sec: misc fable hardening #3244

Open · Salazareo wants to merge 3 commits into main from DS/main

Conversation

@Salazareo (Member)

No description provided.

github-actions bot commented Jun 10, 2026 (Contributor)

Coverage Report

| Status | Category | Percentage | Change | Covered / Total |
|---|---|---|---|---|
| 🔵 | Lines | 73.13% | ⬆️ +0.32% | 14572 / 19925 |
| 🔵 | Statements | 71.62% | ⬆️ +0.33% | 15400 / 21502 |
| 🔵 | Functions | 71.39% | ⬆️ +0.38% | 2391 / 3349 |
| 🔵 | Branches | 61.34% | ⬆️ +0.18% | 9925 / 16178 |

File Coverage (changed files)

| File | Stmts | Branches | Functions | Lines | Uncovered Lines |
|---|---|---|---|---|---|
| src/backend/server.ts | 50.78% (⬆️ +0.39%) | 37.31% (⬆️ +0.47%) | 43.58% (🟰 ±0%) | 51.79% (⬆️ +0.41%) | 89-90, 104-109, 124-130, 175-188, 215-223, 251-252, 255-264, 267-271, 279, 282, 285, 291, 315, 322-328, 331-382, 407-435, 452-480, 494-496, 515-519, 546, 562-564, 574-579, 582-588, 591-597, 600-606, 625-627, 638, 642-644, 659, 665-701, 714-734, 741-742, 773-810 |
| src/backend/controllers/auth/AuthController.ts | 89.22% (⬆️ +0.04%) | 74.81% (🟰 ±0%) | 71.15% (🟰 ±0%) | 90.2% (⬆️ +0.04%) | 6, 24-26, 32, 33, 34, 38-39, 44, 45, 47, 376-377, 438-440, 457-459, 570, 630, 670, 681, 695-703, 736-737, 740-745, 779, 883, 1018, 1063, 1123, 1136-1139, 1179-1181, 1243-1245, 1257-1259, 1264-1266, 1285, 1304, 1315, 1405-1412, 1438-1452, 1461-1467, 1485, 1516-1518, 1530-1536, 1562, 1569-1576, 1582, 1589-1602, 1621-1636, 1665-1667, 1707, 1730-1732, 1764, 1805-1807, 1873, 1903, 1998-2001, 2078-2083, 2086-2088, 2115, 2134, 2152, 2170, 2183, 2195, 2212, 2222, 2233, 2245, 2254, 2258, 2276, 2306-2310, 2319-2321, 2335, 2338-2342, 2418 |
| src/backend/controllers/drivers/DriverController.ts | 67.11% (🟰 ±0%) | 37.5% (🟰 ±0%) | 54.05% (🟰 ±0%) | 73.48% (🟰 ±0%) | 6, 13, 16, 24-26, 32-34, 38-39, 43, 44, 45, 46, 47, 66-77, 80-112, 135, 228-240, 270, 319-332, 348-353, 392-394, 399, 401-404 |
| src/backend/controllers/fs/FSController.ts | 60.84% (⬆️ +0.04%) | 50.5% (🟰 ±0%) | 59.87% (🟰 ±0%) | 60.7% (⬆️ +0.05%) | 6, 24-26, 32, 33, 34, 38-39, 44, 45, 47, 67-84, 108-134, 180, 192-205, 236-585, 710, 886, 887, 888, 904-906, 938, 942, 974-976, 981-982, 989, 993, 1001, 1046-1048, 1052-1054, 1063-1065, 1071, 1089-1090, 1097-1098, 1109, 1133, 1141, 1149, 1153, 1157, 1161, 1170-1173, 1179-1199, 1206, 1217, 1222-1224, 1229-1231, 1238, 1241, 1248-1250, 1269, 1276-1279, 1284-1286, 1290-1292, 1296-1298, 1302-1304, 1346-1348, 1419-1420, 1432, 1436-1438, 1441-1444, 1450-1459, 1461-1467, 1477, 1479-1499, 1510-1540, 1556-1560, 1563-1575, 1581-1584, 1588-1609, 1615-1622, 1639, 1643-1710, 1713-1737 |
| src/backend/controllers/fs/LegacyFSController.ts | 61.19% (⬇️ -0.14%) | 44.88% (⬇️ -0.16%) | 46.59% (🟰 ±0%) | 62.37% (⬇️ -0.16%) | 74-84, 162-164, 168-211, 223-238, 250-256, 310, 421-425, 672-674, 707-708, 770-772, 774-776, 780-782, 884, 921, 943-947, 977-979, 1042-1051, 1056-1062, 1070, 1104-1122, 1129-1300, 1330-1332, 1350-1352, 1357-1359, 1362-1380, 1384, 1449-1459, 1502-1504, 1629, 1679-1761, 1810-1896, 1901-1903, 1943-1945, 2065-2181, 2188-2189, 2193, 2211-2327, 2347-2349, 2353-2355, 2361, 2362, 2364, 2373-2376, 2384-2404 |
| src/backend/controllers/peer/PeerController.ts | 61.42% (⬆️ +2.96%) | 68.18% (⬆️ +0.74%) | 80% (⬆️ +2.23%) | 60.31% (⬆️ +3.42%) | 48-49, 60-68, 79-81, 144-175, 185, 214-236 |
