security: fix auth bypass, XSS, IDOR, command injection, session hardening, rate limiting #86

Merged
rafaga21 merged 1 commits from fix/policy-container-width into master 2026-06-14 07:38:52 -04:00
Collaborator

Security fixes applied

Phase 1: Auth bypass (CRITICAL)

  • ApiController::register() now requires authentication (admin+)
  • Only super_admins can create admin users; default role changed from admin to operator
  • Added role validation rule

Phase 2: Mass assignment (HIGH)

  • Added $fillable whitelist with filterData() method in Server model
  • Prevents arbitrary column manipulation via insert()/update() from API

Phase 3: XSS (CRITICAL)

  • escapeHtml() on server names in sidebar JS (main.php)
  • JSON_HEX_TAG flag on 3 json_encode() calls embedded in <script> tags

Phase 4: IDOR (HIGH)

  • Added canView() checks to TerminalController::history() and clearHistory()

Phase 5: Command injection (CRITICAL)

  • escapeshellarg() on $domains and $email in certbot SSL action
  • Service name sanitization in ServerController::servicesAction()
  • Regex-based command blocklist in both Terminal and API controllers
  • Exception messages suppressed in command execution endpoints

Phase 6: Session/config hardening (HIGH)

  • SESSION_SECURE=true, SESSION_SAME_SITE=Strict, .env chmod 640
  • Logout changed from GET to POST with CSRF protection

Phase 7: Rate limiting (MEDIUM)

  • New rate_limits table (migration 015) with DB-based middleware
  • Applied to POST /api/auth/login and POST /api/auth/register

12 files changed, 147 additions, 38 deletions

## Security fixes applied ### Phase 1: Auth bypass (CRITICAL) - `ApiController::register()` now requires authentication (admin+) - Only super_admins can create admin users; default role changed from `admin` to `operator` - Added `role` validation rule ### Phase 2: Mass assignment (HIGH) - Added `$fillable` whitelist with `filterData()` method in `Server` model - Prevents arbitrary column manipulation via `insert()`/`update()` from API ### Phase 3: XSS (CRITICAL) - `escapeHtml()` on server names in sidebar JS (`main.php`) - `JSON_HEX_TAG` flag on 3 `json_encode()` calls embedded in `<script>` tags ### Phase 4: IDOR (HIGH) - Added `canView()` checks to `TerminalController::history()` and `clearHistory()` ### Phase 5: Command injection (CRITICAL) - `escapeshellarg()` on `$domains` and `$email` in certbot SSL action - Service name sanitization in `ServerController::servicesAction()` - Regex-based command blocklist in both Terminal and API controllers - Exception messages suppressed in command execution endpoints ### Phase 6: Session/config hardening (HIGH) - `SESSION_SECURE=true`, `SESSION_SAME_SITE=Strict`, `.env` chmod 640 - Logout changed from GET to POST with CSRF protection ### Phase 7: Rate limiting (MEDIUM) - New `rate_limits` table (migration `015`) with DB-based middleware - Applied to `POST /api/auth/login` and `POST /api/auth/register` **12 files changed, 147 additions, 38 deletions**
agent added 1 commit 2026-06-14 07:32:38 -04:00
- Phase 1: Require authentication for API register endpoint; restrict role creation
- Phase 2: Add $fillable whitelist to Server model to prevent mass assignment
- Phase 3: Fix XSS via escapeHtml in sidebar, JSON_HEX_TAG in script embeds
- Phase 4: Add canView() checks to TerminalController history/clearHistory
- Phase 5: escapeshellarg() on certbot params, sanitize service names, regex-based command blocklist, suppress exception messages
- Phase 6: SESSION_SECURE=true, SameSite=Strict, logout via POST+CSRF, chmod 640 .env
- Phase 7: DB-based rate limiting replacing session-based, applied to API login/register
rafaga21 approved these changes 2026-06-14 07:38:48 -04:00
rafaga21 merged commit 7c74e2316e into master 2026-06-14 07:38:52 -04:00
rafaga21 deleted branch fix/policy-container-width 2026-06-14 07:38:54 -04:00
Sign in to join this conversation.
No Reviewers
No Label
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: devlab/server-manager#86