fix(security): UPnP opt-in, bounded SSE reader, signed self-update
Phase 2 security audit follow-up. Three independent hardenings against the unauthenticated daemon surface, the long-lived agent SSE stream and the self-update channel. UPnP is now opt-in. The stream port + /hls endpoints have no auth, so publishing them on the WAN via the gateway was a default that exposed active downloads to anyone scanning the operator's external IP. New config downloads.enable_upnp (default false) gates the mapping; LAN and Tailscale clients continue to work unchanged. A startup log makes the new default visible. The agent SSE reader now uses a bounded bufio.Scanner instead of an unbounded ReadString. A hostile or buggy server can no longer grow daemon memory by streaming a single line forever or by emitting unbounded data: continuation lines — both are capped at 256 KiB and 1 MiB respectively, and an error is surfaced so SignalLoop reconnects. Self-update now verifies an ed25519 signature over checksums.txt when the binary was built with a release public key embedded (injected via goreleaser ldflags from RELEASE_SIGNING_PUBKEY). The companion scripts/sign-checksums runs in the release workflow when both the public-key variable and the private-key secret are present, uploading checksums.txt.sig next to the existing checksums file. Builds without the embedded key continue to update with SHA256-only verification; a --allow-unsigned flag is provided so users on a signed build can still install pre-signing releases or recover from an accidental unsigned release. A new scripts/gen-release-key helper documents the one-time keypair generation procedure required before flipping signing on.
This commit is contained in:
Deivid Soto
parent
c148cb8ce7
commit
433e375def
17 changed files with 551 additions and 32 deletions
|
|
@ -13,6 +13,7 @@ package upgrade
|
|||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"log"
|
||||
"os"
|
||||
|
|
@ -43,6 +44,13 @@ type Upgrader struct {
|
|||
CurrentVersion string
|
||||
// OnProgress is called with status messages during the upgrade process.
|
||||
OnProgress func(msg string)
|
||||
// AllowUnsigned downgrades a missing checksums.txt.sig to a warning and
|
||||
// continues with SHA256-only verification. Required to downgrade to a
|
||||
// release published before signing was introduced, or to recover from
|
||||
// an accidental release where the workflow's signing step was skipped.
|
||||
// Default false — signature missing is a hard failure when a public
|
||||
// key is embedded.
|
||||
AllowUnsigned bool
|
||||
}
|
||||
|
||||
func (u *Upgrader) log(msg string) {
|
||||
|
|
@ -89,10 +97,21 @@ func (u *Upgrader) Execute(ctx context.Context, targetVersion string) Result {
|
|||
}
|
||||
defer os.Remove(archivePath)
|
||||
|
||||
// 5. Verify checksum
|
||||
u.log("Verifying checksum...")
|
||||
// 5. Verify checksum (and signature, if configured)
|
||||
if SignatureVerificationConfigured() {
|
||||
u.log("Verifying checksum + ed25519 signature...")
|
||||
} else {
|
||||
u.log("Verifying checksum (release signature verification not configured for this build)...")
|
||||
}
|
||||
if err := verifyChecksum(ctx, targetVersion, archivePath); err != nil {
|
||||
return u.fail("checksum: %v", err)
|
||||
if errors.Is(err, ErrMissingSignature) && u.AllowUnsigned {
|
||||
u.log("WARNING: release is unsigned and --allow-unsigned was passed; continuing with SHA256-only verification")
|
||||
if err := verifyChecksumOnly(ctx, targetVersion, archivePath); err != nil {
|
||||
return u.fail("checksum: %v", err)
|
||||
}
|
||||
} else {
|
||||
return u.fail("checksum: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// 6. Extract binary
|
||||
|
|
@ -224,7 +243,12 @@ func archiveName(version string) string {
|
|||
return fmt.Sprintf("%s_%s_%s_%s.%s", binaryName, version, runtime.GOOS, runtime.GOARCH, ext)
|
||||
}
|
||||
|
||||
// githubReleaseHost is the base URL used to build release asset URLs. Exposed
|
||||
// as a var (not a const) so tests can point it at an httptest.Server without
|
||||
// touching production behaviour.
|
||||
var githubReleaseHost = "https://github.com"
|
||||
|
||||
// releaseURL returns the download URL for a release asset.
|
||||
func releaseURL(version, filename string) string {
|
||||
return fmt.Sprintf("https://github.com/%s/releases/download/v%s/%s", githubRepo, version, filename)
|
||||
return fmt.Sprintf("%s/%s/releases/download/v%s/%s", githubReleaseHost, githubRepo, version, filename)
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue