Commit Graph

25 Commits

Author SHA1 Message Date
Flody.lee
59a357f76f fix(security): harden command injection, path traversal, auth surfaces
Audit of the backend attack surface and fixes for the web-reachable
CRITICAL/HIGH issues. Adds back/shared/security.ts with centralized
hardening helpers (shellEscape, assertSafeDependenceName,
SUBSCRIPTION_PATTERNS, safeCompare, isSafeSshConfigValue).

- Subscription fields (url/branch/whitelist/blacklist/extensions/proxy)
  are now shell-escaped before reaching spawn() and validated with strict
  Joi patterns at the API, closing OS command injection and the
  downstream shell eval/git-arg-injection paths.
- Dependency names are validated before interpolation into
  pnpm/pip/apk/apt commands (incl. the embedded Python source).
- SSH config generation rejects newline/metachar injection in host/proxy
  (prevents injected ProxyCommand execution).
- ConfigService.getFile resolves the real path before containment check,
  fixing data/scripts/../db traversal that leaked the SQLite DB.
- /configs/save containment check fixed (sibling-dir write bypass).
- Script/env uploads use path.basename, preventing arbitrary file write
  (crontab.list/env.sh overwrite -> RCE) via multer originalname.
- JWT secret is generated and persisted per-install instead of the public
  default 'whyour-secret'; production refuses to boot without one.
- Token comparison is now constant-time (safeCompare).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 11:22:15 +08:00
whyour
7d8feadc78 Fix fetching of scheduled task parameters 2026-06-13 00:09:31 +08:00
Copilot
d473c3ae88
Fix SSH global private key matching before subscription-specific keys (#2845)
* Initial plan

* Fix SSH global private key loading order by using zzz_ prefix

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Use tilde (~) prefix for global SSH config to ensure it loads last

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
2025-11-21 01:53:58 +08:00
Copilot
ee2fbe5335
Add global SSH key configuration in system settings (#2840)
* Initial plan

* Add backend support for global SSH keys

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Add frontend UI for global SSH keys management

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Add SshKeyModel to database initialization

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Add SSH config generation for global SSH keys

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Add internationalization support for SSH key management UI

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Simplify to single global SSH key in system settings

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
2025-11-20 10:09:01 +08:00
whyour
07951964a1 Fix module injection 2025-10-26 22:32:03 +08:00
whyour
05f8bbd26e Add a file lock when writing files to avoid corrupted file contents caused by race conditions 2025-01-04 01:22:29 +08:00
whyour
20f615eadf Replace fs file operations with fs.promise 2023-11-01 16:44:34 +08:00
whyour
4d5fa320ea Modify private repository ssh configuration 2023-08-23 18:06:28 +08:00
whyour
ca150dc6a6 Fix docker-compose configuration 2023-05-22 20:20:46 +08:00
whyour
4a0c66bcc0 Fix ssh config file not existing on initialization 2023-04-15 12:14:56 +08:00
whyour
1d2df860e8 Fix ssh config file directory 2023-04-06 14:23:02 +08:00
whyour
b27ee23cc3 Refactor private repository ssh configuration logic 2023-04-06 13:38:55 +08:00
whyour
7bce5c4f6a Add associated subscription to tasks 2023-02-13 23:50:01 +08:00
whyour
1f7f2c8971 Fix subscription ssh config generation logic, automatically add/delete tasks 2023-02-13 23:12:55 +08:00
whyour
a9cc1cb4b9 Modify token retrieval logic 2022-12-10 17:12:45 +08:00
whyour
91dbb7770d Modify github ssh generation logic for subscriptions 2022-11-14 22:00:16 +08:00
whyour
0a6166c557 Add proxy parameter to subscriptions 2022-11-13 23:58:42 +08:00
whyour
ff2b4e0b2f Support adding a proxy to subscriptions 2022-11-12 22:45:46 +08:00
whyour
5a01c41bbb Fix private key config file matching 2022-06-01 00:03:58 +08:00
whyour
460a1750f4 Add initialization of subscription tasks 2022-05-18 23:30:59 +08:00
whyour
d2c2ea8d3b Modify ssh config generation 2022-05-18 20:10:28 +08:00
whyour
cb12d8ffec Fix private key deletion 2022-05-18 20:06:46 +08:00
whyour
5bb1afe5c6 Fix private key permissions 2022-05-18 19:23:32 +08:00
whyour
fb6a80e306 Support changing the avatar 2022-05-09 15:31:41 +08:00
whyour
2c9b283b75 Add ssh key operation service 2022-05-08 22:41:56 +08:00