Finish the file API traversal fix by rooting both GET and SET operations at the
actual file-type directory instead of the process working directory. This blocks
`..` escapes from `config/` and `config/middlewares/` while preserving valid
in-root reads and writes.

Also harden the optional unauthenticated local API listener so it only starts on
loopback addresses (`localhost`, `127.0.0.1`, `::1`). This preserves same-host
automation while preventing accidental exposure on wildcard, LAN, bridge, or
public interfaces.

Add regression tests for blocked traversal on GET and SET, valid in-root writes,
and loopback-only local API address validation. Fix an unrelated config test
cleanup panic so the touched package verification can run cleanly.

Constraint: `GODOXY_LOCAL_API_ADDR` is documented for local automation and must remain usable without adding a new auth flow
Constraint: File API behavior must keep valid config/provider/middleware edits working while blocking path escapes
Rejected: Mirror the previous GET `OpenInRoot(".", ...)` approach in SET | still allows escapes from `config/` to sibling paths under the working directory
Rejected: Keep unauthenticated non-loopback local API binds and document the risk | preserves a high-severity pre-auth network exposure
Confidence: high
Scope-risk: moderate
Reversibility: clean
Directive: Treat `LOCAL_API_ADDR` as same-host only; if non-loopback unauthenticated access is ever needed, gate it behind a separately named explicit insecure opt-in
Tested: `go test -count=1 -ldflags='-checklinkname=0' ./internal/api/v1/file -run 'Test(Get|Set)_PathTraversalBlocked' -v`
Tested: `go test -count=1 -ldflags='-checklinkname=0' ./internal/config -run '^TestValidateLocalAPIAddr$|^TestRouteValidateInboundMTLSProfile$' -v`
Tested: `go test -count=1 -ldflags='-checklinkname=0' ./internal/api/... ./internal/config/...`
Not-tested: End-to-end runtime verification of fsnotify reload behavior after a valid in-root provider edit

Use os.OpenRoot to restrict file access to the application root,
preventing directory traversal attacks through the file download endpoint.
Also add a test to verify path traversal attempts are blocked.
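
The difference between rooting at the working directory (the rejected `OpenInRoot(".", ...)` approach) and rooting at the file-type directory, as an added Go example that is not the project's code. The temp tree, the file names and the `readRooted` and `demo` helpers are constructed for illustration; `os.OpenRoot` requires Go 1.24 or later.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// readRooted (hypothetical helper) opens rel beneath rootDir via os.Root, which rejects escapes.
func readRooted(rootDir, rel string) ([]byte, error) {
	root, err := os.OpenRoot(rootDir)
	if err != nil {
		return nil, err
	}
	defer root.Close()
	f, err := root.Open(rel)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return io.ReadAll(f)
}

// demo requests "../secret.env" in a constructed tree under both rooting strategies.
func demo() (leaked, blocked, validOK bool, err error) {
	work, err := os.MkdirTemp("", "rootdemo")
	if err != nil {
		return
	}
	defer os.RemoveAll(work)
	cfg := filepath.Join(work, "config")
	if err = os.Mkdir(cfg, 0o755); err != nil {
		return
	}
	files := map[string]string{filepath.Join(work, "secret.env"): "TOKEN=constructed", filepath.Join(cfg, "app.yml"): "ok: true"}
	for p, data := range files {
		if err = os.WriteFile(p, []byte(data), 0o600); err != nil {
			return
		}
	}
	name := "../secret.env"                   // untrusted file name from the request
	_, e1 := readRooted(work, "config/"+name) // rooted at working dir: resolves to a sibling
	_, e2 := readRooted(cfg, name)            // rooted at config/: escape is refused
	_, e3 := readRooted(cfg, "app.yml")       // valid in-root read still works
	return e1 == nil, e2 != nil, e3 == nil, nil
}

func main() { fmt.Println(demo()) }
```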