• v0.5.6 0251ae8bea

    v0.5.6 Stable

    x released this 2026-02-23 18:02:48 +00:00 | 4 commits to main since this release

    Signed by x
    GPG key ID: A14ACA8AB45A9C27

    VSKI v0.5.6

    Security Release

    This release addresses multiple security vulnerabilities identified in a security audit. All users are strongly encouraged to upgrade.

    Security Fixes

    Critical

    • Path Traversal Prevention - Database names taken from the x-dbname header are now sanitized to allow only alphanumeric characters, underscores, and hyphens. This prevents path traversal attacks that could otherwise access arbitrary files.

    High

    • SQL Identifier Escaping - SqlEscapeIdentifier() now properly escapes double quotes by doubling them, preventing potential SQL injection via identifier names.

    • CORS Origin Validation - WebSocket connections (realtime and workflow) now validate the Origin header against an allowlist. Configure it via the ALLOWED_ORIGINS environment variable.

    • JWT Secret Warning - In production mode (when DEV is not set to true), a red warning is now printed if JWT_SECRET is not configured.

    • Rate Limiting on Auth Endpoints - Authentication endpoints now have configurable rate limiting to prevent brute force attacks:

      • Default: 5 attempts per hour per email
      • Default: 24 attempts per 24 hours per email
      • Returns HTTP 429 with retry_after when exceeded

    Medium

    • User Enumeration Fix - Authentication error messages are now generic ("Unauthorized") to prevent user enumeration attacks.
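    As an added illustration (example code, not VSKI's own sanitizeDBName or SqlEscapeIdentifier), the Go snippet below shows the kind of checks the input-handling fixes above describe: an allowlist check for the x-dbname value, SQL identifier quoting that doubles embedded double quotes, and an exact-match Origin allowlist driven by an ALLOWED_ORIGINS style string. The function names and the 64-character length cap are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Allowlist described in the release notes: alphanumerics, underscore, hyphen.
// "." and "/" are excluded, so "../" sequences can never reach a file path.
var dbNameRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// ValidateDBName rejects rather than strips: stripping characters can map two
// different header values onto the same database. The 64-char cap is an
// assumption of this example, not a documented VSKI limit.
func ValidateDBName(name string) (string, error) {
	if name == "" || len(name) > 64 || !dbNameRe.MatchString(name) {
		return "", errors.New("invalid database name")
	}
	return name, nil
}

// EscapeIdentifier quotes a SQL identifier and doubles embedded double quotes,
// the standard SQL rule; an undoubled quote would terminate the identifier early.
func EscapeIdentifier(id string) string {
	return `"` + strings.ReplaceAll(id, `"`, `""`) + `"`
}

// OriginAllowed mirrors an ALLOWED_ORIGINS style setting: "*" admits every
// origin (not for production); otherwise the Origin header must exactly equal
// one comma-separated entry, so "https://app.example.com.evil.test" never matches.
func OriginAllowed(origin, allowed string) bool {
	if allowed == "*" {
		return true
	}
	for _, o := range strings.Split(allowed, ",") {
		if origin != "" && strings.TrimSpace(o) == origin {
			return true
		}
	}
	return false
}

func main() {
	_, err := ValidateDBName("../../etc/passwd") // constructed traversal input
	fmt.Println("rejected:", err != nil, EscapeIdentifier(`a"b`),
		OriginAllowed("https://app.example.com", "https://app.example.com,https://admin.example.com"))
}
```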

    New Environment Variables

    Variable                  Default  Description
    ALLOWED_ORIGINS           *        Comma-separated list of allowed CORS origins. Use * for all origins (not recommended for production)
    AUTH_RATE_LIMIT_PER_HOUR  5        Max auth attempts per email per hour
    AUTH_RATE_LIMIT_PER_DAY   24       Max auth attempts per email per 24 hours

    Technical Details

    Files Changed

    • internal/config/config.go - Added AllowedOrigins, AuthRateLimitPerHour, AuthRateLimitPerDay config options and production warnings
    • internal/db/db.go - Added sanitizeDBName() function to prevent path traversal
    • internal/middleware/middleware.go - Added RateLimiter, RateLimitMiddleware, updated CORSMiddleware to accept allowed origins, fixed user enumeration
    • internal/utils/query.go - Improved SqlEscapeIdentifier() to escape double quotes
    • internal/realtime/gateway.go - Added origin validation for WebSocket connections
    • internal/workflow/gateway.go - Added origin validation for WebSocket connections
    • internal/app/bootstrap.go - Wired up rate limiting and CORS with config

    Usage Examples

    # Production configuration
    JWT_SECRET=your-secure-random-string-at-least-32-chars
    ALLOWED_ORIGINS=https://app.example.com,https://admin.example.com
    AUTH_RATE_LIMIT_PER_HOUR=5
    AUTH_RATE_LIMIT_PER_DAY=24
    
    # Development (defaults)
    DEV=true
    # ALLOWED_ORIGINS defaults to * (all origins)
    # JWT_SECRET defaults to dev-secret (with warning)
    

    Changelog

    v0.5.6 (2026-02-23)

    Security

    • Fixed path traversal vulnerability in database name handling
    • Fixed SQL injection via unescaped double quotes in identifiers
    • Added WebSocket origin validation (CSWSH prevention)
    • Added rate limiting on authentication endpoints
    • Fixed user enumeration via authentication error messages

    Added

    • ALLOWED_ORIGINS environment variable for CORS configuration
    • AUTH_RATE_LIMIT_PER_HOUR environment variable (default: 5)
    • AUTH_RATE_LIMIT_PER_DAY environment variable (default: 24)
    • Production warning for missing JWT_SECRET
    • Production warning for ALLOWED_ORIGINS=*

    Changed

    • SqlEscapeIdentifier() now properly escapes double quotes
    • CORSMiddleware() now accepts allowed origins parameter
    • WebSocket gateways now validate Origin header
    • Generic "Unauthorized" error message for auth failures