v0.1.1 - Security patch
Security Fixes
Terminal injection via gRPC responses (pkg/grpc)
- Strip ANSI/VT escape sequences (CSI, OSC including ESC-backslash terminator) and non-printable control characters from all gRPC string responses before they reach the terminal
- Rune-based truncation avoids splitting multi-byte UTF-8 sequences; single
[]runeallocation shared between sanitization and length cap - Home directory path redacted from error messages using a path-boundary-aware check (prevents sibling-path over-matching)
Macaroon leak scan expanded (pkg/checks)
- Replaced 4 hardcoded directory globs with a
filepath.WalkDirscan over$HOMEup to 4 levels deep - Added
isInsideDir()usingfilepath.Relto correctly exclude the LND data directory without matching sibling paths (e.g./data/lnd2) - Directories in
skipDirs(node_modules, .git, vendor, etc.) are skipped to keep scans fast - WalkDir error callback now only returns
SkipDirfor directory errors, not file errors - Added 6 deterministic tests using a temp $HOME to cover depth limiting, skip-dirs, sibling-dir edge case, and stray macaroon detection
What's Changed
- security: sanitize gRPC response strings and expand macaroon leak scan by @NonsoAmadi10 in #1
New Contributors
- @NonsoAmadi10 made their first contribution in #1
Full Changelog: v0.1.0...v0.1.1