Security hardening: fix SQL injection, WAF bypass, placeholder injection, and more
- C1: Replace all ClickHouse string interpolation with parameterized queries (query_params) to eliminate SQL injection in analytics endpoints - C3: Strip Caddy placeholder patterns from redirect rules, protected paths, and Authentik auth endpoint to prevent config injection - C4: Replace WAF custom directive blocklist with allowlist approach — only SecRule/SecAction/SecMarker/SecDefaultAction permitted; block ctl:ruleEngine and Include directives - H2: Validate GCM authentication tag is exactly 16 bytes before decryption - H3: Validate forward auth redirect URIs (scheme, no credentials) to prevent open redirects - H4: Switch 11 analytics/WAF/geoip endpoints from session-only requireAdmin to requireApiAdmin supporting both Bearer token and session auth - H5: Add input validation for instance-mode (whitelist) and sync-token (32-char minimum) in settings API - M1: Add non-root user to l4-port-manager Dockerfile - M5: Document Caddy admin API binding security rationale - Document C2 (custom config injection) and H1 (SSRF via upstreams) as intentional admin features Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
fuomag9
@@ -6,6 +6,9 @@ import { asc, desc, eq, count, like, or } from "drizzle-orm";
|
||||
import { type GeoBlockSettings } from "../settings";
|
||||
import { normalizeProxyHostDomains } from "../proxy-host-domains";
|
||||
|
||||
// Security: Only the protocol scheme is validated (http/https). Host/IP targets are
|
||||
// not restricted — admins intentionally need to proxy to internal services.
|
||||
// The Caddy admin API (port 2019) is protected by origins checking, not network isolation.
|
||||
function validateUpstreamProtocol(upstream: string): void {
|
||||
const trimmed = upstream.trim();
|
||||
if (!trimmed) return;
|
||||
@@ -365,7 +368,7 @@ function sanitizeAuthentikMeta(meta: ProxyHostAuthentikMeta | undefined): ProxyH
|
||||
|
||||
const authEndpoint = normalizeMetaValue(meta.auth_endpoint ?? null);
|
||||
if (authEndpoint) {
|
||||
normalized.auth_endpoint = authEndpoint;
|
||||
normalized.auth_endpoint = authEndpoint.replace(/\{[^}]*\}/g, "");
|
||||
}
|
||||
|
||||
if (Array.isArray(meta.copy_headers)) {
|
||||
@@ -387,7 +390,7 @@ function sanitizeAuthentikMeta(meta: ProxyHostAuthentikMeta | undefined): ProxyH
|
||||
}
|
||||
|
||||
if (Array.isArray(meta.protected_paths)) {
|
||||
const paths = meta.protected_paths.map((path) => path?.trim()).filter((path): path is string => Boolean(path));
|
||||
const paths = meta.protected_paths.map((path) => path?.trim().replace(/\{[^}]*\}/g, "")).filter((path): path is string => Boolean(path));
|
||||
if (paths.length > 0) {
|
||||
normalized.protected_paths = paths;
|
||||
}
|
||||
@@ -567,7 +570,7 @@ function sanitizeCpmForwardAuthMeta(meta: CpmForwardAuthMeta | undefined): CpmFo
|
||||
normalized.enabled = Boolean(meta.enabled);
|
||||
}
|
||||
if (Array.isArray(meta.protected_paths)) {
|
||||
const paths = meta.protected_paths.map((p) => p?.trim()).filter((p): p is string => Boolean(p));
|
||||
const paths = meta.protected_paths.map((p) => p?.trim().replace(/\{[^}]*\}/g, "")).filter((p): p is string => Boolean(p));
|
||||
if (paths.length > 0) {
|
||||
normalized.protected_paths = paths;
|
||||
}
|
||||
@@ -658,7 +661,7 @@ function sanitizeRedirectRules(value: unknown): RedirectRule[] {
|
||||
typeof item.to === "string" && item.to.trim() &&
|
||||
[301, 302, 307, 308].includes(item.status)
|
||||
) {
|
||||
valid.push({ from: item.from.trim(), to: item.to.trim(), status: item.status });
|
||||
valid.push({ from: item.from.trim().replace(/\{[^}]*\}/g, ""), to: item.to.trim().replace(/\{[^}]*\}/g, ""), status: item.status });
|
||||
}
|
||||
}
|
||||
return valid;
|
||||
|
||||
Reference in New Issue
Block a user