Fix authentication bypass and XSS/HTML injection vulnerabilities #17

Merged
ric merged 1 commit from fix/security-auth-bypass-xss into main 2026-07-10 19:37:31 +00:00
Owner

Addresses three issues from the security review (v0.3.4):

  • Auth bypass (High, CWE-287): password-protected sites could be accessed
    with any non-empty cookie when authSecretKey was unset (the default).
    New() now auto-generates a strong random signing key at startup, and
    verifyAuthCookie/verifyBranchAuthCookie fail closed when no key is
    present. Cookies are always signed (removed the unsigned fallback).

  • Stored XSS via .redirects (Medium, CWE-79): formatRedirectList now
    HTML-escapes rule values before rendering the /LOAD_REDIRECTS page.

  • HTML injection (Medium, CWE-79): username, repository, custom_domain,
    and error strings are HTML-escaped across the login pages, the default
    error page, and the /LOAD_REDIRECTS pages.

Adds security_test.go with regression tests for all three issues and
updates the CHANGELOG, README, and docs. Uses only the standard library
(html.EscapeString, crypto/rand) to remain Yaegi-compatible.

Co-Authored-By: Claude Fable 5 noreply@anthropic.com

Addresses three issues from the security review (v0.3.4): - Auth bypass (High, CWE-287): password-protected sites could be accessed with any non-empty cookie when authSecretKey was unset (the default). New() now auto-generates a strong random signing key at startup, and verifyAuthCookie/verifyBranchAuthCookie fail closed when no key is present. Cookies are always signed (removed the unsigned fallback). - Stored XSS via .redirects (Medium, CWE-79): formatRedirectList now HTML-escapes rule values before rendering the /LOAD_REDIRECTS page. - HTML injection (Medium, CWE-79): username, repository, custom_domain, and error strings are HTML-escaped across the login pages, the default error page, and the /LOAD_REDIRECTS pages. Adds security_test.go with regression tests for all three issues and updates the CHANGELOG, README, and docs. Uses only the standard library (html.EscapeString, crypto/rand) to remain Yaegi-compatible. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Addresses three issues from the security review (v0.3.4):

- Auth bypass (High, CWE-287): password-protected sites could be accessed
  with any non-empty cookie when authSecretKey was unset (the default).
  New() now auto-generates a strong random signing key at startup, and
  verifyAuthCookie/verifyBranchAuthCookie fail closed when no key is
  present. Cookies are always signed (removed the unsigned fallback).

- Stored XSS via .redirects (Medium, CWE-79): formatRedirectList now
  HTML-escapes rule values before rendering the /LOAD_REDIRECTS page.

- HTML injection (Medium, CWE-79): username, repository, custom_domain,
  and error strings are HTML-escaped across the login pages, the default
  error page, and the /LOAD_REDIRECTS pages.

Adds security_test.go with regression tests for all three issues and
updates the CHANGELOG, README, and docs. Uses only the standard library
(html.EscapeString, crypto/rand) to remain Yaegi-compatible.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
ric merged commit c02b5abe2d into main 2026-07-10 19:37:31 +00:00
ric deleted branch fix/security-auth-bypass-xss 2026-07-10 19:37:31 +00:00
Sign in to join this conversation.
No reviewers
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
SquareCows/pages-server!17
No description provided.