• v0.3.4 c02b5abe2d

    v0.3.4 Stable

    ric released this 2026-07-10 19:40:39 +00:00 | 0 commits to main since this release

    Security

    This release fixes three vulnerabilities identified in a security review. Upgrade is recommended for all deployments using
    password protection.

    • Authentication Bypass (High, CWE-287): Password-protected sites could be accessed with any non-empty cookie when
      authSecretKey was not configured (the default).
      • verifyAuthCookie() / verifyBranchAuthCookie() no longer accept any non-empty cookie; with no secret key they now fail
        closed
        .
      • New() auto-generates a strong random authSecretKey (32 bytes) at startup when none is configured, so cookie signatures
        are always enforced (secure by default).
      • Cookies are always signed (removed the unsigned fallback).
      • A startup warning recommends setting authSecretKey explicitly for stable sessions across restarts and multi-instance/HA
        deployments.
    • Stored XSS via .redirects (Medium, CWE-79): formatRedirectList() now HTML-escapes rule values on the /LOAD_REDIRECTS
      page.
    • HTML Injection (Medium, CWE-79): username, repository, custom_domain, and error strings are now escaped via
      html.EscapeString() in the login pages, the default error page, and the /LOAD_REDIRECTS pages.

    All fixes use only the Go standard library to remain Yaegi-compatible.

    Tests

    • Added security_test.go with regression tests for all three issues: auth bypass fails closed, key auto-generation, forged /
      tampered / cross-repo / wrong-key cookie rejection, and HTML escaping in the redirect list, login pages, and error page.

    Upgrade Notes

    • If you use password protection and have not set authSecretKey, a random key is now generated at each startup. Existing
      cookies are invalidated on restart and separate instances won't share sessions — set authSecretKey explicitly for
      stable/multi-instance behaviour.
    Downloads