Security hardening: fix SQL injection, WAF bypass, placeholder injection, and more
- C1: Replace all ClickHouse string interpolation with parameterized queries (query_params) to eliminate SQL injection in analytics endpoints
- C3: Strip Caddy placeholder patterns from redirect rules, protected paths, and Authentik auth endpoint to prevent config injection
- C4: Replace WAF custom directive blocklist with allowlist approach — only SecRule/SecAction/SecMarker/SecDefaultAction permitted; block ctl:ruleEngine and Include directives
- H2: Validate GCM authentication tag is exactly 16 bytes before decryption
- H3: Validate forward auth redirect URIs (scheme, no credentials) to prevent open redirects
- H4: Switch 11 analytics/WAF/geoip endpoints from session-only requireAdmin to requireApiAdmin supporting both Bearer token and session auth
- H5: Add input validation for instance-mode (whitelist) and sync-token (32-char minimum) in settings API
- M1: Add non-root user to l4-port-manager Dockerfile
- M5: Document Caddy admin API binding security rationale
- Document C2 (custom config injection) and H1 (SSRF via upstreams) as intentional admin features

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -204,13 +204,14 @@ describe('PUT /api/v1/settings/[group]', () => {
it('sets sync token', async () => {
mockSetSlaveMasterToken.mockResolvedValue(undefined as any);

const body = { token: 'new-sync-token' };
const validToken = 'a]b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6';
const body = { token: validToken };
const response = await PUT(createMockRequest({ method: 'PUT', body }), { params: Promise.resolve({ group: 'sync-token' }) });
const data = await response.json();

expect(response.status).toBe(200);
expect(data).toEqual({ ok: true });
expect(mockSetSlaveMasterToken).toHaveBeenCalledWith('new-sync-token');
expect(mockSetSlaveMasterToken).toHaveBeenCalledWith(validToken);
});

it('clears sync token when null', async () => {
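Review bot: the H5 change (32-character minimum for sync-token) is only covered by the happy path here; the old 14-character value `'new-sync-token'` that this hunk replaces is exactly the input that should now be rejected, so add a companion case sending `{ token: 'new-sync-token' }` and asserting the request fails and `mockSetSlaveMasterToken` is not called, otherwise a regression that drops the length check would go unnoticed. Also double-check the `]` in the second position of `validToken` (`'a]b2c3...'`): if it is a typo for `1` it should be fixed, and if it is intentional the test should say so, since as written it silently documents that a bracket character passes the new validation.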