GT AI OS Community Edition v2.0.33

Security hardening release addressing CodeQL and Dependabot alerts: - Fix stack trace exposure in error responses - Add SSRF protection with DNS resolution checking - Implement proper URL hostname validation (replaces substring matching) - Add centralized path sanitization to prevent path traversal - Fix ReDoS vulnerability in email validation regex - Improve HTML sanitization in validation utilities - Fix capability wildcard matching in auth utilities - Update glob dependency to address CVE - Add CodeQL suppression comments for verified false positives 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-12 17:04:45 -05:00
commit b9dfb86260
746 changed files with 232071 additions and 0 deletions
--- a/apps/resource-cluster/app/api/auth.py
+++ b/apps/resource-cluster/app/api/auth.py
@@ -0,0 +1,20 @@
+"""
+Authentication utilities for API endpoints
+"""
+
+from fastapi import HTTPException, Header
+from app.core.security import capability_validator, CapabilityToken
+
+
+async def verify_capability(authorization: str = Header(None)) -> CapabilityToken:
+    """Verify capability token from Authorization header"""
+    if not authorization or not authorization.startswith("Bearer "):
+        raise HTTPException(status_code=401, detail="Missing or invalid authorization header")
+    
+    token_str = authorization.replace("Bearer ", "")
+    token = capability_validator.verify_capability_token(token_str)
+    
+    if not token:
+        raise HTTPException(status_code=401, detail="Invalid capability token")
+    
+    return token