fix: hide scroll-indicator on mobile to prevent overlap with hero terminal #85

Merged
rafaga21 merged 1 commits from fix/policy-container-width into master 2026-06-14 07:16:46 -04:00
Collaborator

Security fixes applied

Phase 1: Auth bypass (CRITICAL)

  • ApiController::register() now requires authentication (admin+)
  • Only super_admins can create admin users; default role changed from admin to operator
  • Added role validation rule

Phase 2: Mass assignment (HIGH)

  • Added $fillable whitelist with filterData() method in Server model
  • Prevents arbitrary column manipulation via insert()/update() from API

Phase 3: XSS (CRITICAL)

  • escapeHtml() on server names in sidebar JS (main.php)
  • JSON_HEX_TAG flag on 3 json_encode() calls embedded in <script> tags
    • views/servers/show.php, views/dashboard/index.php, views/servers/services.php

Phase 4: IDOR (HIGH)

  • Added canView() checks to TerminalController::history() and clearHistory()

Phase 5: Command injection (CRITICAL)

  • escapeshellarg() on $domains and $email in certbot SSL action
  • Service name sanitization in ServerController::servicesAction() (was missing vs restartService())
  • Regex-based command blocklist replaces substring matching in both Terminal and API controllers
  • Added shutdown, reboot, halt, poweroff to blocklist
  • Exception messages suppressed in command execution endpoints

Phase 6: Session/config hardening (HIGH)

  • SESSION_SECURE=true (was false on HTTPS deploy)
  • SESSION_SAME_SITE=Strict (was Lax)
  • .env permissions changed to 640 (nginx:nginx)
  • Logout changed from GET to POST with CSRF protection

Phase 7: Rate limiting (MEDIUM)

  • New rate_limits database table (migration 015)
  • RateLimitMiddleware rewritten to use DB instead of session storage
  • Rate limiting applied to POST /api/auth/login and POST /api/auth/register
  • Probabilistic stale-entry cleanup (5% chance per request)
## Security fixes applied ### Phase 1: Auth bypass (CRITICAL) - `ApiController::register()` now requires authentication (admin+) - Only super_admins can create admin users; default role changed from `admin` to `operator` - Added `role` validation rule ### Phase 2: Mass assignment (HIGH) - Added `$fillable` whitelist with `filterData()` method in `Server` model - Prevents arbitrary column manipulation via `insert()`/`update()` from API ### Phase 3: XSS (CRITICAL) - `escapeHtml()` on server names in sidebar JS (`main.php`) - `JSON_HEX_TAG` flag on 3 `json_encode()` calls embedded in `<script>` tags - `views/servers/show.php`, `views/dashboard/index.php`, `views/servers/services.php` ### Phase 4: IDOR (HIGH) - Added `canView()` checks to `TerminalController::history()` and `clearHistory()` ### Phase 5: Command injection (CRITICAL) - `escapeshellarg()` on `$domains` and `$email` in certbot SSL action - Service name sanitization in `ServerController::servicesAction()` (was missing vs `restartService()`) - Regex-based command blocklist replaces substring matching in both Terminal and API controllers - Added `shutdown`, `reboot`, `halt`, `poweroff` to blocklist - Exception messages suppressed in command execution endpoints ### Phase 6: Session/config hardening (HIGH) - `SESSION_SECURE=true` (was `false` on HTTPS deploy) - `SESSION_SAME_SITE=Strict` (was `Lax`) - `.env` permissions changed to `640` (`nginx:nginx`) - Logout changed from GET to POST with CSRF protection ### Phase 7: Rate limiting (MEDIUM) - New `rate_limits` database table (migration `015`) - `RateLimitMiddleware` rewritten to use DB instead of session storage - Rate limiting applied to `POST /api/auth/login` and `POST /api/auth/register` - Probabilistic stale-entry cleanup (5% chance per request)
agent added 1 commit 2026-06-14 07:16:12 -04:00
rafaga21 approved these changes 2026-06-14 07:16:41 -04:00
rafaga21 merged commit 40748d7e5f into master 2026-06-14 07:16:46 -04:00
rafaga21 deleted branch fix/policy-container-width 2026-06-14 07:16:47 -04:00
Sign in to join this conversation.
No Reviewers
No Label
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: devlab/server-manager#85