Tried chatting with an ingested file.
What we did: Locked down the file attachment pipeline against 8 security vulnerabilities. Your files uploaded in chat are now safer — wrong-user access blocked, malicious file contents flagged, file type limits enforced, and all security events tracked.
Changes shipped (PR #28, merged to main):
- Cross-user file access blocked at the path level
- File size caps per type: PDF 25MB, Word 20MB, spreadsheets/text 10MB
- Spreadsheet formula injection prevented (=cmd style attacks in CSV/XLSX)
- Image uploads restricted to safe types only (JPEG, PNG, GIF, WebP)
- AI knowledge base search locked to the correct user's folders only
- Security event log now tracks which chat session triggered each event
- 30-second timeout added to prevent parser hang attacks
- ZIP bomb protection on Excel file uploads
QA: 5/5 — /chat renders, upload UI intact, no new errors, 29 regression tests pass
Status: Shipped ✅
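
As an added illustration of the per-type size caps and the ZIP bomb protection listed above (not code from PR #28): a Python upload check that enforces the caps and decompresses an XLSX in chunks against a budget. The extension keys, the expansion and ratio limits, and all function names are assumptions; the changelog states only the size caps.

```python
import io
import zipfile
import zlib

MIB = 2**20
# Per-type caps taken from the changelog; the extension keys are assumed.
SIZE_CAPS = {"pdf": 25 * MIB, "docx": 20 * MIB, "xlsx": 10 * MIB, "csv": 10 * MIB, "txt": 10 * MIB}
# Assumed limits (the changelog does not state them).
MAX_UNCOMPRESSED = 100 * MIB  # total bytes an XLSX may expand to
MAX_RATIO = 100               # per-member uncompressed/compressed ratio
RATIO_FLOOR = MIB             # skip the ratio test on small members

def check_xlsx_expansion(data, max_total=MAX_UNCOMPRESSED):
    """Decompress an XLSX (ZIP) in chunks and stop once a budget is exceeded."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            total = 0
            for info in zf.infolist():
                produced = 0
                with zf.open(info) as fh:
                    while chunk := fh.read(64 * 1024):
                        produced += len(chunk)
                        if total + produced > max_total:
                            return False, "expansion_limit"
                        if (produced > RATIO_FLOOR and
                                produced > MAX_RATIO * max(info.compress_size, 1)):
                            return False, "ratio_limit"
                total += produced
    except (zipfile.BadZipFile, zlib.error, EOFError, RuntimeError):
        return False, "unreadable_archive"  # corrupt, encrypted or unsupported
    return True, "ok"

def check_upload(ext, data):
    """Return (accepted, reason) for one uploaded file."""
    cap = SIZE_CAPS.get(ext.lower())
    if cap is None:
        return False, "type_not_allowed"
    if len(data) > cap:
        return False, "size_cap_exceeded"
    return check_xlsx_expansion(data) if ext.lower() == "xlsx" else (True, "ok")

def make_zip(members):
    """Build a constructed in-memory archive from {name: bytes} as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

The rejection reason is returned as a short string so it can be written to the security event log alongside the chat session that triggered it.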