v1.8.1 — Security & Compat Patch

@achmdfzn achmdfzn released this 14 Jun 08:37
· 4 commits to main since this release

Patch release. Bug fixes only, no breaking changes. Recommended upgrade for all users — includes two security fixes (L5/L6 primitive-payload bypass and ML engine path leak) and Node 18 compat.

Security

  • L5/L6 schema validation bypass for primitive payloads. Zod .strict() validation was gated behind a typeof parsed === "object" check in the pipeline, allowing JSON primitives (string, number, boolean, null) to bypass schema validation entirely. Such payloads reached the inner handler with validatedBody: null and no threat-score penalty. Moved Zod validation outside the object-typed guard. Obfuscation scan (L5) stays inside since detectObfuscation is inherently recursive on object trees.

  • ML engine path leak to Python sidecar. When req.nextUrl was missing, the plugin sent the full URL (including query string and hash) to the sidecar. Query strings commonly carry API keys, tokens, or PII. Path is now extracted via new URL(req.url).pathname with a safe empty-string fallback; nextUrl.pathname is preferred when present.
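Both security fixes above, reconstructed as an added example (not the project's code): the pre-1.8.1 object-typed guard beside the fixed validator, and pathname-only extraction for the sidecar. strictSchema is a dependency-free stand-in for a Zod .strict() schema, and the key names, penalty value and request shapes are assumptions.

```javascript
// Added example (not the project's code). Mimics the two code paths fixed in
// v1.8.1. strictSchema is a dependency-free stand-in for a Zod .strict() object
// schema; key names and the +50 penalty are constructed for illustration.
function strictSchema(allowedKeys) {
  return {
    safeParse(value) {
      if (typeof value !== "object" || value === null || Array.isArray(value)) {
        return { success: false, error: "expected object" };
      }
      const extra = Object.keys(value).filter((k) => !allowedKeys.includes(k));
      if (extra.length > 0) return { success: false, error: "unknown keys" };
      for (const k of allowedKeys) {
        if (typeof value[k] !== "string") return { success: false, error: "bad " + k };
      }
      return { success: true, data: value };
    },
  };
}

const bodySchema = strictSchema(["user", "action"]);

// Pre-1.8.1 shape: validation only runs for object-typed payloads, so a JSON
// primitive reaches the handler with validatedBody: null and no penalty.
// (Assumed guard; the page reports null bypassed too, so it is excluded here.)
function validateVulnerable(parsed) {
  let validatedBody = null, threatScore = 0;
  if (typeof parsed === "object" && parsed !== null) {
    const r = bodySchema.safeParse(parsed);
    if (r.success) validatedBody = r.data; else threatScore += 50;
  }
  return { validatedBody, threatScore };
}

// 1.8.1 shape: schema validation runs on every parsed body, object or not,
// so primitives fail .strict() and take the threat-score penalty.
function validateFixed(parsed) {
  let validatedBody = null, threatScore = 0;
  const r = bodySchema.safeParse(parsed);
  if (r.success) validatedBody = r.data; else threatScore += 50;
  return { validatedBody, threatScore };
}

// Sidecar path extraction: prefer nextUrl.pathname, else parse req.url and keep
// only the pathname so query strings and fragments never reach the sidecar.
function sidecarPath(req) {
  if (req.nextUrl && req.nextUrl.pathname) return req.nextUrl.pathname;
  try { return new URL(req.url).pathname; } catch { return ""; }
}
```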

Fixes

  • AbortController timer leak in ML engine plugin. clearTimeout was not called on the !response.ok early-return path or when fetch threw. Moved to try/finally so the timer is always cleared and the controller is never abandoned.

  • Node.js 18 compatibility for crypto global. crypto only became a Node.js global in v19, but engines.node pins to >=18. The honeypot and pipeline code used crypto.randomUUID() directly, which threw ReferenceError on Node 18 (surfaced as CI failures on the Node 18 quality job). Now uses globalThis.crypto ?? node:crypto.webcrypto. Works on Node 18, 20, 22, Edge runtime, and browsers.

  • pytest-asyncio compat in ML engine integration tests. Pinned to 0.24.0 (was >=0.24.0) and switched the async client fixture to @pytest_asyncio.fixture. The 8 integration tests in engine-python/tests/test_api.py previously passed only in isolation; they now pass under full collection.

Stats

  • 4 commits since v1.8.0
  • 216 TypeScript tests pass (was 209)
  • 39 Python tests pass (was 31, with 8 broken)
  • All 5 CI jobs green (Node 18/20/22 quality, docker, python-tests)

Full diff: v1.8.0...v1.8.1