Fix authentication bypass and XSS/HTML injection vulnerabilities #17
No reviewers
Labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
SquareCows/pages-server!17
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "fix/security-auth-bypass-xss"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Addresses three issues from the security review (v0.3.4):
Auth bypass (High, CWE-287): password-protected sites could be accessed
with any non-empty cookie when authSecretKey was unset (the default).
New() now auto-generates a strong random signing key at startup, and
verifyAuthCookie/verifyBranchAuthCookie fail closed when no key is
present. Cookies are always signed (removed the unsigned fallback).
Stored XSS via .redirects (Medium, CWE-79): formatRedirectList now
HTML-escapes rule values before rendering the /LOAD_REDIRECTS page.
HTML injection (Medium, CWE-79): username, repository, custom_domain,
and error strings are HTML-escaped across the login pages, the default
error page, and the /LOAD_REDIRECTS pages.
Adds security_test.go with regression tests for all three issues and
updates the CHANGELOG, README, and docs. Uses only the standard library
(html.EscapeString, crypto/rand) to remain Yaegi-compatible.
Co-Authored-By: Claude Fable 5 noreply@anthropic.com