dashcaddy

sami7777/dashcaddy

Fork 0

Commit Graph

Author	SHA1	Message	Date
Sami	59b6d7d360	Fix 16 HIGH/MEDIUM security bugs across API HIGH fixes: - TOTP disable now requires valid code verification - TOTP secret removed from plaintext file storage - Container ID validated before update/check-update/logs operations - DNS server parameter restricted to configured servers (SSRF prevention) - Backup export no longer includes encryption key - Backup restore of sensitive files requires TOTP re-authentication MEDIUM fixes: - Session cookie Secure flag added - Caddy reload errors no longer leaked to client - saveConfig uses atomic locked updates via configStateManager - Log file path traversal prevented via symlink resolution - Credential cache entries now expire after 5 minutes - _httpFetch enforces 10MB response size limit - External URL path injection into Caddyfile blocked - Custom volume host paths validated against allowed roots - Error logs endpoint no longer returns stack traces - Logo delete path traversal prevented via path.basename() Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-07 00:15:28 -08:00
Sami	3a6d2ce93d	Fix input validation and error handling across API endpoints - Deploy endpoint: validate appId, config, and subdomain before use (prevents 500 crash on empty body) - Container ops: return 404 instead of 500 for non-existent containers - Update-subdomain: require oldSubdomain/newSubdomain fields (prevents false 200 with undefined values) - Global error handler: catch-all that never leaks stack traces or internal paths - API 404 catch-all: return JSON instead of HTML for unmatched /api/* routes Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-06 20:21:21 -08:00
Sami	f61e85d9a7	Initial commit: DashCaddy v1.0 Full codebase including API server (32 modules + routes), dashboard frontend, DashCA certificate distribution, installer script, and deployment skills.	2026-03-05 02:26:12 -08:00

Author

SHA1

Message

Date

Sami

59b6d7d360

Fix 16 HIGH/MEDIUM security bugs across API

HIGH fixes:
- TOTP disable now requires valid code verification
- TOTP secret removed from plaintext file storage
- Container ID validated before update/check-update/logs operations
- DNS server parameter restricted to configured servers (SSRF prevention)
- Backup export no longer includes encryption key
- Backup restore of sensitive files requires TOTP re-authentication

MEDIUM fixes:
- Session cookie Secure flag added
- Caddy reload errors no longer leaked to client
- saveConfig uses atomic locked updates via configStateManager
- Log file path traversal prevented via symlink resolution
- Credential cache entries now expire after 5 minutes
- _httpFetch enforces 10MB response size limit
- External URL path injection into Caddyfile blocked
- Custom volume host paths validated against allowed roots
- Error logs endpoint no longer returns stack traces
- Logo delete path traversal prevented via path.basename()

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-07 00:15:28 -08:00

Sami

3a6d2ce93d

Fix input validation and error handling across API endpoints

- Deploy endpoint: validate appId, config, and subdomain before use (prevents 500 crash on empty body)
- Container ops: return 404 instead of 500 for non-existent containers
- Update-subdomain: require oldSubdomain/newSubdomain fields (prevents false 200 with undefined values)
- Global error handler: catch-all that never leaks stack traces or internal paths
- API 404 catch-all: return JSON instead of HTML for unmatched /api/* routes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-06 20:21:21 -08:00

Sami

f61e85d9a7

Initial commit: DashCaddy v1.0

Full codebase including API server (32 modules + routes), dashboard frontend,
DashCA certificate distribution, installer script, and deployment skills.

2026-03-05 02:26:12 -08:00

3 Commits