Commit 3cedac8
authored
fix(security): authz, IDOR, and abuse-prevention fixes (#4944)
* fix(knowledge): require write access for batch chunk operations
The PATCH /api/knowledge/[id]/documents/[documentId]/chunks handler
performs enable/disable/delete operations but authorized callers with
only read-level access (checkDocumentAccess). This let read-only
workspace members destroy or disable indexed chunks.
Switch to checkDocumentWriteAccess (write/admin required), matching the
sibling POST/PUT/DELETE chunk mutation endpoints.
* fix(env): restrict decrypted workspace env vars to secret admins
GET /api/workspaces/:id/environment returned decrypted workspace
environment variables to any member, including read-only collaborators,
leaking API tokens, database URLs, and other secrets.
Mask workspace variable values for non-admin viewers while preserving
the variable names, so editor autocomplete and conflict detection keep
working. A value is revealed only when the caller is a credential admin
of that key, or — for legacy keys with no per-secret ACL — holds
workspace admin permission. This mirrors the per-key edit gating already
enforced by PUT/DELETE: if you can administer a secret, you can read it.
Personal variables and execution-time resolution are unchanged.
* fix(files): block cross-tenant deletion via client-controlled context
POST /api/files/delete trusted a client-supplied `context`, letting any
authenticated user delete another tenant's file by naming an arbitrary
key with `context: "og-images"`. verifyFileAccess() short-circuited the
three public contexts (profile-pictures, og-images, workspace-logos) to
`true` before any ownership/requireWrite check.
- Derive the storage context strictly from the trusted key prefix in the
delete route; reject a supplied `context` that disagrees with the key.
- Gate the public-context short-circuit to reads only. Destructive ops
(requireWrite) now prove ownership via verifyPublicAssetWriteAccess:
workspace-logos require write/admin on the bound workspace,
profile-pictures require an exact owner match, og-images always deny.
Reads of public assets are unchanged.
* fix(telegram): verify X-Telegram-Bot-Api-Secret-Token on inbound webhooks
Telegram triggers accepted any forged update from anyone who knew the
webhook URL path: verifyAuth was a no-op that always returned null, and
setWebhook registered no secret_token.
Generate a per-webhook secret in createSubscription, register it with
Telegram as secret_token, and persist it to providerConfig. verifyAuth
now fails closed — rejects when no token is configured, when the
X-Telegram-Bot-Api-Secret-Token header is absent, or when it does not
match via constant-time safeCompare.
* fix(security): pin DNS for Agiloft directExecution and Grafana update tools
The Agiloft directExecution tools (read/create/search/update/delete/lock/
saved_search/select/get_choice_line_id/remove_attachment/attachment_info)
and the Grafana update_dashboard/update_alert_rule postProcess hooks issued
outbound HTTP to a fully user-controlled host (instanceUrl/baseUrl) via the
global fetch(), guarded only by the synchronous validateExternalUrl() — which
never resolves DNS, so a hostname resolving to an internal/reserved IP passed
validation (SSRF).
Route all of these through the codebase's standard SSRF-safe path:
- Agiloft: moved executeAgiloftRequest into utils.server.ts where the existing
pinned helpers live. It now resolves+validates the instance URL once and pins
every hop (login, operation, logout) to that IP via secureFetchWithPinnedIP.
The 11 tool configs now import it from utils.server; URL builders stay in the
client-safe utils.ts.
- Grafana: the postProcess POST/PUT now uses validateUrlWithDNS +
secureFetchWithPinnedIP, matching the already-pinned initial GET.
This completes the Agiloft SSRF pinning started in #4639 (which covered the
attach/retrieve API routes) by closing the directExecution path, and extends
the same guard to the Grafana update tools.
* fix(api): enforce workspace allowPersonalApiKeys policy on v1 surface
The external v1 API authenticated API keys without evaluating the
per-workspace allowPersonalApiKeys setting, so a personal API key could
read and mutate a workspace's resources (workflows, tables, files,
knowledge, logs) even when the workspace had explicitly disabled personal
keys. The same control is already enforced on the workflow-execution
surface.
Enforce the policy in checkWorkspaceScope (covering validateWorkspaceAccess
too): reject personal keys with 403 when the workspace has
allowPersonalApiKeys=false. checkWorkspaceScope becomes async; all v1
route callsites updated to await it.
