security: fix auth bypass, XSS, IDOR, command injection, session hardening, rate limiting
- Phase 1: Require authentication for API register endpoint; restrict role creation - Phase 2: Add $fillable whitelist to Server model to prevent mass assignment - Phase 3: Fix XSS via escapeHtml in sidebar, JSON_HEX_TAG in script embeds - Phase 4: Add canView() checks to TerminalController history/clearHistory - Phase 5: escapeshellarg() on certbot params, sanitize service names, regex-based command blocklist, suppress exception messages - Phase 6: SESSION_SECURE=true, SameSite=Strict, logout via POST+CSRF, chmod 640 .env - Phase 7: DB-based rate limiting replacing session-based, applied to API login/register
This commit is contained in:
@@ -47,7 +47,7 @@ $totalPages = max(1, ceil(count($services) / $perPage));
|
||||
</div>
|
||||
|
||||
<script>
|
||||
const allServices = <?= json_encode($services) ?>;
|
||||
const allServices = <?= json_encode($services, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES) ?>;
|
||||
const perPage = <?= $perPage ?>;
|
||||
|
||||
function applyFilters() {
|
||||
|
||||
@@ -371,7 +371,7 @@ $canManage = $server_role === 'owner' || $server_role === 'manager';
|
||||
|
||||
<script src="https://cdn.jsdelivr.net/npm/chart.js@4.4.7/dist/chart.umd.min.js"></script>
|
||||
<script>
|
||||
const historicalData = <?= json_encode($historicalMetrics) ?>;
|
||||
const historicalData = <?= json_encode($historicalMetrics, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES) ?>;
|
||||
|
||||
let metricsChart = null;
|
||||
|
||||
|
||||
Reference in New Issue
Block a user