93894c517b
Critical security fix addressing CWE-312/315/359 (Cleartext Storage/Cookie Storage/Privacy Exposure) where CrowdSec bouncer API keys were logged in cleartext. Implemented maskAPIKey() utility to show only first 4 and last 4 characters, protecting sensitive credentials in production logs. Enhanced CrowdSec configuration import validation with: - Zip bomb protection via 100x compression ratio limit - Format validation rejecting zip archives (only tar.gz allowed) - CrowdSec-specific YAML structure validation - Rollback mechanism on validation failures UX improvement: moved CrowdSec API key display from Security Dashboard to CrowdSec Config page for better logical organization. Comprehensive E2E test coverage: - Created 10 test scenarios including valid import, missing files, invalid YAML, zip bombs, wrong formats, and corrupted archives - 87/108 E2E tests passing (81% pass rate, 0 regressions) Security validation: - CodeQL: 0 CWE-312/315/359 findings (vulnerability fully resolved) - Docker Image: 7 HIGH base image CVEs documented (non-blocking, Debian upstream) - Pre-commit hooks: 13/13 passing (fixed 23 total linting issues) Backend coverage: 82.2% (+1.1%) Frontend coverage: 84.19% (+0.3%)
Backend Service
This folder contains the Go API for CaddyProxyManager+.
Prerequisites
- Go 1.24+
Getting started
cp .env.example .env # optional
cd backend
go run ./cmd/api
Tests
cd backend
go test ./...