fix(security): UPnP opt-in, bounded SSE reader, signed self-update
Phase 2 security audit follow-up. Three independent hardenings against the unauthenticated daemon surface, the long-lived agent SSE stream and the self-update channel. UPnP is now opt-in. The stream port + /hls endpoints have no auth, so publishing them on the WAN via the gateway was a default that exposed active downloads to anyone scanning the operator's external IP. New config downloads.enable_upnp (default false) gates the mapping; LAN and Tailscale clients continue to work unchanged. A startup log makes the new default visible. The agent SSE reader now uses a bounded bufio.Scanner instead of an unbounded ReadString. A hostile or buggy server can no longer grow daemon memory by streaming a single line forever or by emitting unbounded data: continuation lines — both are capped at 256 KiB and 1 MiB respectively, and an error is surfaced so SignalLoop reconnects. Self-update now verifies an ed25519 signature over checksums.txt when the binary was built with a release public key embedded (injected via goreleaser ldflags from RELEASE_SIGNING_PUBKEY). The companion scripts/sign-checksums runs in the release workflow when both the public-key variable and the private-key secret are present, uploading checksums.txt.sig next to the existing checksums file. Builds without the embedded key continue to update with SHA256-only verification; a --allow-unsigned flag is provided so users on a signed build can still install pre-signing releases or recover from an accidental unsigned release. A new scripts/gen-release-key helper documents the one-time keypair generation procedure required before flipping signing on.
This commit is contained in:
Deivid Soto
parent
c148cb8ce7
commit
433e375def
17 changed files with 551 additions and 32 deletions
|
|
@ -2,6 +2,7 @@ package upgrade
|
|||
|
||||
import (
|
||||
"bufio"
|
||||
"bytes"
|
||||
"context"
|
||||
"crypto/sha256"
|
||||
"encoding/hex"
|
||||
|
|
@ -88,7 +89,23 @@ func download(ctx context.Context, version string) (string, error) {
|
|||
}
|
||||
|
||||
// verifyChecksum downloads checksums.txt and verifies the archive's SHA256.
|
||||
// When a release public key is embedded at build time (releasePubKeyBase64),
|
||||
// the function also verifies an ed25519 signature over checksums.txt before
|
||||
// trusting any hash inside it — this turns the checksum file from a passive
|
||||
// integrity check into an authenticated artifact that a maintainer or CI key
|
||||
// compromise cannot trivially forge.
|
||||
func verifyChecksum(ctx context.Context, version, archivePath string) error {
|
||||
return verifyChecksumWithOptions(ctx, version, archivePath, true)
|
||||
}
|
||||
|
||||
// verifyChecksumOnly skips the ed25519 signature step. Used by Upgrader
|
||||
// when --allow-unsigned is set and the release is known to predate signing
|
||||
// (or when a release accidentally shipped without a .sig file).
|
||||
func verifyChecksumOnly(ctx context.Context, version, archivePath string) error {
|
||||
return verifyChecksumWithOptions(ctx, version, archivePath, false)
|
||||
}
|
||||
|
||||
func verifyChecksumWithOptions(ctx context.Context, version, archivePath string, verifySignature bool) error {
|
||||
// Download checksums.txt
|
||||
url := releaseURL(version, "checksums.txt")
|
||||
req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
|
||||
|
|
@ -107,11 +124,28 @@ func verifyChecksum(ctx context.Context, version, archivePath string) error {
|
|||
return fmt.Errorf("fetch checksums: HTTP %d", resp.StatusCode)
|
||||
}
|
||||
|
||||
// Read the entire checksums.txt content first so we can both parse and
|
||||
// verify the signature over the same bytes.
|
||||
checksumsContent, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
|
||||
if err != nil {
|
||||
return fmt.Errorf("read checksums: %w", err)
|
||||
}
|
||||
|
||||
// Verify ed25519 signature over checksums.txt before trusting its
|
||||
// contents. Skipped silently when no key is embedded (handled by the
|
||||
// caller via SignatureVerificationConfigured) or when the caller
|
||||
// explicitly opts out via --allow-unsigned.
|
||||
if verifySignature {
|
||||
if err := verifyChecksumsSignature(ctx, version, checksumsContent); err != nil {
|
||||
return fmt.Errorf("verify signature: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
// Parse checksums.txt — format: "<sha256> <filename>"
|
||||
expectedName := archiveName(version)
|
||||
var expectedHash string
|
||||
|
||||
scanner := bufio.NewScanner(resp.Body)
|
||||
scanner := bufio.NewScanner(bytes.NewReader(checksumsContent))
|
||||
for scanner.Scan() {
|
||||
line := scanner.Text()
|
||||
parts := strings.Fields(line)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue