SnapAPI session 59: element screenshots + JS injection features
This commit is contained in:
parent
8b7452cc81
commit
15942026cd
2 changed files with 61 additions and 3 deletions
@ -1,5 +1,58 @@
# SnapAPI Session Log
## Session 59 — 2026-03-05 12:00 CET (Element Screenshots + JS Injection)
**Goal:** Add two high-value competitive features: element screenshots and JavaScript injection.
**Health Check:**
- Production: ✅ healthy, 2 replicas (still v0.5.2, VULNERABLE — BUG-016)
- Staging: ✅ healthy, new deployment with both features
**Work Done:**
### 1. Feature: `selector` parameter (element screenshots) — sub-agent: snapapi-dev-selector
- New `selector` string parameter captures specific DOM element via `element.screenshot()`
- Validates: max 200 chars, blocks `javascript:` / `<script`
- Mutual exclusivity with `fullPage` (returns 400 if both)
- `SELECTOR_NOT_FOUND` → 400 with clear error message
- Works on both GET and POST endpoints
- OpenAPI spec updated for both endpoints
- **TDD**: 27 new tests written RED first, then GREEN
- **Test suite: 414 tests passing** (was 387)
- **Git commits**: f1d63cd, c38f702, a17f492
### 2. Feature: `js` parameter (JavaScript injection) — sub-agent: snapapi-dev-js
- New `js` string parameter executes custom JS via `page.evaluate()` before capture
- Executes after delay but before CSS/hideSelectors injection
- Max 5000 chars, 5-second execution timeout
- `JS_TIMEOUT` and `JS_EXECUTION_ERROR` → 400 responses
- Works on both GET and POST endpoints
- OpenAPI spec updated, SDK READMEs (Node.js + Python) updated with examples
- **TDD**: Tests written RED first, then GREEN
- **Git commit**: 91a08ba (merged cleanly with selector work)
### 3. Verification
- Both features in codebase, no merge conflicts
- 414 tests all passing locally
- Staging deployed and healthy
- Production unchanged (v0.5.2)
**Investor Test:**
1. Stranger trust with money? **Yes on staging**
2. Data loss on crash? **No** (CNPG PostgreSQL)
3. Free tier abuse? **⚠️ YES on production** — /v1/signup/free CONFIRMED still active
4. Key recovery? **Yes on staging**
5. All website features work? **Yes on staging**
**Blockers (unchanged):**
- **⚠️ CRITICAL: Production deploy needed** — BUG-016 (free signup) is a live security issue
- Stripe production webhook: needs investor to register URL
- CI/CD: No Forgejo runner (workaround: manual build on k3s-mgr)
**Note for investor:** Production is now 25+ commits behind staging. Staging has 414 tests, element screenshots, JS injection, security hardening, usage dashboard, customer portal, key recovery, blog, pricing page, changelog, comparison page, guides, billing rate limiting, cancelled tier. Strongly recommend approving production deploy.
---
## Session 58 — 2026-03-05 09:00 CET (SSRF Security Hardening)
**Goal:** Harden SSRF protection and input validation security.
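Review bot: Section 2 lists only a 5000-char limit and a 5-second timeout as guardrails for the `js` parameter, yet `page.evaluate()` runs caller-supplied script inside the rendering browser with the page's own privileges; the entry should state whether the Session 58 SSRF controls also cover requests that the injected script itself initiates (fetch, XHR or navigation from page context) and what sandboxing the renderer runs under, or record that as a follow-up item in the blockers list. Related: the `javascript:` / `<script` blocklist on `selector` in section 1 is a substring check rather than a bound on what a selector can do, so the log should say which threat it is meant to address.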
@ -1,6 +1,6 @@
{
"phase": "production-live",
"version": "0.5.2-prod (VULNERABLE: free signup still live) / 0.7.3-staging (387 tests)",
"version": "0.5.2-prod (VULNERABLE: free signup still live) / 0.8.0-staging (414 tests)",
"staging": {
"status": "running",
"namespace": "snapapi-staging",
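Review bot: The staging version jumps from 0.7.3 to 0.8.0 in the "version" string, but nothing in this file ties 0.8.0 to the commits the session log names (f1d63cd, c38f702, a17f492, 91a08ba); with builds done by hand on k3s-mgr rather than by a runner, add a field recording the commit the staging image was built from so a deployed version can be traced back to source. The same string is also the only place the production state carries "VULNERABLE: free signup still live"; a dedicated field referencing BUG-016 would make that state machine-checkable instead of buried in free text.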
@ -91,7 +91,12 @@
"Python SDK: 22 tests (up from 17), comprehensive darkMode/hideSelectors coverage (staging)",
"Test suite: 366 tests passing (staging)",
"SSRF hardening: IPv4-mapped IPv6 blocking, IPv6 unspecified blocking, CSS injection prevention (hideSelectors, waitForSelector, css param) — 21 new security tests (staging)",
"Test suite: 387 tests passing (staging)"
"Test suite: 387 tests passing (staging)",
"Element screenshot: selector parameter — capture specific DOM element instead of full page (staging)",
"JavaScript injection: js parameter — execute custom JS before capture, 5s timeout, 5000 char limit (staging)",
"selector + fullPage mutual exclusivity validation (staging)",
"SDK docs: js parameter documented in Node.js + Python SDK READMEs (staging)",
"Test suite: 414 tests passing (staging)"
],
"notDone": [
"Register Stripe webhook URL in Stripe Dashboard",
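Review bot: Appending "Test suite: 414 tests passing (staging)" leaves the earlier "366" and "387" test-count entries in the same done list, so the list now carries three contradictory counts; since the "version" string already records the current count, either drop the superseded entries or keep a single test-count item and update it in place. The new js entry records the 5s timeout and 5000-char limit but not the ordering stated in the session log (script runs after delay and before CSS/hideSelectors injection); that ordering is what determines what the injected script can see, so it belongs in the entry too.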
@ -114,6 +119,6 @@
"priceId": "price_1T2XHpRtlDv9c8GoThHfd8kS"
}
},
"lastSession": "2026-03-05T08:00:00Z",
"lastSession": "2026-03-05T11:00:00Z",
"codeLocation": "Forgejo repo openclawd/SnapAPI. Clone: git clone forgejo-snapapi:openclawd/SnapAPI.git"
}
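Review bot: The "lastSession" value is a UTC instant while the session log headings are given in CET; the two agree here (12:00 CET is 11:00Z), but recording the session number next to the timestamp (for example a "lastSessionId": 59 field) would let state and log be matched without timezone arithmetic.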