* fix(billing): close usage-cap admission race with atomic reservation
The server-side usage-limit gate read already-recorded cost, but cost is
only written when an execution finishes. A burst of concurrent executions
all observed the same pre-burst usage, all passed the cap, and all ran —
collectively spending far past the limit before any cost landed in the
ledger (free-tier abuse / hard-cap defeat). manual/chat triggers also skip
rate limiting, removing the only throttle.
Add an atomic check-then-reserve admission step (Redis Lua) that bounds
in-flight, un-costed executions per billing entity by both a per-plan
concurrency cap and remaining usage headroom, so recordedUsage +
reservedSlots * estimate <= limit always holds. The slot is released at
execution completion via LoggingSession (skipped on pause; TTL self-heals
crashes). Runs for all trigger types, covering the previously-unthrottled
manual/chat paths.
Fails open when billing is disabled or Redis is unavailable, matching the
rate limiter — a Redis blip can't turn into an execution outage, and the
recorded-usage gate still runs.
* fix(workflows): validate folderId belongs to workflow's workspace on create/update/reorder
Reject a folderId that references a folder in a different workspace (or
an archived/non-existent folder) before writing it to workflow.folderId.
Previously create, update, and reorder only checked workspace permission
on the workflow and the folder's lock status, never that the folder lived
in the workflow's own workspace, allowing a dangling cross-workspace
folder reference.
Adds isFolderInWorkspace/assertFolderInWorkspace + FolderNotFoundError to
@sim/workflow-authz (mirroring assertTargetFolderMutable in the duplicate
path), enforced in performCreateWorkflow, performUpdateWorkflow, and the
reorder route. Invalid folders now return 400.
* fix(folders): validate parentId against workspace on create/update/reorder
Folder write endpoints accepted a caller-supplied parentId and persisted it
without verifying the parent existed in the same workspace, and the create and
reorder paths had no cycle guard. A workspace member with write access could
reparent a folder to a foreign-workspace folder, a non-existent id, or (via
reorder) into a cycle, hiding the folder and its workflows from all members.
- performCreateFolder: reject self-parenting and validate the parent exists in
the workspace and is not archived (mirrors the duplicate route).
- performUpdateFolder: add the same workspace/archived parent check alongside
the existing circular-reference guard.
- folders/reorder: validate every target parent against the workspace, detect
cycles in the resulting parent graph (catches batch cycles), and normalize
falsy parentId to null to prevent orphaning.
Adds tests for cross-workspace parent rejection and batch-cycle rejection.
* chore(knowledge): drop non-TSDoc inline comments from chunks route
* fix(webhooks): fail closed when HMAC signing secret is not configured
Inbound webhook signature verification failed open for HMAC providers
(GitHub, Intercom, Jira, JSM, Confluence, Cal.com, Notion, Greenhouse,
Typeform, Fireflies, Circleback): when no signing secret was stored,
verifyAuth returned null and the workflow executed on a fully
attacker-controlled body. Reject these deliveries with 401 instead,
matching the fail-closed Stripe/WhatsApp/Vercel providers.
Run provider reachability/verification handshakes (Notion
verification_token, Grain/Intercom ping) ahead of auth so the
pre-secret setup handshake still completes — those return a canned 200
without executing the workflow, and real event payloads fall through to
fail-closed verification.
Update the trigger secret-field copy to state the secret is required
for deliveries to be accepted (was misleadingly marked optional).
* style(files): trim verbose inline comments on delete authorization fix
* fix(auth): close account-enumeration oracle on email sign-up
The custom before-hook pre-check threw a distinguishing
422/USER_ALREADY_EXISTS for already-registered emails, letting an
unauthenticated attacker enumerate accounts — defeating better-auth's
own OWASP enumeration protection (active under requireEmailVerification).
Remove the pre-check and rely on better-auth's generic duplicate-sign-up
response, wiring:
- onExistingUserSignUp: notify the real account owner out-of-band,
mirroring the privacy-preserving forget-password flow.
- customSyntheticUser: include admin (role/banned/banReason/banExpires)
and Stripe (stripeCustomerId, billing-gated) user fields so the fake
response shape is byte-identical to a real new-user response.
