fix(v2): harden the three deferred low-severity audit items#3
Merged
Conversation
- selfmanage/upgrade: refuse an HTTPS redirect whose host resolves to a private/reserved/loopback/link-local/CGNAT address, so a hostile release host cannot pivot the root-run upgrade fetch into an SSRF (e.g. cloud metadata). The initial operator-supplied URL is not restricted, so an internal mirror still works. Adds isPublicIP/refusePrivateRedirect + tests. - schedule/Cancel: detect the firing auto-revoke service precisely via /proc/self/cgroup (injectable UnderUnit) instead of the coarse INVOCATION_ID, which is set for any systemd scope; a manual revoke from a systemd-managed shell no longer orphans the unit's .service file. The firing run still leaves its own .service (never deletes the file it executes from). - sysinfo/sshPortFromConfig: report the first Port directive (consistent with sshPortFromSshdT / sshd -T) instead of the last. Full suite green (unit + root/integration + -race, incl. INVOCATION_ID set). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-up hardening for the three items deferred during the round-4 audit. All low-severity; each fixed with tests.
1. Upgrade redirect SSRF (
selfmanage)An
upgradeHTTPS redirect is now refused if its host resolves to a private / reserved / loopback / link-local / CGNAT address — a compromised release host can no longer pivot the root-run fetch into an SSRF (e.g.169.254.169.254cloud metadata). The initial, operator-supplied--urlis not restricted (that's the operator's choice), so a deliberate internal mirror still works; only attacker-influenced redirect targets are constrained. NewisPublicIP/refusePrivateRedirecthelpers + hermetic unit tests.2. Orphaned systemd
.servicefiles (schedule)Cancelpreviously kept the.servicefile and skippeddaemon-reloadwheneverINVOCATION_IDwas set — but that's true for any systemd scope (e.g. an SSH session), so a manualrevokeleft orphaned units behind. It now detects the firing auto-revoke service precisely via/proc/self/cgroup(injectableUnderUnitfor tests). A genuine firing run still leaves its own.service(never deletes the file it's executing from); everything else cleans up fully.3. SSH port hint selection (
sysinfo)With multiple
Portdirectives insshd_config, the config fallback now returns the first — consistent withsshPortFromSshdT(sshd -T, which returns the first) — instead of the last.Verification
gofmt/go vet -printf.funcs=...clean;go build ./...OK.-race, including withINVOCATION_IDset (mirrors CI).Scope: v2 Go tool only. Documented under Unreleased in the CHANGELOG (no release cut yet).
🤖 Generated with Claude Code