
feat: security, config, and documentation improvements #46

Merged
nmlemus merged 5 commits into main from feature/new-functionalities
Feb 19, 2026

Conversation

@nmlemus nmlemus (Owner) commented Feb 19, 2026

Summary

Implements the improvements from the plan (docs/PLAN_MEJORAS_E_ISSUES.md) and brings documentation up to date.

Security & robustness

  • Path traversal: download_file / delete_file (files) and download_artifact / delete_artifact (artifacts) now resolve paths and ensure they stay under the session base; filename uses basename only.
  • Session store (JSON): session_id validated (alphanumeric, underscore, hyphen); resolved path checked under storage_dir.
  • API: session_id path parameter validated via SessionIdPath (pattern [a-zA-Z0-9_-]+) on all relevant routes (sessions, files, artifacts, chat, kernel, hitl, websocket).
  • Content-Disposition: Export session JSON uses a sanitized filename to avoid header injection.
  • Docs: WebSocket API key in query string risk; executor execution without isolation; health endpoint intentionally unauthenticated.

Configuration

  • Single source: Server uses dsagent.config.get_settings() (deps no longer define their own ServerSettings).
  • New options: DSAGENT_REQUIRE_API_KEY (refuse start without API key), DSAGENT_MAX_UPLOAD_MB (default 50; 0 = no limit).
  • Startup: If require_api_key is true and no API key is set, server raises at startup.
  • Versions: API version read from package __version__; Dockerfile LABEL version set to 0.8.4.

Upload limits

  • Files upload enforces DSAGENT_MAX_UPLOAD_MB per file (chunked read, 413 when exceeded).

Tests

  • test_delete_session_not_found: mock load_session.return_value = None (matches handler).
  • API key auth fixture: use dsagent.config.clear_settings_cache() instead of deps.get_settings.cache_clear().

Documentation

  • README: CLI table (serve, skills), Docker examples (PORT, DSAGENT_*), config and HTTP API links.
  • docs/CLI.md: serve and skills sections; env vars (DSAGENT_*); .env order.
  • docs/getting-started/configuration.md: Full DSAGENT_* table; require_api_key, max_upload_mb; workspace layout.
  • docs/api/http-api.md: Base URL /api (no v1); full route table; files/artifacts use category; session export/notebook; all URLs fixed.
  • docs/guide/docker.md, docs/DOCKER.md: PORT, DSAGENT_*, align with config.
  • docs/index.md, quickstart: Version-agnostic example; Docker volume.

Related

Addresses the scope of the GitHub issues created from the plan (path traversal, session_id validation, config unification, API version, Dockerfile version, upload limits, Content-Disposition, documentation).

Made with Cursor
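
The four guards the description lists (path containment under the session base, the SessionIdPath pattern, Content-Disposition filename sanitization, and the chunked upload read that answers 413) as one stand-alone added example; this is not the dsagent project's own code, and the function names, the `workspace_constructed` base directory and the filename character whitelist are assumptions.

```python
import io
import re
from pathlib import Path, PurePosixPath

# Pattern the PR applies to the session_id path parameter (SessionIdPath).
SESSION_ID_RE = re.compile(r"[a-zA-Z0-9_-]+")

class UploadTooLarge(Exception):
    def __init__(self, max_upload_mb: int):
        super().__init__(f"upload exceeds {max_upload_mb} MB")
        self.status_code = 413  # what the route returns on an oversized file

def validate_session_id(session_id: str) -> str:
    """Only alphanumerics, underscore and hyphen: no separators or dots get through."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError(f"invalid session_id: {session_id!r}")
    return session_id

def resolve_under_base(base: str, relative: str) -> Path:
    """Resolve base/relative (symlinks included) and refuse anything outside base."""
    root = Path(base).resolve()
    candidate = (root / relative).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"{relative!r} escapes {root}")
    return candidate

def safe_download_filename(name: str, fallback: str = "session.json") -> str:
    """Basename only, then a whitelist, so the header cannot carry CR/LF or quotes."""
    basename = PurePosixPath(name.replace("\\", "/")).name
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", basename).strip("._")
    return cleaned or fallback

def read_upload_limited(stream, max_upload_mb: int, chunk_size: int = 64 * 1024) -> bytes:
    """Chunked read that aborts as soon as the limit is crossed (0 = no limit)."""
    limit = max_upload_mb * 1024 * 1024
    buf = bytearray()
    while chunk := stream.read(chunk_size):
        buf.extend(chunk)
        if limit and len(buf) > limit:
            raise UploadTooLarge(max_upload_mb)
    return bytes(buf)

def upload_status(data: bytes, max_upload_mb: int) -> int:
    """Status a route would return: 200 when accepted, 413 when the limit is exceeded."""
    try:
        read_upload_limited(io.BytesIO(data), max_upload_mb)
    except UploadTooLarge as exc:
        return exc.status_code
    return 200
```

Resolving before the containment check is what defeats `..` segments and symlinks alike; comparing unresolved strings would not.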

- Security: path traversal guards in files and artifacts routes; session_id
  validation in JSON store and API (SessionIdPath); Content-Disposition
  filename sanitization; doc notes for WebSocket API key, executor isolation,
  health endpoint
- Config: single source (deps use config.get_settings); require_api_key and
  max_upload_mb; API version from package; Dockerfile version 0.8.4
- Upload: enforce DSAGENT_MAX_UPLOAD_MB in files upload
- Tests: fix delete_session_not_found mock; API key fixture use config cache
- Docs: README CLI/Docker; CLI serve & skills; configuration DSAGENT_*; HTTP
  API base /api, files/artifacts, full endpoint list; Docker PORT and env;
  quickstart/index version-agnostic

Co-authored-by: Cursor <cursoragent@cursor.com>
nmlemus and others added 4 commits February 18, 2026 19:06
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
- files: _get_session_path now resolves path and ensures it is under
  session_manager.workspace_path before use
- artifacts: add _ensure_artifacts_path_under_workspace; use it in
  list_artifacts, download_artifact, delete_artifact before using
  session.artifacts_path
- Addresses GitHub Advanced Security 'Uncontrolled data used in path
  expression' review comments on PR #46

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@nmlemus nmlemus merged commit c857794 into main Feb 19, 2026
9 of 10 checks passed
