lfg2025/archy
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases 44 Wiki Activity
archy/loop/pentest/analysis/ssrf.md
Dorian 39c7ac1924 feat: rootless podman, session hardening, boot stability, sidebar fix 
Rootless podman migration (TASK-11):
- Remove sudo from all podman calls in PodmanClient + 8 backend files
- Remove sudo from all podman/docker calls in deploy script
- Restore full systemd security hardening: NoNewPrivileges,
  RestrictAddressFamilies, MemoryDenyWriteExecute, RestrictRealtime,
  RestrictNamespaces, RestrictSUIDSGID, SystemCallFilter, ProtectSystem=strict
- Enable loginctl linger for rootless container persistence
- Remove Ollama from auto-deploy (marketplace-only)

Session & auth hardening:
- Increase MAX_CONCURRENT_SESSIONS 20→50 (prevents eviction storms)
- Debounced 401 redirect in rpc-client.ts (prevents redirect storms)

Boot stability:
- optimize-debian.sh: adds chrony, swap, removes policy-rc.d
- deploy script: pre-restart chrony + swap setup
- ISO build: chrony package, swap file creation
- BootScreen: no longer clears localStorage (prevents splash replay)
- RootRedirect: sole owner of localStorage clearing on server ready

UI fixes:
- Sidebar opacity default changed from 0→visible (fixes missing sidebar
  after page-persistence login without entrance animation)
- Console.log/error wrapped in import.meta.env.DEV guards
- Remove unused route import from RootRedirect

Beta tracking:
- CLAUDE.md: beta freeze protocol added
- MASTER_PLAN.md: TASK-11, TASK-17, phase structure
- BETA-PROGRESS.md: initial tracking doc
- Tagged v1.2.0-alpha.1 as pre-rootless baseline

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 13:53:27 +00:00

1.3 KiB
Raw Blame History

SSRF Analysis Complete

Found 5 SSRF vulnerabilities across the Archipelago backend:

Critical (2)

  • SSRF-001: backup.upload-s3 — user-supplied endpoint URL passed directly to reqwest PUT with zero validation. Can reach any internal service (Bitcoin RPC, LND, Grafana). Response status + partial body leaked in errors.
  • SSRF-002: backup.download-s3 — same pattern but GET, with full response body saved to disk and retrievable via backup APIs. Most dangerous finding — enables complete exfiltration of any internal HTTP endpoint.

High (1)

  • SSRF-003: identity.resolve-name (NIP-05) — user-controlled domain in user@domain identifier causes HTTPS GET to arbitrary domain. HTTPS-only limits impact but enables DNS rebinding, IP disclosure, and partial response exfiltration.

Medium (1)

  • SSRF-004: content.download-peer / content.browse-peer — weak .onion validation (suffix check only vs. strict 56-char base32 in node_message.rs). Mitigated by Tor SOCKS proxy which rejects invalid addresses, but defense-in-depth failure.

Low (1)

  • SSRF-005: webhook.configure — private IP validation exists but bypassed in dev mode, missing 0.0.0.0, no DNS rebinding protection, no redirect protection.

Report written to loop/pentest/analysis/ssrf.md.