akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Security hardening: fix SQL injection, WAF bypass, placeholder injection, and more

Browse Source 
- C1: Replace all ClickHouse string interpolation with parameterized queries
  (query_params) to eliminate SQL injection in analytics endpoints
- C3: Strip Caddy placeholder patterns from redirect rules, protected paths,
  and Authentik auth endpoint to prevent config injection
- C4: Replace WAF custom directive blocklist with allowlist approach — only
  SecRule/SecAction/SecMarker/SecDefaultAction permitted; block ctl:ruleEngine
  and Include directives
- H2: Validate GCM authentication tag is exactly 16 bytes before decryption
- H3: Validate forward auth redirect URIs (scheme, no credentials) to prevent
  open redirects
- H4: Switch 11 analytics/WAF/geoip endpoints from session-only requireAdmin
  to requireApiAdmin supporting both Bearer token and session auth
- H5: Add input validation for instance-mode (whitelist) and sync-token
  (32-char minimum) in settings API
- M1: Add non-root user to l4-port-manager Dockerfile
- M5: Document Caddy admin API binding security rationale
- Document C2 (custom config injection) and H1 (SSRF via upstreams) as
  intentional admin features

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
fuomag9
2026-04-10 12:13:50 +02:00
parent e1c97038d4
commit 5d0b4837d8
21 changed files with 338 additions and 164 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/api/v1/settings/[group]/route.ts
+14
View File
@@ -72,11 +72,25 @@ export async function PUT(
const body = await request.json();
if (group === "instance-mode") {
const validModes = ["standalone", "master", "slave"];
if (!validModes.includes(body.mode)) {
return NextResponse.json(
{ error: `Invalid mode. Must be one of: ${validModes.join(", ")}` },
{ status: 400 }
);
}
await setInstanceMode(body.mode);
return NextResponse.json({ ok: true });
}
if (group === "sync-token") {
if (body.token !== null && body.token !== undefined &&
(typeof body.token !== "string" || body.token.length < 32)) {
return NextResponse.json(
{ error: "Token must be null or a string of at least 32 characters" },
{ status: 400 }
);
}
await setSlaveMasterToken(body.token ?? null);
return NextResponse.json({ ok: true });
}