Skip to content

Studio build, media path config, and security hardening#2

Closed
bnz183 wants to merge 1 commit into
split/base-signedfrom
split/01-build-security
Closed

Studio build, media path config, and security hardening#2
bnz183 wants to merge 1 commit into
split/base-signedfrom
split/01-build-security

Conversation

@bnz183

@bnz183 bnz183 commented Jun 9, 2026

Copy link
Copy Markdown
Owner

Summary

  • Include Studio server in production build
  • Configurable publicMediaPath for media uploads
  • MVP security hardening for sessions and POST routes

Stack

PR 1 of 11 (retroactive review of merged studio landing)

return;
}

const result = await uploadMedia(req, envResult.config);
Comment thread apps/studio/server/index.ts Outdated
@@ -0,0 +1,36 @@
export function normalizePublicMediaPath(publicMediaPath: string): string {
const trimmed = publicMediaPath.trim().replace(/\/+$/u, "");
}

export function derivePublicMediaPath(mediaDir: string): string {
const normalized = mediaDir.replace(/^\/+/u, "").replace(/\/+$/u, "").trim();

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 23f86dbb48

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

return;
}

next();

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Validate configured origins before accepting same-site requests

When browsers send Sec-Fetch-Site: same-site, this next() returns before the Origin/Referer path and therefore ignores STUDIO_ALLOWED_ORIGINS. In a deployment on studio.example.com where another same-site origin such as evil.example.com is not trusted, same-site requests still carry the Studio cookie and can reach state-changing routes like logout or multipart media upload despite an allowlist being configured.

Useful? React with 👍 / 👎.

@bnz183

bnz183 commented Jun 9, 2026

Copy link
Copy Markdown
Owner Author

Closing retroactive split-stack review PR. Continuing from protected main with scoped feature PRs.

@bnz183 bnz183 closed this Jun 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants