archy

lfg2025/archy

Fork 0

Commit Graph

Author	SHA1	Message	Date
Dorian	89acc3ed5c	fix: harden input validation across all RPC endpoints (PENTEST-02) Manual security audit of 130+ RPC endpoints. Critical fixes: - LND: validate pubkey (66-char hex), Bitcoin addresses, channel points, amount bounds, payment request format, memo length, peer address - Package: validate_app_id on start/stop/restart/bundled-app handlers, validate volume host paths (must be under /var/lib/archipelago/), validate Docker image in bundled-app-start - Container: validate_app_id on all 6 handlers, canonicalize manifest paths - Network: path traversal prevention in connection request deletion - Backup: backup ID validation in delete handler - Webhooks: URL scheme validation, SSRF prevention for private IPs - Security: validate app_id in secret rotation - Interfaces: WiFi password length/null validation, strict IP/gateway/DNS parsing for static ethernet config Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 14:32:49 +00:00
Dorian	d26b95e256	feat: add network interface management RPC endpoints Add network.list-interfaces, network.scan-wifi, network.configure-wifi, and network.configure-ethernet endpoints using ip and nmcli commands. Includes input validation to prevent command injection. Deployed and verified — list-interfaces returns real interface data. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 00:34:17 +00:00

Author

SHA1

Message

Date

Dorian

89acc3ed5c

fix: harden input validation across all RPC endpoints (PENTEST-02)

Manual security audit of 130+ RPC endpoints. Critical fixes:
- LND: validate pubkey (66-char hex), Bitcoin addresses, channel points,
  amount bounds, payment request format, memo length, peer address
- Package: validate_app_id on start/stop/restart/bundled-app handlers,
  validate volume host paths (must be under /var/lib/archipelago/),
  validate Docker image in bundled-app-start
- Container: validate_app_id on all 6 handlers, canonicalize manifest paths
- Network: path traversal prevention in connection request deletion
- Backup: backup ID validation in delete handler
- Webhooks: URL scheme validation, SSRF prevention for private IPs
- Security: validate app_id in secret rotation
- Interfaces: WiFi password length/null validation, strict IP/gateway/DNS
  parsing for static ethernet config

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-11 14:32:49 +00:00

Dorian

d26b95e256

feat: add network interface management RPC endpoints

Add network.list-interfaces, network.scan-wifi, network.configure-wifi,
and network.configure-ethernet endpoints using ip and nmcli commands.
Includes input validation to prevent command injection. Deployed and
verified — list-interfaces returns real interface data.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-11 00:34:17 +00:00

2 Commits