security: fix auth bypass, XSS, IDOR, command injection, session hardening, rate limiting
- Phase 1: Require authentication for API register endpoint; restrict role creation - Phase 2: Add $fillable whitelist to Server model to prevent mass assignment - Phase 3: Fix XSS via escapeHtml in sidebar, JSON_HEX_TAG in script embeds - Phase 4: Add canView() checks to TerminalController history/clearHistory - Phase 5: escapeshellarg() on certbot params, sanitize service names, regex-based command blocklist, suppress exception messages - Phase 6: SESSION_SECURE=true, SameSite=Strict, logout via POST+CSRF, chmod 640 .env - Phase 7: DB-based rate limiting replacing session-based, applied to API login/register
This commit is contained in:
@@ -31,7 +31,7 @@ $router->get('/login', [AuthController::class, 'loginForm']);
|
||||
$router->post('/login', [AuthController::class, 'login'], [CSRFMiddleware::class, RateLimitMiddleware::class]);
|
||||
$router->get('/register', [AuthController::class, 'registerForm']);
|
||||
$router->post('/register', [AuthController::class, 'register'], [CSRFMiddleware::class]);
|
||||
$router->get('/logout', [AuthController::class, 'logout']);
|
||||
$router->post('/logout', [AuthController::class, 'logout'], [CSRFMiddleware::class]);
|
||||
|
||||
$router->get('/profile', [AuthController::class, 'profile'], [AuthMiddleware::class]);
|
||||
$router->post('/profile', [AuthController::class, 'updateProfile'], [AuthMiddleware::class, CSRFMiddleware::class]);
|
||||
@@ -115,8 +115,8 @@ $router->put('/api/servers/:id', [ApiController::class, 'serverUpdate']);
|
||||
$router->delete('/api/servers/:id', [ApiController::class, 'serverDelete']);
|
||||
$router->get('/api/servers/:id/metrics', [ApiController::class, 'serverMetrics']);
|
||||
$router->post('/api/servers/:id/execute', [ApiController::class, 'executeCommand']);
|
||||
$router->post('/api/auth/login', [ApiController::class, 'login']);
|
||||
$router->post('/api/auth/register', [ApiController::class, 'register']);
|
||||
$router->post('/api/auth/login', [ApiController::class, 'login'], [RateLimitMiddleware::class]);
|
||||
$router->post('/api/auth/register', [ApiController::class, 'register'], [RateLimitMiddleware::class]);
|
||||
$router->get('/api/app-version', [ApiController::class, 'appVersion']);
|
||||
$router->get('/api/servers/:id/services', [ApiController::class, 'serverServices']);
|
||||
$router->post('/api/servers/:id/reboot', [ApiController::class, 'serverReboot']);
|
||||
|
||||
Reference in New Issue
Block a user