akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
c136bc9247aa991f136ef8f8a8b101a9baf4e77d
caddy-proxy-manager/app/api/v1/settings/[group]/route.ts
fuomag9 5d0b4837d8 Security hardening: fix SQL injection, WAF bypass, placeholder injection, and more 
- C1: Replace all ClickHouse string interpolation with parameterized queries
  (query_params) to eliminate SQL injection in analytics endpoints
- C3: Strip Caddy placeholder patterns from redirect rules, protected paths,
  and Authentik auth endpoint to prevent config injection
- C4: Replace WAF custom directive blocklist with allowlist approach — only
  SecRule/SecAction/SecMarker/SecDefaultAction permitted; block ctl:ruleEngine
  and Include directives
- H2: Validate GCM authentication tag is exactly 16 bytes before decryption
- H3: Validate forward auth redirect URIs (scheme, no credentials) to prevent
  open redirects
- H4: Switch 11 analytics/WAF/geoip endpoints from session-only requireAdmin
  to requireApiAdmin supporting both Bearer token and session auth
- H5: Add input validation for instance-mode (whitelist) and sync-token
  (32-char minimum) in settings API
- M1: Add non-root user to l4-port-manager Dockerfile
- M5: Document Caddy admin API binding security rationale
- Document C2 (custom config injection) and H1 (SSRF via upstreams) as
  intentional admin features

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 12:13:50 +02:00

118 lines
4.3 KiB
TypeScript
Raw Blame History

import { NextRequest, NextResponse } from "next/server";
import { requireApiAdmin, apiErrorResponse } from "@/src/lib/api-auth";
import {
getGeneralSettings, saveGeneralSettings,
getCloudflareSettings, saveCloudflareSettings,
getAuthentikSettings, saveAuthentikSettings,
getMetricsSettings, saveMetricsSettings,
getLoggingSettings, saveLoggingSettings,
getDnsSettings, saveDnsSettings,
getUpstreamDnsResolutionSettings, saveUpstreamDnsResolutionSettings,
getGeoBlockSettings, saveGeoBlockSettings,
getWafSettings, saveWafSettings,
} from "@/src/lib/settings";
import { getInstanceMode, setInstanceMode, getSlaveMasterToken, setSlaveMasterToken } from "@/src/lib/instance-sync";
import { applyCaddyConfig } from "@/src/lib/caddy";
type SettingsHandler = {
get: () => Promise<unknown>;
save: (data: never) => Promise<void>;
applyCaddy?: boolean;
};
const SETTINGS_HANDLERS: Record<string, SettingsHandler> = {
general: { get: getGeneralSettings, save: saveGeneralSettings as (data: never) => Promise<void>, applyCaddy: true },
cloudflare: { get: getCloudflareSettings, save: saveCloudflareSettings as (data: never) => Promise<void>, applyCaddy: true },
authentik: { get: getAuthentikSettings, save: saveAuthentikSettings as (data: never) => Promise<void>, applyCaddy: true },
metrics: { get: getMetricsSettings, save: saveMetricsSettings as (data: never) => Promise<void>, applyCaddy: true },
logging: { get: getLoggingSettings, save: saveLoggingSettings as (data: never) => Promise<void>, applyCaddy: true },
dns: { get: getDnsSettings, save: saveDnsSettings as (data: never) => Promise<void>, applyCaddy: true },
"upstream-dns": { get: getUpstreamDnsResolutionSettings, save: saveUpstreamDnsResolutionSettings as (data: never) => Promise<void>, applyCaddy: true },
geoblock: { get: getGeoBlockSettings, save: saveGeoBlockSettings as (data: never) => Promise<void>, applyCaddy: true },
waf: { get: getWafSettings, save: saveWafSettings as (data: never) => Promise<void>, applyCaddy: true },
};
export async function GET(
request: NextRequest,
{ params }: { params: Promise<{ group: string }> }
) {
try {
await requireApiAdmin(request);
const { group } = await params;
if (group === "instance-mode") {
const mode = await getInstanceMode();
return NextResponse.json({ mode });
}
if (group === "sync-token") {
const token = await getSlaveMasterToken();
return NextResponse.json({ has_token: token !== null });
}
const handler = SETTINGS_HANDLERS[group];
if (!handler) {
return NextResponse.json({ error: "Unknown settings group" }, { status: 404 });
}
const settings = await handler.get();
return NextResponse.json(settings ?? {});
} catch (error) {
return apiErrorResponse(error);
}
}
export async function PUT(
request: NextRequest,
{ params }: { params: Promise<{ group: string }> }
) {
try {
await requireApiAdmin(request);
const { group } = await params;
const body = await request.json();
if (group === "instance-mode") {
const validModes = ["standalone", "master", "slave"];
if (!validModes.includes(body.mode)) {
return NextResponse.json(
{ error: `Invalid mode. Must be one of: ${validModes.join(", ")}` },
{ status: 400 }
);
}
await setInstanceMode(body.mode);
return NextResponse.json({ ok: true });
}
if (group === "sync-token") {
if (body.token !== null && body.token !== undefined &&
(typeof body.token !== "string" || body.token.length < 32)) {
return NextResponse.json(
{ error: "Token must be null or a string of at least 32 characters" },
{ status: 400 }
);
}
await setSlaveMasterToken(body.token ?? null);
return NextResponse.json({ ok: true });
}
const handler = SETTINGS_HANDLERS[group];
if (!handler) {
return NextResponse.json({ error: "Unknown settings group" }, { status: 404 });
}
await handler.save(body as never);
if (handler.applyCaddy) {
try {
await applyCaddyConfig();
} catch (e) {
console.error("Failed to apply Caddy config after settings update:", e);
}
}
return NextResponse.json({ ok: true });
} catch (error) {
return apiErrorResponse(error);
}
}
Reference in New Issue View Git Blame Copy Permalink