Adds an ExistingAccountEmail template + 'existing-account' subject.
* style(tools): drop non-TSDoc inline comments from Grafana/Agiloft SSRF tools
* chore(api): trim extraneous inline comments in v1 logs/files routes
Remove a redundant size annotation and two verbose multi-line
materialization comments whose intent is already clear from the code.
Load-bearing comments (race-condition and key-translation notes) kept.
* fix(billing): exclude table-cell dispatch from admission reservation
Table-cell dispatch is row-bounded, async rate-limited, and already
surfaces a graceful usage state. Applying the in-flight concurrency
reservation there turned its 429 into a hard cell error on a normal
>15-concurrent-cell run (only 402 was handled gracefully). Skip the
reservation for that surface via a new skipConcurrencyReservation option
(the usage-cost cap is still enforced), and tidy the reservation comments
to TSDoc.
* fix(chat): rate-limit and constant-time password auth for public chats
Password-protected public chat (POST /api/chat/[identifier]) had no
throttling on the password check and compared with a non-constant-time
!==, allowing unlimited brute-force and per-character timing leaks.
- Add per-IP rate limiting (10 / 15min) to the password branch of
validateChatAuth, mirroring the OTP/SSO endpoints; return 429 with
Retry-After. Only explicit unlock attempts consume tokens — message
sends carry no password and ride the auth cookie.
- Replace password !== decrypted with safeCompare.
- Fails open on rate-limiter storage errors; no availability regression.
* fix(security): cap JSON request body size and gate public chat endpoint
The shared parseJsonBody helper (behind parseRequest, used by nearly
every contract route) read request bodies with no size limit, buffering
the full body into memory before validation. The unauthenticated public
deployed-chat endpoint reached this sink with no admission gate, enabling
an anonymous memory-exhaustion DoS.
- parseRequest/parseJsonBody now enforce a byte cap via a size-limited
stream read (content-length precheck + streamed cap), returning 413.
Default is API_MAX_JSON_BODY_BYTES (50 MB), overridable per route via
maxBodyBytes. Decoding uses TextDecoder to match request.json() BOM
handling.
- Public chat POST is wrapped with the admission gate (tryAdmit) and
passes an explicit CHAT_MAX_REQUEST_BYTES (20 MB) cap.
- Chat body contract gains .max() bounds on input, password,
conversationId, file data/name/type, and files array length.
- Admin bulk workspace import opts into a higher 100 MB cap to avoid
regressing large multi-workflow imports.
* fix(chat): rate-limit and constant-time password auth for public chats
Password-protected public chat (POST /api/chat/[identifier]) had no
throttling on the password check and compared with a non-constant-time
!==, allowing unlimited brute-force and per-character timing leaks.
- Add per-IP rate limiting (10 / 15min) to the password branch of
validateChatAuth, mirroring the OTP/SSO endpoints; return 429 with
Retry-After. Only explicit unlock attempts consume tokens — message
sends carry no password and ride the auth cookie.
- Replace password !== decrypted with safeCompare.
- Fails open on rate-limiter storage errors; no availability regression.
Reinstates the fix reverted by an intervening commit.
* fix(billing): never block a lone execution on usage headroom
The admission reservation tapered allowed concurrency by remaining usage
headroom. With under one credit of headroom left (but not yet over the
cap), floor(headroom / estimate) hit zero and rejected even a single,
zero-concurrency execution — stricter than the recorded-usage gate, which
would have allowed that last run, and with a misleading "too many
concurrent executions" message. Floor the headroom term at 1 so a lone
execution is governed only by the cost gate; concurrency above the first
slot still tapers with headroom.
* refactor(env): document workspace env masking, drop inline comments
Extract the workspace-env value masking into a TSDoc-documented
maskWorkspaceEnvForViewer helper and remove the redundant inline
comments from the GET handler and its test. No behavior change.
* refactor(env): convert PUT/DELETE authz comments to TSDoc
Move the tiered-authorization rationale for the workspace env upsert and
delete handlers into TSDoc blocks and drop the inline comments. No
behavior change.
* fix(telegram): keep legacy webhooks working via Telegram source-IP fallback
The secret-token check rejected every webhook registered before secret_token
support, breaking live triggers until re-saved. Fall back to verifying the
request originates from Telegram's published webhook IP ranges when no secret
is configured, so existing triggers keep firing with no re-save or migration
while forged updates from arbitrary hosts are still rejected. Webhooks with a
registered secret continue to use strict constant-time token verification.
* fix(chat): restore constant-time password auth and IP rate limit
A billing commit (ac56525) reverted the public-chat auth hardening as
collateral, leaving HEAD with a timing-oracle password comparison
(password !== decrypted) and no per-IP brute-force rate limit. Restore
safeCompare and the password-attempt rate limiter, and re-add the 429 test.
* revert(webhooks): undo trigger auth hardening pending compat plan
Reverts the Telegram inbound-token verification (3ed97a4, 41f133a)
and the HMAC fail-closed change (5b6cae9). Production data shows ~79
live webhooks have no signing secret configured (63 GitHub, 9 Fireflies,
3 Jira, 2 Circleback, 1 Confluence, 1 Cal.com), so failing closed would
401 them. Restoring fail-open behavior until a backwards-compatible
rollout (grandfather existing secretless webhooks / migration) is designed.
Other security fixes on this branch are unaffected.
* test(chat): make RateLimiter mock a constructable class
The arrow-function mockImplementation form was not reliably constructable
in the full suite run (`new RateLimiter()` threw "is not a constructor"),
though it passed in isolation. Switch to the class-based mock used by the
sibling OTP/speech route tests.
* fix(billing): release admission slot on pre-execution aborts; cluster-safe release
Addresses PR review on the usage-cap admission reservation:
- Slot leak: the reservation taken at the end of preprocessing was only
released when the LoggingSession finalized. The execute route's
pre-execution exits (client cancel, workspace/API-key guards) returned
without finalizing a session, leaking the slot until its TTL and wrongly
throttling later runs. Release explicitly on those paths; executions that
start are still released via session finalization.
- Release is now cluster-safe: replaced the Lua script that rebuilt the
in-flight key from the pointer value (a key not declared in KEYS, which
silently breaks Redis Cluster slot routing) with discrete single-key
GETDEL + ZREM commands.
* improvement(files): log missing owner metadata distinctly on profile-picture delete deny
Per PR review: when a profile-picture delete is denied, distinguish a
missing owner record (no userId metadata) from a genuine ownership
mismatch so the fail-closed denial is diagnosable. Behavior unchanged —
both still deny.
* fix(billing): release admission slot when async enqueue fails
If queueing the background workflow job throws, no job runs and no
LoggingSession finalizes, so the admission slot reserved during
preprocessing would leak until its TTL. Release it before returning 500.
* fix(api): make body-size caps NaN-safe and raise chat input/attachment limits
- DEFAULT_MAX_JSON_BODY_BYTES and CHAT_MAX_REQUEST_BYTES now fall back to
hardcoded defaults (50 MB / 220 MB) when the env value is missing or
non-numeric, so a misconfig can't silently produce a NaN cap that never
rejects.
- Raise CHAT_MAX_REQUEST_BYTES default to 220 MB to cover 15 base64 file
attachments, and MAX_CHAT_INPUT_CHARS to 1,000,000.
- Minor: tidy use-inline-rename onSave type; drop two redundant test comments.
* fix(hooks): restore void return in useInlineRename onSave type
A prior commit changed onSave's return type from `void | Promise<unknown>`
to `undefined | Promise<unknown>`, which broke the build: callbacks that
return nothing (table-grid column rename, table header rename) infer a
`void` return, which is not assignable to `undefined`. Restore the `void`
union so both fire-and-forget and Promise-returning callbacks type-check.
* fix(billing,api): release chat reservation slot on early exit; preserve 413 on oversized import
- Chat route: preprocessExecution reserves a billing concurrency slot, but
the post-preprocess early exits (missing workspaceId, execution-setup
failure) returned without releasing it, leaking the slot until TTL and
wrongly throttling later runs. Release explicitly on those paths
(idempotent), mirroring the workflows execute route.
- Admin import route: an oversized JSON body now returns the real 413 from
parseJsonBody instead of being remapped to a 400; invalid JSON still 400s.
