Two critical issues and several high/medium issues were identified during
a security review of the backend API.
**Critical fixes:**
1. Path traversal (CWE-22): user-supplied `simulation_id`, `report_id`,
and `project_id` values were passed directly to `os.path.join()`
without validation, allowing `../` sequences to escape intended
directories.
- Added `backend/app/utils/id_validator.py` with `validate_safe_id()`
(rejects anything that isn't alphanumeric/underscore/hyphen) and
`safe_join()` (resolves realpath and verifies containment).
- Applied to all 3 path-construction sites in simulation.py, all 12
relevant handlers in report.py, and 6 sites in graph.py.
- Sanitized uploaded filenames with `os.path.basename()` in graph.py.
2. Missing authentication: all API endpoints were publicly accessible
with no auth mechanism.
- Added `backend/app/utils/auth.py` with an `X-Api-Key` middleware
registered as a `before_request` hook.
- Auth is opt-in: set `API_KEY` in `.env` to enforce it; if unset a
startup warning is logged. This preserves local dev workflows.
**High fixes:**
3. Hardcoded `SECRET_KEY` fallback replaced with `os.urandom(32).hex()`
so an unset key is never predictable.
4. `FLASK_DEBUG` now defaults to `False` instead of `True`.
5. Full Python tracebacks removed from all API error responses (51 total
across graph.py, report.py, simulation.py) — tracebacks still go to
the logger.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Deleted docker-compose.yml, backend Dockerfile, frontend Dockerfile, and nginx configuration to streamline project setup.
- Updated .env.example to reorganize LLM and ZEP API configurations for clarity and ease of use.
- Enhanced README.md to reflect changes in project structure and provide clearer setup instructions.
- Updated .env.example to reflect new LLM configuration with Aliyun's API.
- Enhanced .gitignore to include additional files and directories for better exclusion of sensitive and build artifacts.
- Added docker-compose.yml for streamlined deployment of backend and frontend services.
- Introduced Dockerfiles for both backend and frontend to facilitate containerized builds.
- Created README.md to provide comprehensive project documentation and setup instructions.
- Established nginx configuration for frontend to support API proxying and static file serving.
- Updated .env.example to include new keys for dual LLM configuration, allowing for both general and boost settings.
- Modified create_model function to support an optional use_boost parameter, enabling the selection of either general or boost LLM configurations based on availability.
- Improved logging to indicate which LLM configuration is being used during model creation, enhancing clarity for users.
Maggie Chen
666ghj