akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 9 Packages Projects Releases Wiki Activity
Files
6d904c48b381cc5674878b5c0ceced3eb0437cb4
Charon/docs/plans/current_spec.md
GitHub Actions 3aaa059a15 fix: authentication issues for certificate endpoints and improve test coverage 
- Updated UsersPage tests to check for specific URL formats instead of regex patterns.
- Increased timeout for Go coverage report generation to handle larger repositories.
- Cleaned up generated artifacts before running CodeQL analysis to reduce false positives.
- Removed outdated QA testing report for authentication fixes on the certificates page.
- Added final report confirming successful resolution of authentication issues with certificate endpoints.
- Deleted previous test output files to maintain a clean test results directory.
2026-01-03 03:08:43 +00:00

38 lines
1.8 KiB
Markdown
Raw Blame History

# SSRF Remediation Plan (Index)
This file is intentionally SSRF-focused only.
The authoritative, Supervisor-updated SSRF plan is:
- [docs/plans/ssrf-remediation.md](docs/plans/ssrf-remediation.md)
## Merge policy (Supervisor requirement)
- The global CodeQL exclusion for `go/request-forgery` in
[.github/codeql/codeql-config.yml](.github/codeql/codeql-config.yml) must be removed
in the same PR/merge as the underlying SSRF fixes.
- Phase 0 can include local-only recon (e.g., temporary local edit of CodeQL config to
surface findings), but must not be a mergeable intermediate state.
## SSRF call sites (current known)
- Uptime monitor HTTP checks: `(*UptimeService).checkMonitor` in
[backend/internal/services/uptime_service.go](backend/internal/services/uptime_service.go)
- CrowdSec LAPI: `(*CrowdsecHandler).GetLAPIDecisions` and
`(*CrowdsecHandler).CheckLAPIHealth` in
[backend/internal/api/handlers/crowdsec_handler.go](backend/internal/api/handlers/crowdsec_handler.go)
- Caddy Admin API: `caddy.NewClient` and `(*Client).Load/GetConfig/Ping` in
[backend/internal/caddy/client.go](backend/internal/caddy/client.go)
- URL connectivity test (SSRF-sensitive client): `utils.TestURLConnectivity` in
[backend/internal/utils/url_testing.go](backend/internal/utils/url_testing.go)
## Relocated content (no deletions)
- Patch coverage (Codecov) plan (previous Appendix A):
[docs/plans/patch-coverage-codecov.md](docs/plans/patch-coverage-codecov.md)
- CodeQL/Trivy local scan hygiene notes (generated artifacts, skip dirs, etc.):
[docs/plans/codeql-local-hygiene.md](docs/plans/codeql-local-hygiene.md)
- DNS provider feature spec (implementation-level):
[docs/implementation/dns_providers_IMPLEMENTATION.md](docs/implementation/dns_providers_IMPLEMENTATION.md)
Reference in New Issue View Git Blame Copy Permalink