LibreChat/packages
Marco Beretta aae066dca6
fix: reject non-string tag and conversationId in forced-retention helpers
The bookmark-tag and conversation ids passed to the forced-retention
helpers come from untyped request bodies, so a crafted PUT /api/tags
body like {"tag": {"$gt": ""}} reached Conversation.find({ tags }) as a
query operator and matched every tagged conversation instead of one,
bulk-converting them under ephemeral retention (NoSQL operator
injection). The same applied to req.body.conversationId on POST.

Guard applyForcedRetention and applyForcedRetentionToTag to ignore any
non-string conversationId/messageId/tag, and pass a guaranteed string
from the tag rename route.
2026-07-01 19:38:20 +02:00
..
api fix: cap shared-link expiry at source conversation and enforce retention on assistant saves 2026-06-30 04:51:45 +02:00
client 🧪 ci: Resolve DataTable test infinite re-render (#13947) 2026-06-24 23:40:18 -04:00
data-provider feat: add ephemeral retention mode for forced temporary chats 2026-06-30 04:51:45 +02:00
data-schemas fix: reject non-string tag and conversationId in forced-retention helpers 2026-07-01 19:38:20 +02:00
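
The operator injection described in the commit message above, next to a string guard of the kind it describes, as an added example that is not LibreChat's code. The helper names, the sample documents and the in-memory `findByTags` matcher (a stand-in for `Conversation.find({ tags })` that handles only string equality and `$gt`) are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not taken from the project.
// Constructed sample data standing in for a conversations collection.
const conversations = [
  { conversationId: 'c1', tags: ['work'] },
  { conversationId: 'c2', tags: ['travel'] },
  { conversationId: 'c3', tags: [] },
];

// Stand-in for a MongoDB filter on an array field: a string matches by
// membership, an object is read as an operator document (only $gt here).
function findByTags(docs, tags) {
  return docs.filter((doc) => {
    if (typeof tags === 'string') return doc.tags.includes(tags);
    if (tags !== null && typeof tags === 'object' && '$gt' in tags) {
      return doc.tags.some((t) => t > tags.$gt);
    }
    return false;
  });
}

// Unguarded helper: whatever arrived in the request body becomes the filter.
function retainByTagUnguarded(docs, tag) {
  return findByTags(docs, tag).map((d) => d.conversationId);
}

// Guarded helper: a non-string tag is ignored before any query is built,
// so an operator document never reaches the filter.
function retainByTagGuarded(docs, tag) {
  if (typeof tag !== 'string') return [];
  return findByTags(docs, tag).map((d) => d.conversationId);
}

// Body quoted in the commit message, parsed the way a JSON body parser would.
const crafted = JSON.parse('{"tag": {"$gt": ""}}').tag;

console.log('unguarded, crafted:', retainByTagUnguarded(conversations, crafted));
console.log('guarded, crafted:  ', retainByTagGuarded(conversations, crafted));
console.log('guarded, "work":   ', retainByTagGuarded(conversations, 'work'));
```
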