Security Hardening Release
Comprehensive security audit and fixes across critical, high, and medium severity findings.
R2 Proxy Lockdown
images/prefix restriction on both cloud and local proxies- Path traversal (
..) blocking - Image extension allowlist + Content-Type validation from R2 metadata
MCP Tool Rate Limiting
- Single-flight + cooldown on 7 expensive operations (rebuild, export, import, insights, duplicates, migrate)
- Prevents resource exhaustion via repeated calls
Prompt Injection Mitigation
- Memory content moved from system prompt to user/context message across all 4 LLM callsites
- Defensive markers on all memory-to-LLM paths
Upload Hardening
- Symlink chain rejection, Pillow content verification
- MIME derived from image content (not filename), no path disclosure in responses
- Extension allowlist aligned with storage backend
Additional Fixes
- Origin validation (urlparse-based) on SSE and chat endpoints
- Chat rate limiting: 30 req/min per IP
- Secure dedup cache:
~/.cache/memora/, SHA-256 filenames, fcntl locking - SQL hardening: alias-aware ORDER BY whitelist, LIMIT/OFFSET clamping
- Error sanitization: generic messages for infrastructure errors
- Dependencies: Pillow >= 10.4.0, openai >= 1.6.0, zod 3.24.2
- Lock files: requirements.lock, requirements-local.lock, requirements-dev.lock
- Security Model documentation in README
Codebase Health (from v0.2.23)
- Full XSS sweep in graph UI (escapeHtmlAttr, CSS.escape, data-* delegation)
- PATCH metadata shallow merge with null-delete semantics
- FTS/embedding reindex on tag/metadata changes
- Module extraction: embeddings.py, schema.py split from storage.py
- Duplicate detection aligned to 0.85 threshold across all paths
- 39 tests passing
Full Changelog: v0.2.23...v0.2.24