Security Fixes:
- Fix path traversal vulnerability in tar extraction (HIGH)
  - Validate and sanitize paths from tar archives
  - Prevent directory traversal attacks via ../
  - Ensure extracted files stay within destination directory
- Remove weak SHA-256 password hashing code (MEDIUM)
  - Removed unused SHA-256 hash function from crypto package
  - All password hashing now uses bcrypt (cost 12) exclusively
  - Added warning comment about proper password hashing
- Fix error information leakage (MEDIUM)
  - Add sanitizeErrorMessage helper function
  - Log detailed errors internally while returning generic messages
  - Prevent exposure of system internals in error responses
- Change default CORS from * to restrictive (MEDIUM)
  - Default to no CORS headers (same-origin only)
  - Allow localhost origins only in development mode
  - Require explicit configuration for production CORS

These fixes address all critical and medium severity issues found
in the security audit while maintaining backward compatibility.
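
The containment check described in the tar extraction fix above, as an added example in Go; it is not the project's own code. The names safeJoin, buildSample and vetArchive and the destination /opt/extract are hypothetical, and the sample archive is constructed in memory.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// safeJoin maps a tar entry name under dest; absolute, empty or escaping names are refused.
func safeJoin(dest, name string) (string, error) {
	target := filepath.Join(dest, name) // Join also cleans "." and ".." segments
	rel, err := filepath.Rel(dest, target)
	if err != nil || name == "" || filepath.IsAbs(name) ||
		rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("unsafe tar entry path: %q", name)
	}
	return target, nil
}

// buildSample returns a constructed in-memory tar holding empty files with the given names.
func buildSample(names []string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0600, Typeflag: tar.TypeReg})
	}
	tw.Close()
	return buf.Bytes()
}

// vetArchive walks the archive and returns the entry names an extractor must skip.
func vetArchive(data []byte, dest string) (rejected []string) {
	tr := tar.NewReader(bytes.NewReader(data))
	for {
		hdr, _ := tr.Next()
		if hdr == nil { // io.EOF or a read error ends the walk
			return rejected
		}
		if _, err := safeJoin(dest, hdr.Name); err != nil {
			rejected = append(rejected, hdr.Name)
		}
	}
}

func main() {
	names := []string{"config/system.json", "../../etc/passwd", "/etc/shadow", "a/../../b"}
	fmt.Println("rejected:", vetArchive(buildSample(names), "/opt/extract"))
}
```

The check is lexical only: symlink and hard-link entries in an archive need their own handling, because a link created inside the destination can still point outside it.
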
- Detect public vs private network access
- Show stronger warnings for public access without auth
- Red banner when accessed from internet without authentication
- Support for trusted networks configuration via PULSE_TRUSTED_NETWORKS
- Automatic RFC1918 private IP detection
- Enhanced security status API with network context
- Added debug logging for encryption key loading
- Use consistent utils.GetDataDir() helper instead of duplicating logic
- Handle migration failures gracefully - log warnings but continue using old key
- Add detailed logging for migration with source and destination paths
- Prevent unnecessary migration when paths are identical
- Improve error messages for debugging

Addresses review feedback on the Docker persistence fix

- Move encryption key from /etc/pulse to PULSE_DATA_DIR (/data in Docker)
- Add automatic migration for existing installations
- Key now persists across container restarts when using volume mount
- Maintains backward compatibility for non-Docker installations

Fixes #290 reported by da99Beast where Docker containers lost
configuration on restart due to encryption key being regenerated

- Fix Gmail email configuration (field mapping between frontend/backend)
- Implement proper AES-256-GCM encryption for sensitive config files
- Add responsive column hiding for Storage tab on mobile devices
- Fix email configuration persistence and auto-populate recipients
- Add comprehensive testing tools for UI and API validation
- Fix alert acknowledge/clear functionality returning 404 errors
- Improve mobile UX: Storage shows only essential columns on small screens
- Revert dashboard to consistent table view (removed card layout experiment)
- Fix various UI issues: threshold detection, email template spacing
- Update notification system to use actual node data in test emails