akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
5d0b4837d87528ff83d84f964971d09c3cbed1fe
caddy-proxy-manager/app/api/analytics/summary/route.ts
fuomag9 5d0b4837d8 Security hardening: fix SQL injection, WAF bypass, placeholder injection, and more 
- C1: Replace all ClickHouse string interpolation with parameterized queries
  (query_params) to eliminate SQL injection in analytics endpoints
- C3: Strip Caddy placeholder patterns from redirect rules, protected paths,
  and Authentik auth endpoint to prevent config injection
- C4: Replace WAF custom directive blocklist with allowlist approach — only
  SecRule/SecAction/SecMarker/SecDefaultAction permitted; block ctl:ruleEngine
  and Include directives
- H2: Validate GCM authentication tag is exactly 16 bytes before decryption
- H3: Validate forward auth redirect URIs (scheme, no credentials) to prevent
  open redirects
- H4: Switch 11 analytics/WAF/geoip endpoints from session-only requireAdmin
  to requireApiAdmin supporting both Bearer token and session auth
- H5: Add input validation for instance-mode (whitelist) and sync-token
  (32-char minimum) in settings API
- M1: Add non-root user to l4-port-manager Dockerfile
- M5: Document Caddy admin API binding security rationale
- Document C2 (custom config injection) and H1 (SSRF via upstreams) as
  intentional admin features

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 12:13:50 +02:00

30 lines
1.1 KiB
TypeScript
Raw Blame History

import { NextRequest, NextResponse } from 'next/server';
import { requireApiAdmin, apiErrorResponse } from '@/src/lib/api-auth';
import { getAnalyticsSummary, INTERVAL_SECONDS } from '@/src/lib/analytics-db';
export async function GET(req: NextRequest) {
try {
await requireApiAdmin(req);
const { searchParams } = req.nextUrl;
const hostsParam = searchParams.get('hosts') ?? '';
const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
const { from, to } = resolveRange(searchParams);
const data = await getAnalyticsSummary(from, to, hosts);
return NextResponse.json(data);
} catch (error) {
return apiErrorResponse(error);
}
}
function resolveRange(params: URLSearchParams): { from: number; to: number } {
const fromParam = params.get('from');
const toParam = params.get('to');
if (fromParam && toParam) {
return { from: parseInt(fromParam, 10), to: parseInt(toParam, 10) };
}
const interval = params.get('interval') ?? '1h';
const to = Math.floor(Date.now() / 1000);
const from = to - (INTERVAL_SECONDS[interval as keyof typeof INTERVAL_SECONDS] ?? INTERVAL_SECONDS['1h']);
return { from, to };
}
Reference in New Issue View Git Blame Copy Permalink