Conversation

- Commit message trailer: Co-authored-by: lmangani <1423657+lmangani@users.noreply.github.com> Agent-Logs-Url: https://github.com/audiohacking/acestep-cpp-api/sessions/fbba7738-f434-4332-84ec-ffa6ef309a51
- Copilot (AI) changed the title from "[WIP] Add full API documentation with supported endpoints" to "Add full API docs and make model listing dynamic from ACESTEP_MODEL_MAP" (Mar 21, 2026)
- Commit message trailer: Co-authored-by: lmangani <1423657+lmangani@users.noreply.github.com> Agent-Logs-Url: https://github.com/audiohacking/acestep-cpp-api/sessions/8c812542-7f5b-4523-9ab9-8b884ad75b21
- Copilot (AI) changed the title from "Add full API docs and make model listing dynamic from ACESTEP_MODEL_MAP" to "Auto-discover GGUF models from disk; ACESTEP_MODELS as filter gate" (Mar 21, 2026)
- Commit message (truncated): …ntainment Co-authored-by: lmangani <1423657+lmangani@users.noreply.github.com> Agent-Logs-Url: https://github.com/audiohacking/acestep-cpp-api/sessions/89f9752f-cbc8-42dc-9c86-190ad8a3efd7
- Copilot (AI) changed the title from "Auto-discover GGUF models from disk; ACESTEP_MODELS as filter gate" to "Security: path traversal + arbitrary filesystem access hardening" (Mar 21, 2026)
- Commit message (truncated): …nstead of hardcoded Unix paths Co-authored-by: lmangani <1423657+lmangani@users.noreply.github.com> Agent-Logs-Url: https://github.com/audiohacking/acestep-cpp-api/sessions/051c1563-8de6-4e16-bb20-5bbd9243032a
- Copilot (AI) changed the title from "Security: path traversal + arbitrary filesystem access hardening" to "Security: fix path traversal and arbitrary filesystem access vectors; cross-platform test fixes" (Mar 21, 2026)
User-controlled input could reach the filesystem outside intended boundaries via three distinct vectors. Additionally, hardcoded Unix paths in security tests caused Windows CI failures.

Security fixes

1. Path traversal in `GET /v1/audio`
   The old sanitization (`replace(/\.\./g, "")`) is bypassable. Replaced with a `resolve()` + `isPathWithin()` containment check — any path resolving outside `audioStorageDir` returns 404.

2. Arbitrary path access via `src_audio_path` / `reference_audio_path`
   JSON bodies could supply `{"src_audio_path": "/etc/shadow"}` and have it forwarded directly to `ace-synth --src-audio`. Now validated to be within `tmpDir` (multipart upload landing zone) or `audioStorageDir` before the binary is invoked.

3. Arbitrary path access via per-request `lm_model_path`
   Same class of issue — JSON bodies could override the LM model path to any file passed to `ace-lm --lm`. When `ACESTEP_MODELS_DIR` is configured, the resolved path must be within that directory.

Shared utility — `src/paths.ts`

Added `isPathWithin(child, parent)`: resolves both sides with `path.resolve()`, then checks for exact equality or a `sep`-terminated prefix. The `sep` guard prevents `/storage/audiovil` from matching `/storage/audio`.

Cross-platform test fixes — `test/security.test.ts`

Hardcoded Unix paths like `"/storage/audio/abc123.mp3"` broke Windows CI. Fixed by:
- `storageDir` via `resolve("/storage/audio")` (picks up drive letter on Windows)
- `join(storageDir, ...)` for `.toBe()` expectations
- `storageDir + sep` for `.startsWith()` checks
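The following is an added example, not code from the acestep-cpp-api repository: it re-implements the containment check described above (resolve both sides, then accept exact equality or a `sep`-terminated prefix) and shows how it serves both the `GET /v1/audio` lookup and the JSON-body path validation. `isPathWithin` follows the signature the PR names, but `naivePrefixWithin`, `resolveAudioPath`, `isAllowedInputPath` and the `demo` values are assumptions made for illustration; the directories are constructed sample values, resolved with `resolve()` so the same code runs on Windows.

```typescript
import { resolve, sep } from "path";

// Re-implementation (assumed, not copied from src/paths.ts) of the
// containment check the PR describes: resolve both sides, then accept only
// exact equality or a sep-terminated prefix.
export function isPathWithin(child: string, parent: string): boolean {
  const c = resolve(child);
  const p = resolve(parent);
  if (c === p) return true;
  // Appending sep is what stops "/storage/audiovil" matching "/storage/audio";
  // a root parent ("/") already ends in sep and must not get a second one.
  const prefix = p.endsWith(sep) ? p : p + sep;
  return c.startsWith(prefix);
}

// Flawed variant (hypothetical, for contrast): a bare prefix test with no
// sep guard, so a sibling directory sharing the prefix is accepted.
export function naivePrefixWithin(child: string, parent: string): boolean {
  return resolve(child).startsWith(resolve(parent));
}

// Hypothetical GET /v1/audio lookup: the requested name is resolved against
// audioStorageDir and anything landing outside yields null (the HTTP layer
// would answer 404). Absolute inputs are rejected as well, because resolve()
// discards the base directory when its second argument is absolute.
export function resolveAudioPath(audioStorageDir: string, requested: string): string | null {
  const candidate = resolve(audioStorageDir, requested);
  return isPathWithin(candidate, audioStorageDir) ? candidate : null;
}

// Hypothetical validation for JSON-body paths such as src_audio_path: the
// value must sit inside one of the allowed directories (tmpDir or
// audioStorageDir) before it is handed to the external binary.
export function isAllowedInputPath(candidate: string, allowedDirs: string[]): boolean {
  return allowedDirs.some((dir) => isPathWithin(candidate, dir));
}

// Constructed demo directories; resolve() picks up the drive letter on Windows.
const audioStorageDir = resolve("/storage/audio");
const tmpDir = resolve("/tmp/uploads");

// Collects the outcomes for a set of constructed inputs so they can be checked.
export function demo(): Record<string, unknown> {
  return {
    validName: resolveAudioPath(audioStorageDir, "abc123.mp3"),
    traversal: resolveAudioPath(audioStorageDir, "../../etc/shadow"),
    absolute: resolveAudioPath(audioStorageDir, "/etc/shadow"),
    siblingDirNaive: naivePrefixWithin("/storage/audiovil/x.mp3", audioStorageDir),
    siblingDirHardened: isPathWithin("/storage/audiovil/x.mp3", audioStorageDir),
    uploadAllowed: isAllowedInputPath(resolve(tmpDir, "in.wav"), [tmpDir, audioStorageDir]),
    shadowAllowed: isAllowedInputPath("/etc/shadow", [tmpDir, audioStorageDir]),
  };
}

console.log(demo());
```

The `resolve()` step is what makes the check meaningful: string stripping only removes one literal pattern, whereas resolving collapses `..` segments and absolute inputs into a canonical path before the prefix is compared. On Windows, `resolve()` also yields drive-letter paths, so comparisons should be done against `resolve("/storage/audio")` rather than a literal Unix string, which is the same adjustment the PR made in `test/security.test.ts`.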