* fix(icons): make Infisical icon black for contrast; regenerate docs
The Infisical mark rendered near-white on its yellow block background and
was barely visible; switch its fill from currentColor to #000000 (matching
the hardcoded-fill pattern of sibling brand icons). Sync the docs icon copy
and pick up a stale servicenow doc regeneration.
* fix(billing): release reserved slot on execute-route 503 and setup throw
After preprocessExecution reserves a billing concurrency slot, the streaming
path could exit without releasing it: the 503 return when
initializeExecutionStreamMeta fails, and any throw during stream setup (caught
by the outer handler, which only returned 500). Both left the slot held until
TTL, wrongly throttling unrelated runs. Release on the 503 path and in the
outer catch (executionId hoisted so the catch can see it; release is
idempotent and a no-op when no slot was reserved).
* fix(icons): make Linkup icon black for contrast
The Linkup mark rendered with currentColor (near-white on its block
background); switch its fill to #000000 for legibility, matching the
Infisical fix. Docs icon copy synced via generate-docs.
* fix(billing): release reserved slot if inline async job never starts
In the inline (single-process) async path, if jobQueue.startJob threw before
executeWorkflowJob ran, no LoggingSession finalized and the reserved billing
slot was held until TTL. Release it in the fire-and-forget catch (idempotent;
a no-op when the job already finalized and released). The queued-worker path
and all in-job outcomes already release via the job's LoggingSession finalize.1 parent 6abcf82 commit 3cedac8
61 files changed
Lines changed: 1702 additions & 295 deletions
File tree
- apps
- docs/components
- sim
- app/api
- chat
- [identifier]
- files
- delete
- folders
- reorder
- knowledge/[id]/documents/[documentId]/chunks
- v1
- admin/workspaces/[id]/import
- files
- logs
- tables/[tableId]
- columns
- rows
- [rowId]
- upsert
- workflows
- [id]
- execute
- reorder
- workspaces/[id]/environment
- background
- components
- emails
- auth
- lib
- api
- contracts
- server
- auth
- billing/calculations
- core/config
- execution
- logs/execution
- workflows/orchestration
- tools
- agiloft
- grafana
- packages
- testing/src/mocks
- workflow-authz/src
Some content is hidden
Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2492 | 2492 | | |
2493 | 2493 | | |
2494 | 2494 | | |
2495 | | - | |
| 2495 | + | |
2496 | 2496 | | |
2497 | 2497 | | |
2498 | 2498 | | |
| |||
4967 | 4967 | | |
4968 | 4968 | | |
4969 | 4969 | | |
4970 | | - | |
| 4970 | + | |
4971 | 4971 | | |
4972 | 4972 | | |
4973 | 4973 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
6 | 6 | | |
7 | 7 | | |
8 | 8 | | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
9 | 12 | | |
10 | 13 | | |
11 | 14 | | |
| |||
40 | 43 | | |
41 | 44 | | |
42 | 45 | | |
| 46 | + | |
| 47 | + | |
43 | 48 | | |
44 | 49 | | |
45 | 50 | | |
46 | 51 | | |
47 | 52 | | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
48 | 58 | | |
49 | 59 | | |
| 60 | + | |
50 | 61 | | |
51 | 62 | | |
52 | 63 | | |
| |||
125 | 136 | | |
126 | 137 | | |
127 | 138 | | |
128 | | - | |
| 139 | + | |
| 140 | + | |
| 141 | + | |
| 142 | + | |
| 143 | + | |
| 144 | + | |
| 145 | + | |
| 146 | + | |
129 | 147 | | |
130 | 148 | | |
