starred/godoxy-yusing
1
0
Fork 0
mirror of https://github.com/yusing/godoxy.git synced 2026-04-18 06:29:42 +02:00
Code Issues 18 Packages Projects Releases 10 Wiki Activity

fix(api): confine file edits to rooted config paths and restrict unauthenticated local API binds

Browse Source 
Finish the file API traversal fix by rooting both GET and SET operations at the
actual file-type directory instead of the process working directory. This blocks
`..` escapes from `config/` and `config/middlewares/` while preserving valid
in-root reads and writes.

Also harden the optional unauthenticated local API listener so it only starts on
loopback addresses (`localhost`, `127.0.0.1`, `::1`). This preserves same-host
automation while preventing accidental exposure on wildcard, LAN, bridge, or
public interfaces.

Add regression tests for blocked traversal on GET and SET, valid in-root writes,
and loopback-only local API address validation. Fix an unrelated config test
cleanup panic so the touched package verification can run cleanly.

Constraint: `GODOXY_LOCAL_API_ADDR` is documented for local automation and must remain usable without adding a new auth flow

Constraint: File API behavior must keep valid config/provider/middleware edits working while blocking path escapes

Rejected: Mirror the previous GET `OpenInRoot(".", ...)` approach in SET | still allows escapes from `config/` to sibling paths under the working directory

Rejected: Keep unauthenticated non-loopback local API binds and document the risk | preserves a high-severity pre-auth network exposure

Confidence: high

Scope-risk: moderate

Reversibility: clean

Directive: Treat `LOCAL_API_ADDR` as same-host only; if non-loopback unauthenticated access is ever needed, gate it behind a separately named explicit insecure opt-in

Tested: `go test -count=1 -ldflags='-checklinkname=0' ./internal/api/v1/file -run 'Test(Get|Set)_PathTraversalBlocked' -v`

Tested: `go test -count=1 -ldflags='-checklinkname=0' ./internal/config -run '^TestValidateLocalAPIAddr$|^TestRouteValidateInboundMTLSProfile$' -v`

Tested: `go test -count=1 -ldflags='-checklinkname=0' ./internal/api/... ./internal/config/...`

Not-tested: End-to-end runtime verification of fsnotify reload behavior after a valid in-root provider edit
This commit is contained in:
yusing
2026-04-09 16:44:01 +08:00
parent 1c091bbfee
commit 41d0d28ca8
5 changed files with 159 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
internal/api/v1/README.md
View File

@@ -115,7 +115,7 @@ No dedicated metrics exposed by handlers. Request metrics collected by middlewar
- All endpoints (except `/api/v1/version`) require authentication
- Input validation using Gin binding tags
- Path traversal prevention in file operations
- File read/write handlers are rooted per file type (`config/` or `config/middlewares/`) to prevent traversal into sibling paths
- WebSocket connections use same auth middleware as HTTP
## Failure Modes and Recovery
@@ -195,5 +195,3 @@ func listContainers() ([]Container, error) {
```bash
curl http://localhost:8888/health
```
)