Davide Scaini 6d3673b2f7 1. Image upload size limit — _MAX_IMAGE_BYTES = 10 MB in both serve/server.py and edit/server.py ...

2. Image MIME type whitelist — _ALLOWED_IMAGE_TYPES blocks SVG XSS in both servers
  3. Filename collision safety — _unique_image_name() helper in both servers
  4. OAuth CSRF — state token generated in edit/server.py auth-url, stored in _oauth_states, validated and discarded in callback; strava_api.auth_url() accepts optional state param
  5. Error message leak — upload processing errors now return generic "Processing failed" instead of exception type/message
  6. Handle injection in subprocess — _trigger_rebuild now asserts handle matches _VALID_HANDLE before passing to subprocess

2026-04-10 13:56:39 +02:00

..

parsers

second pass. low

2026-04-01 19:00:28 +02:00

__init__.py

backend: initial commit

2026-03-28 13:59:36 +01:00

cli.py

unify single user and multi user behaviour

2026-04-09 08:59:40 +02:00

config.py

second pass. medium

2026-04-01 11:05:00 +02:00

dedup.py

parallelizing extraction, fix tcx files

2026-03-28 14:30:53 +01:00

ingest.py

"keep data on the server" opt-in/out

2026-04-10 13:01:21 +02:00

metrics.py

fix low level issues

2026-03-31 23:22:12 +02:00

models.py

backend: initial commit

2026-03-28 13:59:36 +01:00

simplify.py

local conversion

2026-04-06 22:25:57 +02:00

sport.py

fix ride types subclasses (?) to be tested

2026-03-30 22:55:53 +02:00

strava_api.py

1. Image upload size limit — _MAX_IMAGE_BYTES = 10 MB in both serve/server.py and edit/server.py

2026-04-10 13:56:39 +02:00

strava_csv.py

backend: initial commit

2026-03-28 13:59:36 +01:00

timeseries.py

fix low level issues

2026-03-31 23:22:12 +02:00

writer.py

fixing stuff after splitting jsons

2026-04-09 15:27:00 +02:00