131 | 149 | | |
| |||
177 | 195 | | |
178 | 196 | | |
179 | 197 | | |
| 198 | + | |
| 199 | + | |
| 200 | + | |
180 | 201 | | |
181 | 202 | | |
182 | 203 | | |
| |||
283 | 304 | | |
284 | 305 | | |
285 | 306 | | |
| 307 | + | |
| 308 | + | |
| 309 | + | |
286 | 310 | | |
287 | 311 | | |
288 | 312 | | |
289 | 313 | | |
290 | 314 | | |
| 315 | + | |
| 316 | + | |
291 | 317 | | |
292 | 318 | | |
293 | 319 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
19 | 19 | | |
20 | 20 | | |
21 | 21 | | |
| 22 | + | |
22 | 23 | | |
23 | 24 | | |
24 | 25 | | |
25 | 26 | | |
26 | 27 | | |
27 | 28 | | |
28 | 29 | | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
29 | 37 | | |
30 | 38 | | |
31 | 39 | | |
| |||
149 | 157 | | |
150 | 158 | | |
151 | 159 | | |
| 160 | + | |
152 | 161 | | |
153 | 162 | | |
154 | 163 | | |
| |||
235 | 244 | | |
236 | 245 | | |
237 | 246 | | |
| 247 | + | |
| 248 | + | |
| 249 | + | |
| 250 | + | |
| 251 | + | |
| 252 | + | |
| 253 | + | |
| 254 | + | |
| 255 | + | |
| 256 | + | |
| 257 | + | |
| 258 | + | |
| 259 | + | |
| 260 | + | |
| 261 | + | |
| 262 | + | |
| 263 | + | |
| 264 | + | |
| 265 | + | |
| 266 | + | |
| 267 | + | |
| 268 | + | |
| 269 | + | |
| 270 | + | |
| 271 | + | |
| 272 | + | |
238 | 273 | | |
239 | 274 | | |
240 | 275 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
3 | 3 | | |
| 4 | + | |
4 | 5 | | |
5 | 6 | | |
6 | 7 | | |
| 8 | + | |
| 9 | + | |
7 | 10 | | |
8 | 11 | | |
9 | 12 | | |
10 | 13 | | |
11 | 14 | | |
12 | 15 | | |
| 16 | + | |
13 | 17 | | |
14 | 18 | | |
15 | 19 | | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
16 | 32 | | |
17 | 33 | | |
18 | 34 | | |
| |||
88 | 104 | | |
89 | 105 | | |
90 | 106 | | |
91 | | - | |
| 107 | + | |
92 | 108 | | |
93 | 109 | | |
94 | 110 | | |
| |||
129 | 145 | | |
130 | 146 | | |
131 | 147 | | |
| 148 | + | |
| 149 | + | |
| 150 | + | |
| 151 | + | |
| 152 | + | |
| 153 | + | |
| 154 | + | |
| 155 | + | |
| 156 | + | |
| 157 | + | |
| 158 | + | |
| 159 | + | |
| 160 | + | |
| 161 | + | |
| 162 | + | |
| 163 | + | |
| 164 | + | |
132 | 165 | | |
133 | | - | |
| 166 | + | |
134 | 167 | | |
135 | 168 | | |
136 | 169 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
12 | 12 | | |
13 | 13 | | |
14 | 14 | | |
15 | | - | |
16 | | - | |
17 | | - | |
18 | | - | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
19 | 22 | | |
20 | 23 | | |
21 | 24 | | |
22 | 25 | | |
23 | | - | |
| 26 | + | |
24 | 27 | | |
25 | 28 | | |
26 | 29 | | |
| |||
151 | 154 | | |
152 | 155 | | |
153 | 156 | | |
| 157 | + | |
| 158 | + | |
| 159 | + | |
| 160 | + | |
| 161 | + | |
| 162 | + | |
| 163 | + | |
| 164 | + | |
| 165 | + | |
| 166 | + | |
| 167 | + | |
| 168 | + | |
| 169 | + | |
| 170 | + | |
| 171 | + | |
| 172 | + | |
| 173 | + | |
| 174 | + | |
| 175 | + | |
| 176 | + | |
| 177 | + | |
| 178 | + | |
| 179 | + | |
| 180 | + | |
| 181 | + | |
| 182 | + | |
| 183 | + | |
| 184 | + | |
| 185 | + | |
| 186 | + | |
| 187 | + | |
| 188 | + | |
| 189 | + | |
| 190 | + | |
| 191 | + | |
| 192 | + | |
| 193 | + | |
| 194 | + | |
| 195 | + | |
| 196 | + | |
| 197 | + | |
| 198 | + | |
| 199 | + | |
| 200 | + | |
| 201 | + | |
| 202 | + | |
| 203 | + | |
| 204 | + | |
| 205 | + | |
| 206 | + | |
| 207 | + | |
| 208 | + | |
| 209 | + | |
| 210 | + | |
| 211 | + | |
| 212 | + | |
0 commit comments