fix(security): UPnP opt-in, bounded SSE reader, signed self-update
Phase 2 security audit follow-up. Three independent hardenings against the unauthenticated daemon surface, the long-lived agent SSE stream and the self-update channel. UPnP is now opt-in. The stream port + /hls endpoints have no auth, so publishing them on the WAN via the gateway was a default that exposed active downloads to anyone scanning the operator's external IP. New config downloads.enable_upnp (default false) gates the mapping; LAN and Tailscale clients continue to work unchanged. A startup log makes the new default visible. The agent SSE reader now uses a bounded bufio.Scanner instead of an unbounded ReadString. A hostile or buggy server can no longer grow daemon memory by streaming a single line forever or by emitting unbounded data: continuation lines — both are capped at 256 KiB and 1 MiB respectively, and an error is surfaced so SignalLoop reconnects. Self-update now verifies an ed25519 signature over checksums.txt when the binary was built with a release public key embedded (injected via goreleaser ldflags from RELEASE_SIGNING_PUBKEY). The companion scripts/sign-checksums runs in the release workflow when both the public-key variable and the private-key secret are present, uploading checksums.txt.sig next to the existing checksums file. Builds without the embedded key continue to update with SHA256-only verification; a --allow-unsigned flag is provided so users on a signed build can still install pre-signing releases or recover from an accidental unsigned release. A new scripts/gen-release-key helper documents the one-time keypair generation procedure required before flipping signing on.
This commit is contained in:
Deivid Soto
parent
c148cb8ce7
commit
433e375def
17 changed files with 551 additions and 32 deletions
|
|
@ -240,6 +240,7 @@ func runDaemonStart() error {
|
|||
|
||||
// Create persistent stream server
|
||||
streamSrv := engine.NewStreamServer(cfg.Download.StreamPort)
|
||||
streamSrv.SetUPnPEnabled(cfg.Download.EnableUPnP)
|
||||
// Reap HLS tmpdirs left over from a previous daemon run before we start
|
||||
// accepting new sessions. The in-memory registry doesn't survive a
|
||||
// restart, so without this disk usage grows unbounded across restarts.
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@ import (
|
|||
|
||||
func newSelfUpdateCmd() *cobra.Command {
|
||||
var force bool
|
||||
var allowUnsigned bool
|
||||
|
||||
cmd := &cobra.Command{
|
||||
Use: "self-update",
|
||||
|
|
@ -26,18 +27,20 @@ If the daemon is running, it is automatically restarted so the new
|
|||
version is loaded into memory (otherwise heartbeat would keep
|
||||
reporting the old version until a manual restart).`,
|
||||
Example: ` unarr self-update
|
||||
unarr self-update --force`,
|
||||
unarr self-update --force
|
||||
unarr self-update --allow-unsigned # accept releases missing checksums.txt.sig`,
|
||||
RunE: func(cmd *cobra.Command, args []string) error {
|
||||
return runSelfUpdate(force)
|
||||
return runSelfUpdate(force, allowUnsigned)
|
||||
},
|
||||
}
|
||||
|
||||
cmd.Flags().BoolVarP(&force, "force", "f", false, "reinstall even if already up to date")
|
||||
cmd.Flags().BoolVar(&allowUnsigned, "allow-unsigned", false, "continue with SHA256-only verification when checksums.txt.sig is missing")
|
||||
|
||||
return cmd
|
||||
}
|
||||
|
||||
func runSelfUpdate(force bool) error {
|
||||
func runSelfUpdate(force, allowUnsigned bool) error {
|
||||
bold := color.New(color.Bold)
|
||||
green := color.New(color.FgGreen)
|
||||
yellow := color.New(color.FgYellow)
|
||||
|
|
@ -74,6 +77,7 @@ func runSelfUpdate(force bool) error {
|
|||
|
||||
upgrader := &upgrade.Upgrader{
|
||||
CurrentVersion: currentClean,
|
||||
AllowUnsigned: allowUnsigned,
|
||||
OnProgress: func(msg string) {
|
||||
fmt.Printf(" %s\n", msg)
|
||||
},
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@ import (
|
|||
// newUpgradeCmd creates the `unarr upgrade` command as an alias for `self-update`.
|
||||
func newUpgradeCmd() *cobra.Command {
|
||||
var force bool
|
||||
var allowUnsigned bool
|
||||
|
||||
cmd := &cobra.Command{
|
||||
Use: "upgrade",
|
||||
|
|
@ -18,13 +19,15 @@ This is an alias for 'unarr self-update'. Checks GitHub for the latest
|
|||
release, verifies the checksum, and replaces the current binary.
|
||||
A backup is kept at <binary>.backup.`,
|
||||
Example: ` unarr upgrade
|
||||
unarr upgrade --force`,
|
||||
unarr upgrade --force
|
||||
unarr upgrade --allow-unsigned`,
|
||||
RunE: func(cmd *cobra.Command, args []string) error {
|
||||
return runSelfUpdate(force)
|
||||
return runSelfUpdate(force, allowUnsigned)
|
||||
},
|
||||
}
|
||||
|
||||
cmd.Flags().BoolVarP(&force, "force", "f", false, "reinstall even if already up to date")
|
||||
cmd.Flags().BoolVar(&allowUnsigned, "allow-unsigned", false, "continue with SHA256-only verification when checksums.txt.sig is missing")
|
||||
|
||||
return cmd
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue