Skip to content

fix: SFI issue fix#390

Merged
Prajwal-Microsoft merged 5 commits into
devfrom
sfi-issue-fix
Aug 22, 2025
Merged

fix: SFI issue fix#390
Prajwal-Microsoft merged 5 commits into
devfrom
sfi-issue-fix

Conversation

@Ravikirana-Microsoft

@Ravikirana-Microsoft Ravikirana-Microsoft commented Aug 21, 2025

Copy link
Copy Markdown
Contributor

Purpose

This pull request enhances the security and robustness of the static file serving logic in src/frontend/frontend_server.py. The main improvements include adding protections against directory traversal, blocking access to sensitive files, and introducing security headers for all responses.

Security enhancements for static file serving:

  • Implemented path resolution checks to prevent directory traversal attacks when serving files from the build directory.
  • Added checks to block serving dotfiles and files with sensitive extensions or names, such as .env, .py, .pem, and Dockerfile. [1] [2]

HTTP response security improvements:

  • Introduced middleware to add basic security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) to all responses.
  • Ensured that suspicious or invalid file requests return a generic 404 error to prevent information leakage.

Codebase improvements:

  • Refactored imports to support new security logic and file path handling.

Does this introduce a breaking change?

  • Yes
  • No

How to Test

  • Get the code
git clone [repo-address]
cd [repo-name]
git checkout [branch-name]
npm install
  • Test the code

What to Check

Verify that the following are valid

  • ...

Other Information

github-advanced-security[bot]
github-advanced-security AI found potential problems Aug 21, 2025
View reviewed changes
Comment thread src/frontend/frontend_server.py Fixed
github-advanced-security[bot]
github-advanced-security AI found potential problems Aug 21, 2025
View reviewed changes
Comment thread src/frontend/frontend_server.py Fixed
github-advanced-security[bot]
github-advanced-security AI found potential problems Aug 21, 2025
View reviewed changes
Comment thread src/frontend/frontend_server.py Fixed
@Prajwal-Microsoft Prajwal-Microsoft merged commit ffcfa86 into dev Aug 22, 2025
8 checks passed
@Ravikirana-Microsoft Ravikirana-Microsoft deleted the sfi-issue-fix branch September 10, 2025 07:24
@github-actions

github-actions Bot commented Sep 23, 2025

Copy link
Copy Markdown

🎉 This PR is included in version 2.2.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

deepammi pushed a commit to deepammi/Multi-Agent-Custom-Automation-Engine-Solution-Accelerator that referenced this pull request Dec 7, 2025
@Prajwal-Microsoft
Merge pull request microsoft#390 from microsoft/sfi-issue-fix
e2fff26 
fix: SFI issue fix
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Avijit-Microsoft Avijit-Microsoft Awaiting requested review from Avijit-Microsoft Avijit-Microsoft is a code owner

@Roopan-Microsoft Roopan-Microsoft Awaiting requested review from Roopan-Microsoft Roopan-Microsoft is a code owner

@marktayl1 marktayl1 Awaiting requested review from marktayl1 marktayl1 is a code owner

@Fr4nc3 Fr4nc3 Awaiting requested review from Fr4nc3 Fr4nc3 is a code owner

@Vinay-Microsoft Vinay-Microsoft Awaiting requested review from Vinay-Microsoft

@aniaroramsft aniaroramsft Awaiting requested review from aniaroramsft aniaroramsft is a code owner

1 more reviewer

@Prajwal-Microsoft Prajwal-Microsoft Prajwal-Microsoft approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Ravikirana-Microsoft @github-advanced-security @Prajwal-Microsoft