mirror of
https://github.com/rcourtman/Pulse.git
synced 2026-05-09 10:57:04 +00:00
Security Fixes:
- Fix path traversal vulnerability in tar extraction (HIGH)
  - Validate and sanitize paths from tar archives
  - Prevent directory traversal attacks via ../
  - Ensure extracted files stay within destination directory
- Remove weak SHA-256 password hashing code (MEDIUM)
  - Removed unused SHA-256 hash function from crypto package
  - All password hashing now uses bcrypt (cost 12) exclusively
  - Added warning comment about proper password hashing
- Fix error information leakage (MEDIUM)
  - Add sanitizeErrorMessage helper function
  - Log detailed errors internally while returning generic messages
  - Prevent exposure of system internals in error responses
- Change default CORS from * to restrictive (MEDIUM)
  - Default to no CORS headers (same-origin only)
  - Allow localhost origins only in development mode
  - Require explicit configuration for production CORS

These fixes address all critical and medium severity issues found in the security audit while maintaining backward compatibility.
crypto.go
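The HIGH item above, keeping every extracted tar entry inside the destination directory, comes down to one containment check. The following is an added example and is not Pulse's own code; the helper names `safeExtractPath` and `classifyEntries`, the destination path and the sample entry names are all constructed for illustration. It resolves each entry name against the destination with `filepath.Join`, which collapses `../` segments, and then accepts the result only if it is the destination itself or a path under it.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for an archive entry whose resolved path would
// land outside the destination directory.
var ErrTraversal = errors.New("archive entry escapes destination directory")

// safeExtractPath is a hypothetical helper (not Pulse's code): it resolves a
// tar entry name against dest and rejects it unless the cleaned result is dest
// itself or a descendant of dest. filepath.Join cleans the joined path, so any
// "../" segments in name are collapsed before the containment check runs.
// An absolute entry name is relativized under dest rather than honoured.
func safeExtractPath(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	// Appending the separator prevents "/out2/x" from passing for dest "/out".
	if target != cleanDest && !strings.HasPrefix(target, cleanDest+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// classifyEntries runs the check over a list of entry names and returns the
// accepted destination paths alongside the names that were rejected.
func classifyEntries(dest string, names []string) (accepted, rejected []string) {
	for _, n := range names {
		p, err := safeExtractPath(dest, n)
		if err != nil {
			rejected = append(rejected, n)
			continue
		}
		accepted = append(accepted, p)
	}
	return accepted, rejected
}

func main() {
	// Constructed sample entry names, including the shapes a hostile
	// archive would use to escape the extraction directory.
	entries := []string{
		"config/settings.yaml", // ordinary relative entry: accepted
		"../../etc/passwd",     // leading dotdot: rejected
		"data/../../escape",    // dotdot hidden after a real directory: rejected
		"/absolute/name",       // absolute name: relativized under dest
	}
	accepted, rejected := classifyEntries("/srv/pulse/extract", entries)
	fmt.Println("accepted:", accepted)
	fmt.Println("rejected:", rejected)
}
```

Doing the check on the cleaned, joined path rather than by scanning the raw name for `..` matters: `data/../../escape` contains a real directory before the traversal and still ends up outside the destination, which the string-prefix test on the resolved path catches while a naive pattern match may not.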