fix: monthly security scan — fix shell injection and add RPC body limit (MAINT-02)

- Replace sh -c echo with tokio::fs::write for bitcoin.conf generation
- Add client_max_body_size 1m to /rpc/ in both HTTP and HTTPS nginx blocks
- Document full audit findings in docs/security-audit-2026-03-11.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-11 18:09:16 +00:00
parent f32c95bb76
commit 828ba5119d
4 changed files with 60 additions and 5 deletions

View File

@@ -113,6 +113,9 @@ server {
proxy_set_header X-Real-IP $remote_addr;
# Connection header managed by nginx default
# Limit request body to 1MB for RPC calls
client_max_body_size 1m;
# Increase timeout for long-running operations (e.g., Docker image pulls)
proxy_connect_timeout 600s;
proxy_send_timeout 600s;
@@ -518,6 +521,10 @@ server {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Connection header managed by nginx default
# Limit request body to 1MB for RPC calls
client_max_body_size 1m;
proxy_connect_timeout 600s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;