b19e
test(BAY-01): regression tests for Wave 1 pentest fixes
level09 May 1, 2026
ecc4aa7
refactor(BAY-01-007): use Flask-Limiter and move limits to settings
level09 May 1, 2026
507bab0
fix(BAY-01-006): drop DB superuser, replace trust auth with peer
level09 May 1, 2026
3ce769f
fix(BAY-01-003): filter export items by requester.can_access
level09 May 1, 2026
597e7e6
fix(BAY-01-005): drop /api/create-admin, bootstrap admin via installe…
level09 May 1, 2026
adb4139
polish(BAY-01-005): clearer install banner with login URL
level09 May 1, 2026
dde75cc
fix(BAY-01-005): bootstrap admin in Docker entrypoint on fresh DB
level09 May 1, 2026
ed81474
docs(BAY-01-005): correct Docker admin retrieval — service is bayanat
level09 May 1, 2026
1d80020
fix(BAY-01-005): pass admin password via stdin, not argv
level09 May 1, 2026
8996e2d
fix(settings): URL-encode DB and Redis passwords in connection URLs
level09 May 3, 2026
5861efb
Restore native pdf viewer (#319)
apodacaduron May 5, 2026
f96206f
v4.0.2: bump vulnerable deps (#324)
level09 May 6, 2026
c96974b
docs(BAY-01-005): admin bootstrap, Compose v2, env-file
level09 May 7, 2026
0ff19bd
Upgrade axios from 1.15.0 to 1.16.0 due to vulnerabilities (#333)
apodacaduron May 11, 2026
726d345
fix(BAY-01-041): cap media import Celery task with soft/hard time limit
level09 May 14, 2026
6f562d4
fix(BAY-01-038): coerce parse_excel column labels to strings
level09 May 14, 2026
9325742
fix(uwsgi): wire touch-reload so admin Reload button actually reloads…
level09 May 14, 2026
974a0e9
fix(config): allow 5-char file extensions in allowed lists (#338)
level09 May 14, 2026
363eb2c
fix(deps): bump urllib3 to >=2.7.0 (closes 2 high-severity advisories…
level09 May 14, 2026
1f6703d
docs(v4.0.2): extend changelog with post-#324 fixes (#341)
level09 May 14, 2026
5abe376
fix(BAY-01-036): pin Excel engine to openpyxl
level09 May 14, 2026
f199080
fix(BAY-01-035): keep parse_csv robust to ragged rows
level09 May 16, 2026
c0adefa
fix(BAY-01-043): drop URL-derived Source fallback in web import
level09 May 16, 2026
9bfca8a
fix(BAY-01-040): type-guard malformed bodies in Export.from_json
level09 May 17, 2026
0614f8a
fix(BAY-01-009): enforce edit boundary on media update endpoint
level09 May 18, 2026
b186e1b
fix(BAY-01-042): type-guard malformed bodies in import API
level09 May 19, 2026
dec0516
fix(BAY-01-011): strip rolesReplace for non-Admin in bulk update
level09 May 19, 2026
8b0c2d5
fix(BAY-01-012): enforce can_access_media on direct media endpoints
level09 May 19, 2026
9ee85af
fix(BAY-01-037): type-guard sheet parameter in XLSX analyze
level09 May 20, 2026
f34e679
fix(BAY-01-010): centralize per-target access check in relation sync
level09 May 20, 2026
aa7ecb0
fix(BAY-01-039): sanitize handle_mismatch description sink
level09 May 22, 2026
e4f26ca
fix(BAY-01-013): remove web/celery update bridge, web update is read-…
level09 May 24, 2026
a9af9db
chore: gitignore release signing keys
level09 May 24, 2026
09f3f60
fix(BAY-01-024): neutralize CSV formula injection in exports
level09 May 24, 2026
ddabe8e
fix(BAY-01-014): match registered domain in web-import allowlist
level09 May 24, 2026
4f8b40e
fix(BAY-01-015): enforce ownership on export detail endpoint
level09 May 24, 2026
ee18f11
fix(BAY-01-019): enforce Google subject binding on OAuth login
level09 May 24, 2026
ce2afeb
fix(BAY-01-018): scope bulk revisions/activity to accessible items
level09 May 24, 2026
f541199
fix(BAY-01-021): mask assignee/reviewer names in item list APIs
level09 May 24, 2026
1805951
fix(BAY-01-016): enforce config-driven session freshness on privilege…
level09 May 24, 2026
76f431f
fix(BAY-01-026): scope export items to requester access at creation
level09 May 25, 2026
0cba246
fix(BAY-01-023): cap PDF rasterization at the OCR page limit
level09 May 25, 2026
4708fe4
fix(BAY-01-025): block external/file resource fetching in PDF export
level09 May 25, 2026
f55f7a0
fix(BAY-01-020): opaque filenames for inline media uploads
level09 May 25, 2026
ae446a2
Add public archive export with public_description field (#345)
level09 Jun 3, 2026
5e93d04
fix(export): stop leaking internal description in public archive expo…
level09 Jun 9, 2026
f90d59b
Remove out-of-place yellow background from import screens (#329)
apodacaduron Jun 9, 2026
1016d13
Upgrade TinyMCE to latest and fix broken script path and image upload…
apodacaduron Jun 9, 2026
85e7f54
fix(BAY-01-022): enforce peer-review lock and strip assignee fields o…
level09 Jun 11, 2026
3b5ab77
fix(BAY-01-013): keep updater state dir root-owned to close symlink-race
level09 Jun 11, 2026
bc467b9
fix(BAY-01-029): bump mako, lxml, pypdf, pillow, python-dotenv past k…
level09 Jun 12, 2026
adf941e
fix(BAY-01-032): split web/worker service accounts, remove service sudo
level09 Jun 12, 2026
fa3069d
fix(BAY-01-030): lock down install layout file permissions
level09 Jun 12, 2026
dc8e62f
fix(BAY-01-031): strip app DB role privileges and gate connects
level09 Jun 12, 2026
a5280d0
fix(BAY-01-027): require auth on the local Redis listener
level09 Jun 12, 2026
5bbacd1
fix(BAY-01-033): sandbox the systemd services
level09 Jun 12, 2026
0cddfca
fix(BAY-01-028): harden docker deployment
level09 Jun 12, 2026
279b3c8
fix(BAY-01-034): escape stored XSS in frontend rendering sinks
apodacaduron Jun 13, 2026
92ee1e0
fix(BAY-01-009): scope bulk OCR to caller-accessible media
level09 Jun 13, 2026
0886e91
fix(BAY-01-036): drop unreadable .xls from sheet allowlist default
level09 Jun 13, 2026
706675b
fix(BAY-01-037): exclude bool sheet param in xls analyze and process-…
level09 Jun 13, 2026
5944439
fix(BAY-01-042): require a non-empty files list in process-sheet
level09 Jun 13, 2026
bcfe6ec
test(BAY-01): cover 009/036/037/042 input and access guards
level09 Jun 13, 2026
4b5e25d
fix(BAY-01-017): verify signed release tarballs before install
level09 Jun 16, 2026
05c40b3
fix(BAY-01-025): match BASE_URL host exactly in PDF url fetcher
level09 Jun 16, 2026
97c113e
fix(BAY-01-009): extend media edit boundary to OCR and orientation ac…
level09 Jun 16, 2026
d209e8f
fix(BAY-01-008): sanitize missing-person detail fields on sheet import
level09 Jun 17, 2026
98b305f
fix(BAY-01-012): hide media metadata from users without media access
level09 Jun 19, 2026
1cb5085
fix(BAY-01-009): enforce media edit boundary on bulk OCR
level09 Jun 19, 2026
0d2ac83
fix: prevent imports stuck in Pending on stale DB connections (#327)
level09 Jun 23, 2026
89c5ae1
Make session idle timeout configurable via SESSION_LIFETIME env (#335)
level09 Jun 23, 2026
759a338
Fix: keep source=import signal alive across chunked media uploads (#334)
level09 Jun 23, 2026
bf171e1
Merge remote-tracking branch 'origin/main' into pentest-fixes
level09 Jun 29, 2026
b44411a
Document & image redaction (#349)
level09 Jun 30, 2026
50de19c
Merge remote-tracking branch 'origin/main' into pentest-fixes
level09 Jun 30, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
12 changes: 12 additions & 0 deletions .dockerignore
Original file line number Diff line number Diff line change
@@ -1,4 +1,16 @@
.git
node_modules
.venv
env
__pycache__
*.pyc
*.pyo
enferno/media
enferno/imports
logs
backups
.env
.env.*
.DS_Store
*.md
docs/node_modules
2 changes: 2 additions & 0 deletions .gitattributes
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
# Vendored third-party library: collapse in diffs and exclude from language stats
enferno/static/js/tinymce/** -diff linguist-vendored
6 changes: 6 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -30,3 +30,9 @@ backups/*
cookies.txt

*.egg-info/

# Release signing: NEVER commit secret keys. The pinned public key is baked
# into the installer/updater, not stored as a loose file in the repo.
*.key
bayanat-release.key
bayanat-release.pub
1 change: 1 addition & 0 deletions .retireignore
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
enferno/static/js/tinymce
26 changes: 26 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,31 @@
# Changelog

## v4.0.2

### Security

- Bumped vulnerable dependencies in `uv.lock`:
- `urllib3` 2.6.3 → 2.7.0 (high, [GHSA-48p4-8xcf-vxj5](https://github.com/advisories/GHSA-48p4-8xcf-vxj5) sensitive headers forwarded across origins in proxied redirects; [GHSA-pq67-6m6q-mj2v](https://github.com/advisories/GHSA-pq67-6m6q-mj2v) decompression-bomb bypass in streaming API)
- `lxml` 6.0.2 → 6.1.0 ([GHSA-pp7h-53gx-mx7r](https://github.com/advisories/GHSA-pp7h-53gx-mx7r), high, XXE in `iterparse`/`ETCompatXMLParser`)
- `pillow` 12.1.1 → 12.2.0 ([GHSA-2vfv-wwj6-7q47](https://github.com/advisories/GHSA-2vfv-wwj6-7q47), high, FITS GZIP decompression bomb)
- `pypdf` 6.10.0 → 6.10.2 (medium, three RAM-exhaustion advisories)
- `python-dotenv` 1.2.1 → 1.2.2 (medium, symlink-following in `set_key`)
- `Mako` 1.3.10 → 1.3.11 (medium, path traversal in `TemplateLookup`)
- `pytest` 9.0.2 → 9.0.3 (dev, medium, vulnerable `tmpdir` handling)
- Bumped `axios` 1.15.0 → 1.16.0 (frontend dep, [GHSA-4hjh-wcwx-04pq](https://github.com/advisories/GHSA-4hjh-wcwx-04pq) DoS via large response).

### Fixed

- Admin "Reload" button now actually reloads the app. `uwsgi.ini` was missing the `touch-reload=reload.ini` directive, so the maintenance task touched the file with no effect on the running workers. After upgrading, existing installs should also append `touch-reload=reload.ini` to `/bayanat/uwsgi.ini` if they have local edits to that file.
- Allowed-extensions validator now accepts up to 5-character file extensions (previously capped at 4 characters). The cap rejected valid extensions like `mhtml`, `xhtml`, and `jhtml` from `MEDIA_ALLOWED_EXTENSIONS` and `SHEETS_ALLOWED_EXTENSIONS`.
- Restored the native browser PDF viewer for inline preview.

## v4.0.1

### Fixed

- Bulk OCR: celery worker now consumes the `ocr` queue. The systemd unit written by the installer was only subscribing to the default `celery` queue, so tasks dispatched by bulk OCR (UI and `flask ocr process`) silently piled up in Redis. Single-media OCR was not affected. Existing installs can fix in place by adding `-Q celery,ocr` to `ExecStart` in `/etc/systemd/system/bayanat-celery.service`, then `systemctl daemon-reload && systemctl restart bayanat-celery`.

## v4.0.0

### Database Migrations (Alembic)
Expand Down
43 changes: 43 additions & 0 deletions SAFE_EXPUNGING.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
# Safe Expunging Process

This document describes when and how history-altering operations are permitted on the Bayanat source repository, satisfying the SLSA v1.2 Source track "Safe Expunging Process" requirement.

## Scope

Applies to the public repository `sjacorg/bayanat` and the private release repository `sjacorg/bayanat.prod`, specifically to operations that remove or rewrite committed history on protected references (`main`, release tags matching `v*`).

## Default

History on protected references is append-only. Force-push, branch deletion, tag deletion, and retagging are blocked by repository rulesets.

## Permitted Reasons to Expunge

Expunging may be approved only for one of the following reasons:

1. **Secret leak.** An unredacted credential, private key, or access token was committed.
2. **Personal data leak.** Non-public personal data of an identifiable individual was committed.
3. **Legal or safety order.** A verified order from counsel or a credible safety concern requires removal of specific content.
4. **Malicious injection.** Attacker-introduced code or data must be removed as part of incident response.

Bug fixes, style corrections, and cleanup are never valid reasons.

## Approval

Both maintainers must approve in writing, recorded in the security advisory created for the incident.

## Procedure

1. File a private security advisory at https://github.com/sjacorg/bayanat/security/advisories with the reason, affected commits, and proposed action.
2. Record both maintainer approvals in the advisory.
3. If the reason involves a secret, rotate it before rewriting.
4. Rewrite with `git filter-repo` (not `filter-branch`), preserving commit signatures where possible.
5. Temporarily bypass branch protection, force-update the protected reference, then re-enable protection.
6. Invalidate and regenerate any affected release tags. Old tags are not reused.

## Consumer Notification

After any expunging action, publish a public security advisory that includes:

- What was removed and why (redacted as needed).
- New commit hashes and release tags that replace the expunged revisions.
- Operator guidance (re-clone, re-verify signatures, check deployed commit against the new history).
Loading
Loading