Dorian
0d28d28bf7
security(TASK-8): fix 8 pentest findings — C1/C3/H1/M1/M2/L2
CRITICAL:
- C1: /lnd-connect-info now requires session auth, CORS wildcard removed
- C3: DEV_MODE removed from production service file (dev override only)
HIGH:
- H1: node-message endpoint now verifies ed25519 signatures when
  provided, logs warning for unsigned messages
MEDIUM:
- M1: content.add rejects filenames containing ".." (path traversal)
- M2: NIP-07 postMessage responses use specific origin instead of '*'
LOW:
- L2: Onion validation now enforces strict v3 format (56 base32 chars
  + ".onion", exactly 62 chars, no colons)
Previously fixed: C2 (RPC creds generated per-install from secrets)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 19:45:10 +00:00
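The strict v3 onion check described under L2, as an added example that is not the project's own code: it applies the commit's syntactic rule (56 base32 chars, ".onion" suffix, 62 chars total, no colons) and additionally decodes the address to verify the embedded checksum and version byte from the Tor v3 address format. The public key used below is a constructed value, not a real service.

```python
import base64
import hashlib
import re

# Syntactic rule from the commit: 56 lowercase base32 chars followed by ".onion".
ONION_V3_RE = re.compile(r"[a-z2-7]{56}\.onion")


def is_strict_v3_onion(addr: str) -> bool:
    """Shape check only: exactly 62 chars, no colons (rejects host:port smuggling)."""
    return (
        isinstance(addr, str)
        and len(addr) == 62
        and ":" not in addr
        and ONION_V3_RE.fullmatch(addr) is not None
    )


def v3_checksum(pubkey: bytes, version: int = 3) -> bytes:
    # Tor rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def encode_v3_onion(pubkey: bytes) -> str:
    """Build an address from a 32-byte ed25519 public key (used here to make test input)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + b"\x03"  # 35 bytes -> 56 base32 chars, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def is_valid_v3_onion(addr: str) -> bool:
    """Strict shape check plus checksum and version verification of the decoded bytes."""
    if not is_strict_v3_onion(addr):
        return False
    raw = base64.b32decode(addr[:56], casefold=True)
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    return version == 3 and checksum == v3_checksum(pubkey)


# Constructed key for demonstration only; any 32 bytes produce a well-formed address.
DEMO_PUBKEY = bytes(range(32))
DEMO_ADDR = encode_v3_onion(DEMO_PUBKEY)
```

Every well-formed v3 address ends in the base32 char "d" because the trailing version byte is 0x03, so that character is a cheap place to start when a validator rejects an address.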