Skip to content

fix: SFI issue fix #390

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Aug 22, 2025
Merged

fix: SFI issue fix #390

merged 5 commits into from
Aug 22, 2025

Conversation

@Ravikirana-Microsoft
Copy link
Contributor

Purpose

This pull request enhances the security and robustness of the static file serving logic in src/frontend/frontend_server.py. The main improvements include adding protections against directory traversal, blocking access to sensitive files, and introducing security headers for all responses.

Security enhancements for static file serving:

  • Implemented path resolution checks to prevent directory traversal attacks when serving files from the build directory.
  • Added checks to block serving dotfiles and files with sensitive extensions or names, such as .env, .py, .pem, and Dockerfile. [1] [2]

HTTP response security improvements:

  • Introduced middleware to add basic security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) to all responses.
  • Ensured that suspicious or invalid file requests return a generic 404 error to prevent information leakage.

Codebase improvements:

  • Refactored imports to support new security logic and file path handling.

Does this introduce a breaking change?

  • Yes
  • No

How to Test

  • Get the code
git clone [repo-address]
cd [repo-name]
git checkout [branch-name]
npm install
  • Test the code

What to Check

Verify that the following are valid

  • ...

Other Information

github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 21, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 21, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 21, 2025
View reviewed changes
@Prajwal-Microsoft Prajwal-Microsoft merged commit ffcfa86 into dev Aug 22, 2025
8 checks passed
@Ravikirana-Microsoft Ravikirana-Microsoft deleted the sfi-issue-fix branch September 10, 2025 07:24
@github-actions
Copy link

🎉 This PR is included in version 2.2.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Prajwal-Microsoft Prajwal-Microsoft Prajwal-Microsoft approved these changes

@Avijit-Microsoft Avijit-Microsoft Awaiting requested review from Avijit-Microsoft Avijit-Microsoft is a code owner

@Roopan-Microsoft Roopan-Microsoft Awaiting requested review from Roopan-Microsoft Roopan-Microsoft is a code owner

@marktayl1 marktayl1 Awaiting requested review from marktayl1 marktayl1 is a code owner

@Fr4nc3 Fr4nc3 Awaiting requested review from Fr4nc3 Fr4nc3 is a code owner

@Vinay-Microsoft Vinay-Microsoft Awaiting requested review from Vinay-Microsoft Vinay-Microsoft is a code owner

@aniaroramsft aniaroramsft Awaiting requested review from aniaroramsft aniaroramsft is a code owner

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Ravikirana-Microsoft @Prajwal-Microsoft