security(headers): CSP, escapeHtml quote fix, JSON config injection#11
Open
BRlin-o wants to merge 4 commits into
Network surface reduction (Phase 0):
- Bind 127.0.0.1 by default; add HOST env for opt-in network access
- Cap request body at 50 MB (CCXRAY_MAX_BODY_MB); return 413 on exceed
- Per-IP SSE connection limit (default 8, CCXRAY_SSE_MAX_PER_IP)
- HTTP timeouts: headersTimeout=60s, requestTimeout=120s, keepAliveTimeout=5s
- Sanitize ANSI/control chars in logged request URLs (log injection)
- Extract readBodyCapped() helper for safe body accumulation

Filesystem hardening (Phase 1):
- Log files 0o600, log directories 0o700; chmod on existing paths
- safeJoin() rejects path traversal (../, /, \, null bytes)
- Hub lockfile and log written with 0o600

Hub localhost-only + validation (Phase 2):
- /_api/hub/* restricted to loopback IPs (127.0.0.1, ::1, ::ffff:127.0.0.1)
- /_api/health remains open (pure liveness, no sensitive info)
- Register/unregister validate pid (int, 0 < n ≤ 2²²) and cwd (string, ≤ 4096)
- Hub body cap 1 KB for control endpoints

BREAKING: Server now binds 127.0.0.1 only. Set HOST=0.0.0.0 for LAN access.

Closes lis186#7 (partial)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Bumps basic-ftp to patched version, resolving HIGH severity CRLF injection in @aws-sdk transitive dependency.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Replace === with crypto.timingSafeEqual for bearer token comparison; constant-time even on length mismatch
- Remove ?token= query param auth (leaks in browser history, Referer, logs)
- Add POST /login + POST /logout with HttpOnly cookie session (SameSite=Strict, Secure on non-loopback, 7-day TTL)
- HTML Accept requests get 302 to /login.html; API requests get 401 JSON
- Add login.html / login.js — minimal token input form
- Per-process HMAC secret (sessions invalidate on restart — acceptable for a local dev tool)

BREAKING: ?token=XXX query auth removed. Use Authorization: Bearer header (CLI/curl) or the new /login.html flow (browser).

Closes lis186#7 (partial)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Add Content-Security-Policy, X-Content-Type-Options: nosniff, Referrer-Policy: no-referrer to all responses via writeHead wrapper
- script-src keeps 'unsafe-inline' by default (~30 inline on*= handlers); CCXRAY_CSP=strict env opts into strict mode for future handler refactor
- Replace <!--__PROXY_CONFIG__--> inline script injection with <script type="application/json"> + JSON.parse (no executable JS)
- escapeHtml now escapes " → &quot; and ' → &#39; (attribute injection fix)

Closes lis186#7

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This was referenced Jun 27, 2026
Summary
Dashboard security hardening. Part 3 of 3 PRs from the audit in #7.
Depends on #9 and #10.
- X-Content-Type-Options: nosniff, Referrer-Policy: no-referrer on all responses
- <!--__PROXY_CONFIG__--> inline <script> with <script type="application/json"> + JSON.parse. No more executable JS injected into HTML.
- " → &quot; and ' → &#39; (prevents XSS via attribute injection, e.g. model names containing quotes)
- CCXRAY_CSP=strict — opt-in env to drop 'unsafe-inline' from script-src. Currently the dashboard has ~30 inline on*= handlers that need refactoring first (tracked as future work).

CSP policy
style-src 'unsafe-inline' kept because the dashboard has extensive dynamic style="width:..." — converting to CSS classes is cosmetic, not a security concern.

Test plan
- test/csp-headers.test.js (4 cases): CSP header present, nosniff, no-referrer, JSON config block without inline assignment

Ref: #7
🤖 Generated with Claude Code
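
The two template fixes described in this PR (quote escaping in escapeHtml, and the JSON data block that replaces the inline config script), as an added example that is not ccxray's own code; the function names, the `proxy-config` id, the `<option>` markup and the sample values are assumptions. It also escapes `<` in the serialized JSON, a step the PR text does not mention, so a string value containing `</script>` cannot close the data block early.

```javascript
// Added example: all names here are hypothetical, not ccxray's source.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape all five characters so the output is safe as element text
// and inside a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pre-fix behaviour as the PR describes it: quotes pass through.
function escapeHtmlNoQuotes(value) {
  return String(value).replace(/[&<>]/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical dashboard markup that puts a model name in an attribute.
function renderOption(modelName, escape) {
  return `<option value="${escape(modelName)}">${escape(modelName)}</option>`;
}

// Serialise config into a non-executable data block. Writing "<" as \u003c
// keeps a "</script>" inside a string value from ending the element early;
// JSON.parse turns it back into "<".
function renderConfigBlock(config) {
  const json = JSON.stringify(config).replace(/</g, '\\u003c');
  return `<script type="application/json" id="proxy-config">${json}</script>`;
}

// Stand-in for the browser side, which would read the element's textContent.
// The data is parsed, never evaluated.
function readConfigBlock(html) {
  const m = html.match(/<script type="application\/json" id="proxy-config">([\s\S]*?)<\/script>/);
  if (!m) throw new Error('config block not found');
  return JSON.parse(m[1]);
}

// Constructed sample inputs.
const sampleModel = 'demo" data-injected="1';
const sampleConfig = { model: sampleModel, note: '</script><b>still data</b>' };

console.log(renderOption(sampleModel, escapeHtmlNoQuotes)); // attribute breaks out
console.log(renderOption(sampleModel, escapeHtml));         // stays one attribute
console.log(renderConfigBlock(sampleConfig));
console.log(readConfigBlock(renderConfigBlock(sampleConfig)));
```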