vrr/Pulse
2
0
Fork 0
mirror of https://github.com/rcourtman/Pulse.git synced 2026-05-07 17:19:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
Pulse/internal
History
rcourtman b2e65f7b3e feat(security): Add SSH output limits and improve host key management 
Addresses two security vulnerabilities:

1. SSH Output Size Limits:
   - Prevents memory exhaustion from malicious remote nodes
   - Configurable max_ssh_output_bytes (default 1MB)
   - Stream with io.LimitReader to cap output size
   - New metric: pulse_proxy_ssh_output_oversized_total{node}
   - WARN logging for oversized outputs

2. Improved Host Key Management:
   - Seed host keys from Proxmox cluster store (/etc/pve/priv/known_hosts)
   - Falls back to ssh-keyscan only if Proxmox unavailable (with WARN)
   - Fingerprint change detection with ERROR logging
   - require_proxmox_hostkeys option for strict mode
   - New metric: pulse_proxy_hostkey_changes_total{node}
   - Reduces MITM attack surface significantly

Known hosts manager now normalizes entries, reuses existing fingerprints,
and raises typed HostKeyChangeError when fingerprints differ.

Related to security audit 2025-11-07.

Co-authored-by: Codex <codex@openai.com>
2025-11-07 17:09:02 +00:00
..
alerts Fix critical alert system concurrency and memory leak issues 2025-11-07 09:12:28 +00:00
api Fix P1: Resource leaks in Recovery Tokens, Rate Limiter, and OIDC Service 2025-11-07 10:18:44 +00:00
auth Refactor: Code cleanup and localStorage consolidation 2025-11-04 21:50:46 +00:00
config Improve Docker temperature monitoring documentation for clarity (related to #600) 2025-11-07 15:09:42 +00:00
crypto Harden setup token flow and enforce encrypted persistence 2025-10-25 16:00:37 +00:00
discovery Fix P1/P2 infrastructure issues: panic recovery and optimizations 2025-11-07 09:55:22 +00:00
dockeragent Fix critical version embedding issues for 4.26 release 2025-11-06 11:42:52 +00:00
errors Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
hostagent Normalize docker agent version handling 2025-10-28 08:42:58 +00:00
hostmetrics Normalize docker agent version handling 2025-10-28 08:42:58 +00:00
logging feat: comprehensive diagnostics and observability improvements 2025-10-21 12:37:39 +00:00
metrics Add comprehensive alert system reliability improvements 2025-11-06 16:46:30 +00:00
mock Refactor: Code cleanup and localStorage consolidation 2025-11-04 21:50:46 +00:00
models Fix Docker host display bug when multiple agents share API tokens (related to #658) 2025-11-07 13:46:35 +00:00
monitoring Fix storage disappearing after upgrade by preserving TLS validation 2025-11-07 15:36:52 +00:00
notifications Fix critical monitoring system issues and add robustness improvements 2025-11-07 08:52:37 +00:00
ssh/knownhosts feat(security): Add SSH output limits and improve host key management 2025-11-07 17:09:02 +00:00
system Enhance container detection for temperature SSH safeguards (refs #601) 2025-11-04 22:30:35 +00:00
tempproxy Fix temperature data intermittency caused by proxy rate limit retries 2025-11-05 10:20:15 +00:00
types Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
updates Fix critical rollback download URL bug and doc inconsistencies 2025-11-06 14:25:32 +00:00
utils Refactor: Code cleanup and localStorage consolidation 2025-11-04 21:50:46 +00:00
websocket Fix P1: Add shutdown mechanism to WebSocket Hub 2025-11-07 10:20:26 +00:00