GT AI OS Community Edition v2.0.33

Security hardening release addressing CodeQL and Dependabot alerts: - Fix stack trace exposure in error responses - Add SSRF protection with DNS resolution checking - Implement proper URL hostname validation (replaces substring matching) - Add centralized path sanitization to prevent path traversal - Fix ReDoS vulnerability in email validation regex - Improve HTML sanitization in validation utilities - Fix capability wildcard matching in auth utilities - Update glob dependency to address CVE - Add CodeQL suppression comments for verified false positives 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-12 17:04:45 -05:00
commit b9dfb86260
746 changed files with 232071 additions and 0 deletions
--- a/apps/control-panel-backend/alembic/versions/009_add_tfa_session_fields.py
+++ b/apps/control-panel-backend/alembic/versions/009_add_tfa_session_fields.py
@@ -0,0 +1,51 @@
+"""Add TFA session fields to used_temp_tokens
+
+Revision ID: 009_add_tfa_session_fields
+Revises: 008_add_totp_2fa
+Create Date: 2025-10-07
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '009_add_tfa_session_fields'
+down_revision = '008_add_totp_2fa'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # Add TFA session fields to used_temp_tokens table
+    op.add_column('used_temp_tokens', sa.Column('user_email', sa.String(255), nullable=True))
+    op.add_column('used_temp_tokens', sa.Column('tfa_configured', sa.Boolean(), nullable=True))
+    op.add_column('used_temp_tokens', sa.Column('qr_code_uri', sa.Text(), nullable=True))
+    op.add_column('used_temp_tokens', sa.Column('manual_entry_key', sa.String(255), nullable=True))
+    op.add_column('used_temp_tokens', sa.Column('temp_token', sa.Text(), nullable=True))
+    op.add_column('used_temp_tokens', sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False))
+
+    # Modify used_at to be nullable (NULL until token is used)
+    op.alter_column('used_temp_tokens', 'used_at',
+                    existing_type=sa.DateTime(timezone=True),
+                    nullable=True,
+                    existing_server_default=sa.func.now())
+
+    # Remove server default from used_at (manually set when used)
+    op.alter_column('used_temp_tokens', 'used_at', server_default=None)
+
+
+def downgrade():
+    # Remove TFA session fields
+    op.drop_column('used_temp_tokens', 'created_at')
+    op.drop_column('used_temp_tokens', 'temp_token')
+    op.drop_column('used_temp_tokens', 'manual_entry_key')
+    op.drop_column('used_temp_tokens', 'qr_code_uri')
+    op.drop_column('used_temp_tokens', 'tfa_configured')
+    op.drop_column('used_temp_tokens', 'user_email')
+
+    # Restore used_at to non-nullable with server default
+    op.alter_column('used_temp_tokens', 'used_at',
+                    existing_type=sa.DateTime(timezone=True),
+                    nullable=False,
+                    server_default=sa.func.now())