Trek_CN/client
jubnl c9341eda3f
fix: remove RCE vector from admin update endpoint.
The POST /api/admin/update endpoint ran git pull, npm install, and npm run build via execSync, potentially giving any compromised admin account full code execution on the host in case repository is compromised. TREK ships as a Docker image so runtime self-updating is unnecessary.
- Remove the /update route and child_process import from admin.ts
- Remove the installUpdate API client method
- Replace the live-update modal with an info-only panel showing docker pull instructions and a link to the GitHub release
- Drop the updating/updateResult state and handleInstallUpdate handler
2026-04-01 07:55:34 +02:00
..
public v2.6.2 — TREK Rebrand, OSM Enrichment, File Management, Hotel Bookings & Bug Fixes 2026-03-28 16:38:08 +01:00
scripts Add PWA support for iOS home screen install 2026-03-21 22:21:23 +01:00
src fix: remove RCE vector from admin update endpoint. 2026-04-01 07:55:34 +02:00
index.html fix: harden PWA caching and client-side auth security 2026-03-31 00:33:58 +00:00
package-lock.json feat: adds better gpx track views 2026-03-31 10:29:49 +02:00
package.json chore: bump version to 2.7.1 2026-03-30 21:25:35 +02:00
postcss.config.js Initial commit — NOMAD (Navigation Organizer for Maps, Activities & Destinations) 2026-03-18 23:58:08 +01:00
tailwind.config.js Initial commit — NOMAD (Navigation Organizer for Maps, Activities & Destinations) 2026-03-18 23:58:08 +01:00
tsconfig.json refactoring: TypeScript migration, security fixes, 2026-03-27 18:40:18 +01:00
vite.config.js fix: harden PWA caching and client-side auth security 2026-03-31 00:33:58 +00:00