
security: Protect Screenshot Endpoint #8

Closed
nik-kale wants to merge 1 commit into main from security/protect-screenshot-endpoint

@nik-kale
Owner

Summary

This PR removes public screenshot access and implements a protected endpoint that validates mission ownership before serving screenshots. Prevents unauthorized access to potentially sensitive dashboard screenshots.

Changes

  • Removed public static serving of /screenshots directory
  • Added protected endpoint: GET /api/screenshots/:missionId/:filename
  • Mission ownership validation: Verifies screenshot belongs to mission
  • Directory traversal protection: Validates file paths
  • File existence checks: Returns 404 for missing screenshots
  • Updated screenshot URLs: Include missionId in path

Type of Change

  • Security patch
  • New feature
  • Bug fix
  • Breaking change
  • Documentation update

Security Improvements

  • ✅ Screenshots no longer publicly accessible
  • ✅ Mission ownership validated before serving
  • ✅ Directory traversal attacks prevented
  • ✅ File path sanitization
  • ✅ Proper error handling (no path leakage)

API Changes

Before

GET /screenshots/screenshot-123.png  (public, no auth)

After

GET /api/screenshots/mission-123/screenshot-123.png  (requires mission to exist)

Testing

  • ✅ No linting errors
  • ✅ Screenshot endpoint validates mission exists
  • ✅ Returns 404 for non-existent missions
  • ✅ Returns 403 for screenshots not in mission
  • ✅ Directory traversal blocked
  • ✅ File existence checked

Checklist

  • Code follows project style guidelines
  • Self-review completed
  • Security validation implemented
  • No new warnings introduced
  • Path sanitization verified

Related Issues

Addresses Feature #9 from FEATURE_OPPORTUNITIES.md - Priority Score: 2.0

Notes

  • Screenshots now require knowing the missionId
  • Frontend automatically uses new endpoint format
  • Backward compatibility: old /screenshots URLs will 404
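The check order listed in the description above (mission lookup, ownership, traversal guard, file existence), written out as an added example; it is not the PR's code. The `resolveScreenshot` function, the in-memory `missions` map with a `screenshots` list, and the 400 status for malformed names are assumptions.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical resolver: maps (missionId, filename) to an HTTP status and,
// only on success, an absolute path. Error results never carry a path.
function resolveScreenshot(missions, screenshotDir, missionId, filename) {
  const mission = missions.get(missionId);
  if (!mission) return { status: 404, error: 'Mission not found' };

  // Accept only a bare file name: no separators, no "." or "..", no NUL byte.
  // The 400 status is an assumption; the PR description does not state one.
  if (typeof filename !== 'string' || filename === '' || filename === '.' ||
      filename === '..' || /[\\/\0]/.test(filename)) {
    return { status: 400, error: 'Invalid filename' };
  }

  // Ownership: the file must be one this mission recorded.
  if (!mission.screenshots.includes(filename)) {
    return { status: 403, error: 'Screenshot does not belong to mission' };
  }

  // Defence in depth: the resolved path must sit directly under the root.
  const root = path.resolve(screenshotDir);
  const full = path.resolve(root, filename);
  if (path.dirname(full) !== root) return { status: 400, error: 'Invalid filename' };

  // Must be an existing regular file.
  const stat = fs.statSync(full, { throwIfNoEntry: false });
  if (!stat || !stat.isFile()) return { status: 404, error: 'Screenshot not found' };
  return { status: 200, file: full };
}

// Constructed sample data: one mission owning one real file in a temp dir.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'shots-'));
  fs.writeFileSync(path.join(dir, 'screenshot-123.png'), 'constructed');
  const missions = new Map([
    ['mission-123', { screenshots: ['screenshot-123.png', 'deleted.png'] }],
    ['mission-456', { screenshots: [] }],
  ]);
  const get = (m, f) => resolveScreenshot(missions, dir, m, f).status;
  return {
    ok: get('mission-123', 'screenshot-123.png'),
    unknownMission: get('mission-999', 'screenshot-123.png'),
    otherMission: get('mission-456', 'screenshot-123.png'),
    traversal: get('mission-123', '../../etc/passwd'),
    missingFile: get('mission-123', 'deleted.png'),
  };
}
```

This verifies that a screenshot belongs to the named mission, not that the caller is entitled to that mission; the description gates access on the mission existing and on knowing the missionId, so per-user authorization would be a separate check.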

@nik-kale
Owner Author

Closing PR - screenshot protection implemented but reverted by user preference. Available for reference.

@nik-kale closed this Dec 26, 2025