DocFast Agent
a0d4ba964c
fix: audit #18 rate limit cleanup (.unref), audit #25 consistent error shapes
Deploy to Production / Deploy to Server (push) Successful in 1m4s
Audit #18 - Rate limit store memory growth:
- rateLimitStore already had cleanup via cleanupExpiredEntries() per-request + 60s interval
- Added .unref() to the setInterval timer for clean graceful shutdown behaviour
Audit #25 - Consistent error response shapes:
- billing.ts: Fixed 409 plain-text response -> JSON { error: "..." }
- index.ts: Simplified 404 from 4-field object to { error: "Not Found: METHOD path" }
- signup.ts: Removed extra retryAfter field from rate-limit message object
- pdfRateLimit.ts: Merged limit/tier/retryAfter into single error message string
- usage.ts: Merged limit/used/upgrade fields into single error message string
- convert.ts: Merged detail field into error message (3 occurrences)
All error responses now consistently use {"error": "message"} shape.
2026-02-17 08:10:14 +00:00
OpenClaw
09c6feb06e
Fix audit #14 (body size limits), #17 (duplicate session_id), #22 (unused import)
Deploy to Production / Deploy to Server (push) Successful in 2m53s
2026-02-16 19:51:24 +00:00
OpenClaw
59cc8f3d0e
Session 45: support email, audit fixes (template validation, content-type, admin auth, waitUntil)
Deploy to Production / Deploy to Server (push) Successful in 2m20s
- Added support@docfast.dev to footer, impressum, terms, landing page, openapi.json
- Fixed audit #6: Template render validates required fields (400 on missing)
- Fixed audit #7: Content-Type check on markdown/URL routes (415)
- Fixed audit #11: /v1/usage and /v1/concurrency now require ADMIN_API_KEY
- Fixed audit Critical #3: URL convert uses domcontentloaded instead of networkidle0
2026-02-16 19:30:21 +00:00
OpenClaw
8a86e34f91
fix: critical and high-severity security fixes
Deploy to Production / Deploy to Server (push) Successful in 2m52s
- CRITICAL: DNS rebinding SSRF - pin DNS resolution via request interception
- CRITICAL: XSS in billing success - use data-attribute instead of JS string
- HIGH: Webhook signature bypass - refuse unverified webhooks (500)
- HIGH: Filename header injection - sanitize Content-Disposition filename
- HIGH: Verification code timing attack - use crypto.timingSafeEqual()
- HIGH: Remove duplicate unreachable 404 handler
- HIGH: Add IPv6 unique local (fc00::/7) to SSRF private IP check
- HIGH: Replace console.warn with structured logger
2026-02-16 18:56:21 +00:00
openclawd
7b55a1ddc6
Fix SSRF vulnerability: Add IPv6 link-local blocking and update error message
Deploy to Production / Deploy to Server (push) Failing after 20s
- Add fe80::/10 (IPv6 link-local) detection to isPrivateIP()
- Update error message to match specification: 'URL resolves to a private/internal IP address'
- Existing protections already covered all required IPv4 ranges and IPv6 localhost
2026-02-16 08:36:08 +00:00
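Worked example for the SSRF items in commits 8a86e34f91 (fc00::/7, DNS pinning) and 7b55a1ddc6 (fe80::/10). This is added illustration, not DocFast's isPrivateIP(); the blocked-range list, the helper names and pinResolvedTarget() are assumptions. It goes a little beyond the two commits: besides loopback, link-local and unique-local it also treats the IPv6 transition prefixes (IPv4-mapped ::ffff:0:0/96, NAT64 64:ff9b::/96, 6to4 2002::/16) by checking the IPv4 address they embed, which is the usual way a private-range check is bypassed once IPv6 literals are accepted, and it fails closed on anything it cannot parse.

```typescript
import { isIP } from "node:net";

// Added example, not DocFast's isPrivateIP(): range list, helper names and
// pinResolvedTarget() are assumptions written to illustrate the two commits.

function ipv4ToInt(ip: string): number | null {
  if (isIP(ip) !== 4) return null;
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

// Blocked IPv4 ranges: "this" net, RFC 1918, CGNAT, loopback, link-local
// (includes 169.254.169.254 metadata), IETF/benchmark reserved, multicast, class E.
const IPV4_BLOCKED: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.0.0.0", 24], ["192.168.0.0", 16],
  ["198.18.0.0", 15], ["224.0.0.0", 4], ["240.0.0.0", 4],
];

function inIpv4Block(ip: number, base: string, bits: number): boolean {
  const mask = (~0 << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base)! & mask) >>> 0);
}

/** Expand any textual IPv6 literal (:: compression, embedded IPv4 tail, zone id) to 16 bytes. */
function ipv6ToBytes(raw: string): Uint8Array | null {
  let ip = raw.split("%")[0]; // drop a zone id such as %eth0
  if (isIP(ip) !== 6) return null;
  const lastColon = ip.lastIndexOf(":");
  const tail = ip.slice(lastColon + 1);
  if (tail.includes(".")) { // embedded IPv4 tail, e.g. ::ffff:10.0.0.1
    const v4 = ipv4ToInt(tail);
    if (v4 === null) return null;
    ip = `${ip.slice(0, lastColon + 1)}${(v4 >>> 16).toString(16)}:${(v4 & 0xffff).toString(16)}`;
  }
  const [head, rest] = ip.split("::");
  const headGroups = head ? head.split(":") : [];
  const restGroups = rest ? rest.split(":") : [];
  const missing = 8 - headGroups.length - restGroups.length;
  if (missing < 0) return null;
  const groups = [...headGroups, ...Array(missing).fill("0"), ...restGroups].map(g => parseInt(g, 16));
  const bytes = new Uint8Array(16);
  groups.forEach((g, i) => { bytes[2 * i] = g >> 8; bytes[2 * i + 1] = g & 0xff; });
  return bytes;
}

function prefixMatch(a: Uint8Array, b: Uint8Array, bits: number): boolean {
  for (let i = 0; i < 16; i++) {
    const remaining = bits - i * 8;
    if (remaining <= 0) return true;
    const mask = remaining >= 8 ? 0xff : (0xff << (8 - remaining)) & 0xff;
    if ((a[i] & mask) !== (b[i] & mask)) return false;
  }
  return true;
}

// unspecified, loopback, link-local fe80::/10, unique local fc00::/7, multicast
const IPV6_BLOCKED: Array<[string, number]> = [
  ["::", 128], ["::1", 128], ["fe80::", 10], ["fc00::", 7], ["ff00::", 8],
];

function embeddedV4(b: Uint8Array, off: number): string {
  return `${b[off]}.${b[off + 1]}.${b[off + 2]}.${b[off + 3]}`;
}

export function isPrivateIP(ip: string): boolean {
  const v4 = ipv4ToInt(ip);
  if (v4 !== null) return IPV4_BLOCKED.some(([base, bits]) => inIpv4Block(v4, base, bits));
  const v6 = ipv6ToBytes(ip);
  if (v6 === null) return true; // unparseable: fail closed
  // Transition prefixes carry an IPv4 address inside; judge that address instead.
  if (prefixMatch(v6, ipv6ToBytes("::ffff:0:0")!, 96)) return isPrivateIP(embeddedV4(v6, 12)); // IPv4-mapped
  if (prefixMatch(v6, ipv6ToBytes("64:ff9b::")!, 96)) return isPrivateIP(embeddedV4(v6, 12)); // NAT64
  if (v6[0] === 0x20 && v6[1] === 0x02) return isPrivateIP(embeddedV4(v6, 2)); // 6to4
  return IPV6_BLOCKED.some(([base, bits]) => prefixMatch(v6, ipv6ToBytes(base)!, bits));
}

/** DNS-rebinding defence, simplified model of "pin DNS resolution": the caller
 *  resolves the host once, every answer is checked, and the request is then sent
 *  to the validated IP literal so no second lookup can return a different address.
 *  The original host is returned for the Host header (and SNI on HTTPS). */
export function pinResolvedTarget(target: string, resolved: string[]): { url: string; hostHeader: string } | null {
  let u: URL;
  try { u = new URL(target); } catch (_e) { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (resolved.length === 0 || resolved.some(isPrivateIP)) return null;
  const hostHeader = u.host;
  u.hostname = isIP(resolved[0]) === 6 ? `[${resolved[0]}]` : resolved[0];
  return { url: u.toString(), hostHeader };
}
```

With HTTPS targets the client must still validate the certificate against the original hostname (set the TLS servername to hostHeader's host), otherwise pinning to the IP literal trades a rebinding bug for a certificate-check bypass.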
OpenClaw
9541ae1826
Backend hardening: structured logging, timeouts, memory leak fixes, compression, XSS fix
Deploy to Production / Deploy to Server (push) Failing after 20s
- Add pino structured logging with request IDs (X-Request-Id header)
- Add 30s timeout to acquirePage() and renderPdf/renderUrlPdf
- Add verification cache cleanup (every 15min) and rate limit cleanup (every 60s)
- Read version from package.json in health endpoint
- Add compression middleware
- Escape currency in templates (XSS fix)
- Add static asset caching (1h maxAge)
- Remove deprecated docker-compose version field
- Replace all console.log/error with pino logger
2026-02-16 08:27:42 +00:00
OpenClaw Agent
73917551bd
Fix rate limits, concurrency control, copy button
- DATA-BACKED RATE LIMITS:
* Reduce global rate limit from 10,000/min to 100/min
* Add PDF conversion rate limits: 10/min free, 30/min pro
* Set recovery rate limit to 3/hour (was 5/hour)
* Add concurrency limiter: max 3 simultaneous PDFs, queue rest
* Return 429 if queue > 10
- BUG-025: Fix copy button functionality
* Improve fallback handling for execCommand
* Add better error handling and user feedback
* Fix secure context detection
- Add concurrency monitoring endpoint /v1/concurrency
2026-02-15 08:04:56 +00:00
OpenClaw
efa39661cf
feat: multi-browser pooling (2 Chromium instances × 8 pages)
- Launch BROWSER_COUNT separate Chromium instances (default: 2)
- Each with PAGES_PER_BROWSER pages (default: 8, 16 total)
- Round-robin distribution across browser instances
- Independent restart scheduling per browser
- Updated health endpoint to show per-browser stats
- docker-compose: added BROWSER_COUNT and PAGES_PER_BROWSER env vars
2026-02-14 21:55:29 +00:00
6a38ba4adc
fix: critical security issues - webhook bypass, SSRF, XSS
2026-02-14 16:19:48 +00:00
d8bc3fd8e6
fix: BUG-009 setTimeout syntax, BUG-010 CORS helmet policy, BUG-011 content-type validation
2026-02-14 15:34:21 +00:00
6896b72e0c
Add URL→PDF endpoint, usage tracking middleware, free tier limits
2026-02-14 13:02:40 +00:00
feee0317ae
Initial MVP: DocFast PDF API
- HTML/Markdown to PDF conversion via Puppeteer
- Invoice and receipt templates
- API key auth + rate limiting
- Dockerfile for deployment
2026-02-14 12:38:06 +00:00