fix: harden security and async correctness

PttCodingMan · claude · PttCodingMan · commit 4e43342f1bbf · 2026-04-26T21:29:00.000+08:00
- media: extend SVG upload filter to also block &lt;use&gt;, &lt;animate&gt;, &lt;set&gt;;
  these elements can pull external SVG (xlink:href) or mutate href to
  javascript: at runtime, slipping past the existing script/foreign
  object check
- media: add a comment in the unauthenticated /api/media/{filename}
  fallback explaining the asymmetry with /api/pages — this branch is
  the support path for images embedded in is_public pages and is
  intentionally not gated by ANONYMOUS_READ
- auth_router: add a 0.5s asyncio.sleep on failed login on top of the
  existing in-memory counter; the counter resets on process restart,
  but the sleep cost compounds even across restarts so brute-force
  throughput stays bounded
- notifications: clarify the webhook dispatch model — validate_webhook_url
  is already re-checked just before each httpx.post so DNS-rebinding
  rebinds are caught at dispatch (the prior comment understated this);
  the residual TOCTOU window can't be closed without breaking HTTPS
  cert verification, which is acceptable for an admin-only surface
- export: run _inline_media_srcs + html rendering and zip compression
  on a thread; both do synchronous file I/O / CPU work that blocked
  the event loop for the duration of the export

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/backend/app/routers/auth_router.py b/backend/app/routers/auth_router.py
@@ -1,3 +1,4 @@
+import asyncio
 import logging
 import time
 from collections import defaultdict
@@ -91,6 +92,11 @@ async def login(body: LoginRequest, request: Request, response: Response):
         logger.warning(
             "login failed for user=%r ip=%s", body.username, client_ip(request)
         )
+        # The in-memory counter resets on process restart, so add a fixed
+        # latency cost on top of bcrypt to keep brute-force throughput low
+        # even in restart-loop scenarios. Tiny enough that a real user
+        # mistyping their password barely notices.
+        await asyncio.sleep(0.5)
         raise HTTPException(status_code=401, detail="Invalid credentials")
 
     logger.info("login ok user=%s role=%s", user["username"], user["role"])
diff --git a/backend/app/routers/export.py b/backend/app/routers/export.py
@@ -1,3 +1,4 @@
+import asyncio
 import base64
 import html as _html
 import io
@@ -255,7 +256,12 @@ async def export_page(
     page = dict(rows[0])
     if await resolve_page_permission(db, user, page["id"]) == "none":
         raise HTTPException(status_code=404, detail="Page not found")
-    html_content = _inline_media_srcs(md_to_simple_html(page["content_md"]))
+    # Render + inline media in a thread: _inline_media_srcs reads files
+    # synchronously and md_to_simple_html does CPU work. Pages with many
+    # embedded images would otherwise stall the event loop.
+    html_content = await asyncio.to_thread(
+        lambda: _inline_media_srcs(md_to_simple_html(page["content_md"]))
+    )
     # Escape title/slug: they're rendered into <title>, <h1>, and a meta
     # breadcrumb as raw text, so a page title containing e.g. `<script>` would
     # execute when the exported HTML is opened locally (file:// context).
@@ -316,12 +322,17 @@ async def export_site(
         "SELECT id, slug, title, content_md FROM pages WHERE deleted_at IS NULL ORDER BY title"
     )
 
-    buf = io.BytesIO()
-    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
-        for filename, content in build_site_files(pages):
-            zf.writestr(filename, content)
+    # File reads (_inline_media_srcs), HTML rendering, and zip compression
+    # are all blocking; do the whole bundle off the event loop.
+    def _build_zip() -> io.BytesIO:
+        out = io.BytesIO()
+        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
+            for filename, content in build_site_files(pages):
+                zf.writestr(filename, content)
+        out.seek(0)
+        return out
 
-    buf.seek(0)
+    buf = await asyncio.to_thread(_build_zip)
     return StreamingResponse(
         buf,
         media_type="application/zip",
diff --git a/backend/app/routers/media.py b/backend/app/routers/media.py
@@ -23,8 +23,14 @@
 # still force `Content-Disposition: attachment` + `X-Content-Type-Options:
 # nosniff` when serving SVG, so a crafted file can never run as HTML in the
 # app's origin even if it slips through this filter.
+#   - <script>, <foreignObject>, <iframe>: direct script injection
+#   - <use>: can pull external SVG via xlink:href / href
+#   - <animate>, <set>: can mutate href to javascript: at runtime
+#   - on*= attributes: inline event handlers
+#   - javascript: URI in any attribute (covers <a href="javascript:...">)
 _SVG_SCRIPT_RE = re.compile(
-    rb"<\s*script|on[a-z]+\s*=|javascript:|<\s*foreignObject|<\s*iframe",
+    rb"<\s*(?:script|use|animate|set|foreignObject|iframe)[\s>/]"
+    rb"|on[a-z]+\s*=|javascript:",
     re.IGNORECASE,
 )
 
@@ -291,7 +297,13 @@ async def get_media(filename: str, request: Request):
             user = anonymous_user()
         else:
             # Flag off → fall back to the legacy is_public path so existing
-            # share-a-public-page deployments keep working.
+            # share-a-public-page deployments keep working. This is the
+            # asymmetric piece: /api/pages/{slug} returns 401 for the same
+            # unauthenticated request, but a public page is served by
+            # routers/public.py which embeds <img src="/api/media/...">,
+            # and those tags must resolve without a session. Keep the two
+            # paths aligned on what counts as "public": only media that
+            # lives on a page with is_public=1.
             if not await _media_is_public(db, filename):
                 raise HTTPException(status_code=404, detail="File not found")
             return _safe_media_response(filepath)
diff --git a/backend/app/services/notifications.py b/backend/app/services/notifications.py
@@ -151,9 +151,15 @@ async def _post_many(urls: list[str], payload: dict) -> None:
 
 
 async def _post_one(client: httpx.AsyncClient, url: str, payload: dict) -> None:
-    # Re-check at dispatch time — the stored URL's hostname may have started
-    # resolving to an internal address since it was saved. Silently drop
-    # rather than contribute to the attacker's oracle.
+    # Defence in depth against DNS rebinding. validate_webhook_url ran at
+    # store-time, but TTL=0 lets an attacker flip the answer between then
+    # and now; re-validate immediately before each request so the resolved
+    # IP we accept is a fresh one. Doing this just before client.post
+    # narrows (but cannot fully close) the TOCTOU window — httpx will
+    # resolve the host again at connect time. Closing that final gap needs
+    # socket-level peer validation, which breaks SNI/cert verification for
+    # HTTPS webhooks; given webhooks are admin-only and the attack surface
+    # is post-compromise pivot, the narrowed window is acceptable.
     try:
         validate_webhook_url(url)
     except ValueError as exc:
