Skip to content

v0.1.1 - Security patch

Choose a tag to compare

@0xciph3r 0xciph3r released this 22 May 09:35
b165f73

Security Fixes

Terminal injection via gRPC responses (pkg/grpc)

  • Strip ANSI/VT escape sequences (CSI, OSC including ESC-backslash terminator) and non-printable control characters from all gRPC string responses before they reach the terminal
  • Rune-based truncation avoids splitting multi-byte UTF-8 sequences; single []rune allocation shared between sanitization and length cap
  • Home directory path redacted from error messages using a path-boundary-aware check (prevents sibling-path over-matching)

Macaroon leak scan expanded (pkg/checks)

  • Replaced 4 hardcoded directory globs with a filepath.WalkDir scan over $HOME up to 4 levels deep
  • Added isInsideDir() using filepath.Rel to correctly exclude the LND data directory without matching sibling paths (e.g. /data/lnd2)
  • Directories in skipDirs (node_modules, .git, vendor, etc.) are skipped to keep scans fast
  • WalkDir error callback now only returns SkipDir for directory errors, not file errors
  • Added 6 deterministic tests using a temp $HOME to cover depth limiting, skip-dirs, sibling-dir edge case, and stray macaroon detection

What's Changed

  • security: sanitize gRPC response strings and expand macaroon leak scan by @NonsoAmadi10 in #1

New Contributors

  • @NonsoAmadi10 made their first contribution in #1

Full Changelog: v0.1.0...v0.1.1