Commit Graph

6 Commits

Author SHA1 Message Date
Flody.lee
59a357f76f fix(security): harden command injection, path traversal, auth surfaces
Audit of the backend attack surface and fixes for the web-reachable
CRITICAL/HIGH issues. Adds back/shared/security.ts with centralized
hardening helpers (shellEscape, assertSafeDependenceName,
SUBSCRIPTION_PATTERNS, safeCompare, isSafeSshConfigValue).

- Subscription fields (url/branch/whitelist/blacklist/extensions/proxy)
  are now shell-escaped before reaching spawn() and validated with strict
  Joi patterns at the API, closing OS command injection and the
  downstream shell eval/git-arg-injection paths.
- Dependency names are validated before interpolation into
  pnpm/pip/apk/apt commands (incl. the embedded Python source).
- SSH config generation rejects newline/metachar injection in host/proxy
  (prevents injected ProxyCommand execution).
- ConfigService.getFile resolves the real path before containment check,
  fixing data/scripts/../db traversal that leaked the SQLite DB.
- /configs/save containment check fixed (sibling-dir write bypass).
- Script/env uploads use path.basename, preventing arbitrary file write
  (crontab.list/env.sh overwrite -> RCE) via multer originalname.
- JWT secret is generated and persisted per-install instead of the public
  default 'whyour-secret'; production refuses to boot without one.
- Token comparison is now constant-time (safeCompare).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 11:22:15 +08:00
whyour
7d0cae7839 Fix proxy not taking effect for single-file subscriptions 2024-06-13 22:53:49 +08:00
whyour
e7d023a7e0 Add English to multi-language support 2023-07-29 18:26:30 +08:00
whyour
622fe2a8f8 Fix default values for subscription auto add/delete tasks 2023-02-14 11:07:16 +08:00
whyour
7bce5c4f6a Add associated subscription to tasks 2023-02-13 23:50:01 +08:00
whyour
1f7f2c8971 Fix subscription ssh config generation logic; auto add/delete tasks 2023-02-13 23:12:55 +08:00