security(TASK-8): fix 8 pentest findings — C1/C3/H1/M1/M2/L2
CRITICAL: - C1: /lnd-connect-info now requires session auth, CORS wildcard removed - C3: DEV_MODE removed from production service file (dev override only) HIGH: - H1: node-message endpoint now verifies ed25519 signatures when provided, logs warning for unsigned messages MEDIUM: - M1: content.add rejects filenames containing ".." (path traversal) - M2: NIP-07 postMessage responses use specific origin instead of '*' LOW: - L2: Onion validation now enforces strict v3 format (56 base32 chars + ".onion", exactly 62 chars, no colons) Previously fixed: C2 (RPC creds generated per-install from secrets) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -7,7 +7,7 @@ Wants=network-online.target
|
||||
Type=notify
|
||||
User=archipelago
|
||||
Environment="ARCHIPELAGO_BIND=0.0.0.0:5678"
|
||||
Environment="ARCHIPELAGO_DEV_MODE=true"
|
||||
# DEV_MODE disabled in production — enabled via override.conf on dev servers
|
||||
Environment="XDG_RUNTIME_DIR=/run/user/1000"
|
||||
ExecStartPre=/bin/bash -c 'mkdir -p /var/lib/archipelago && echo "ARCHIPELAGO_HOST_IP=$(hostname -I 2>/dev/null | awk "{print $$1}")" > /var/lib/archipelago/host-ip.env'
|
||||
ExecStart=/usr/local/bin/archipelago
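Review bot: `Environment="ARCHIPELAGO_BIND=0.0.0.0:5678"` stays in the unit next to the DEV_MODE removal, so the backend still listens on every interface while nginx reaches it at 127.0.0.1:5678. If nothing else filters that port, the session check this commit adds in the nginx `/lnd-connect-info` location does not cover clients that connect to 5678 directly; whether the application enforces the session itself is not visible here. Consider `Environment="ARCHIPELAGO_BIND=127.0.0.1:5678"`, or extend the new comment to name the firewall rule or in-app check that protects the port. The rest of the unit lies outside the hunk.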
|
||||
|
||||
@@ -153,10 +153,12 @@ server {
|
||||
}
|
||||
|
||||
location /lnd-connect-info {
|
||||
# Requires authenticated session — exposes LND admin macaroon
|
||||
if ($cookie_session_id = "") { return 401; }
|
||||
proxy_pass http://127.0.0.1:5678/lnd-connect-info;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
proxy_set_header Cookie $http_cookie;
|
||||
}
|
||||
|
||||
# Content sharing — peer access over Tor (no auth)
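Review bot: The guard `if ($cookie_session_id = "") { return 401; }` only tests that a `session_id` cookie is present and non-empty; nginx never checks its value, so the comment "Requires authenticated session" holds only if the backend at 127.0.0.1:5678 validates the session for this path itself. Say so in the comment, or gate the location with `auth_request` against a backend session-validation endpoint. Because the response carries the LND admin macaroon, also add `add_header Cache-Control "no-store" always;` so it is not cached by browsers or intermediaries. `proxy_set_header Cookie $http_cookie;` is redundant, since nginx forwards the Cookie request header to the upstream by default. The same points apply to the identical location block in the hunk at -805.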
|
||||
@@ -805,10 +807,12 @@ server {
|
||||
}
|
||||
|
||||
location /lnd-connect-info {
|
||||
# Requires authenticated session — exposes LND admin macaroon
|
||||
if ($cookie_session_id = "") { return 401; }
|
||||
proxy_pass http://127.0.0.1:5678/lnd-connect-info;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
proxy_set_header Cookie $http_cookie;
|
||||
}
|
||||
|
||||
# Content sharing — peer access over Tor (no auth)
|
||||
|
||||