| src/backend/core/http/types.ts | 100% (🟰 ±0%) | 100% (🟰 ±0%) | 100% (🟰 ±0%) | 100% (🟰 ±0%) | (none) |
| src/backend/drivers/apps/AppDriver.js | 62.61% (⬆️ +1.35%) | 54.7% (⬆️ +0.90%) | 78% (⬆️ +0.45%) | 66.16% (⬆️ +1.24%) | 71-80, 156, 172-174, 271, 277-283, 342-359, 431, 614, 660-662, 669, 671-672, 696, 704, 706, 714, 728-729, 772, 780, 793, 798, 850, 883-902, 927, 932, 953, 959, 971-975, 996-1009, 1017, 1022, 1025, 1038-1062, 1070-1094, 1103-1109, 1114, 1118-1141, 1157-1170, 1174, 1178, 1186-1214, 1241-1313, 1320-1353 |
| src/backend/services/auth/AuthService.ts | 83.85% (⬇️ -0.01%) | 75.77% (⬇️ -0.34%) | 89.74% (⬆️ +0.13%) | 86.73% (⬆️ +0.14%) | 78, 82, 132-134, 156-160, 181, 314-316, 368-370, 416, 418, 462, 605-608, 621, 682-684, 719-721, 731-733, 739-741, 755-757, 772, 790-792, 798-800, 813-815, 852-855, 914-927, 936, 938, 954, 963-968, 986, 998, 1028-1029, 1032-1034, 1037-1042, 1048-1049, 1060, 1072, 1074, 1080, 1169, 1243-1245, 1404-1406, 1677-1679, 1756-1759, 1785, 1805-1809, 1812, 1815-1817, 1838, 1841, 1860-1864, 1872-1874 |
| src/backend/services/auth/TokenService.ts | 97.29% (⬆️ +1.07%) | 87.17% (⬆️ +1.46%) | 100% (🟰 ±0%) | 97.08% (⬆️ +0.15%) | 91, 304-306, 339-342 |
| src/backend/services/fs/FSService.ts | 48.99% (⬆️ +0.32%) | 40.67% (⬇️ -0.28%) | 54.3% (⬆️ +0.61%) | 49.05% (⬆️ +0.22%) | 76-78, 155-168, 192, 200, 203, 234, 241, 244, 305-307, 310-314, 320, 323, 331-333, 343-345, 357-359, 364-366, 399-419, 448, 464-469, 481-503, 508-512, 515-519, 565, 568, 578, 583-589, 605, 610-612, 622, 632, 644-673, 678-680, 724-728, 751-753, 757, 764, 791-797, 802-819, 824-829, 834-840, 857-1018, 1035, 1130-1553, 1589-1593, 1619-1621, 1658-1660, 1703-1706, 1741-1743, 1784-1786, 1807-1814, 1833-1835, 1841-1843, 1890-1892, 1898-1900, 1913-1916, 1923-1925, 1941-2197, 2214-2218, 2236-2238, 2246-2250, 2253-2254, 2271-2277, 2285-2317, 2326-2332, 2337-2353, 2412-2414, 2437-2439, 2448-2484, 2505, 2545-2547, 2551-2556, 2587-2666, 2675-2677, 2753-2755, 2759-2763, 2779-2814, 2830, 2863-2867, 2882-2884, 2887-2889, 2932-2945, 2965-2982, 2989-2991, 3017-3021, 3039-3041, 3043-3045, 3046, 3055-3057, 3101-3108, 3144-3148, 3157-3159, 3166-3168, 3231-3258, 3275-3286, 3290-3292, 3346, 3374-3378, 3381-3383, 3389-3391, 3402-3414, 3427, 3429, 3482-3484, 3491-3495, 3506-3518, 3528-3534, 3557, 3565-3591, 3607-3718, 3730-3732, 3774-3776 |
| src/backend/services/permission/PermissionService.ts | 75.11% (⬆️ +0.48%) | 66.54% (⬆️ +0.92%) | 64.06% (⬇️ -0.34%) | 76.84% (⬆️ +0.26%) | 50-67, 127, 129-130, 158, 219-220, 319-326, 346, 359-365, 370, 403, 409-423, 435-444, 449, 453-462, 468-485, 489-507, 521, 535-543, 548, 556-557, 560, 579, 589, 594-595, 598, 634-636, 669-671, 699-701, 732-734, 736-738, 770-772, 801-803, 825-846, 850-852, 858-870, 878-895, 904-916, 936-969, 973-977, 1002-1004 |
| src/backend/services/permission/consts.ts | 100% (🟰 ±0%) | 100% (🟰 ±0%) | 100% (🟰 ±0%) | 100% (🟰 ±0%) | (none) |
| src/backend/services/selfhosted/DefaultUserService.ts | 76.31% (🟰 ±0%) | 37.5% (🟰 ±0%) | 100% (🟰 ±0%) | 82.35% (🟰 ±0%) | 64-67, 70, 75, 99-102, 112-115 |
| src/backend/stores/fs/S3ObjectStore.ts | 27.43% (⬆️ +1.35%) | 30.84% (⬆️ +0.37%) | 43.75% (⬆️ +1.82%) | 28.12% (⬆️ +1.37%) | 42-58, 88-143, 151-175, 179, 185-234, 259-263, 292-319, 332, 353-490 |
| src/backend/stores/group/GroupStore.ts | 45.83% (⬇️ -1.99%) | 35.71% (🟰 ±0%) | 50% (⬇️ -4.16%) | 51.72% (⬇️ -1.85%) | 74-78, 95-158, 186-192, 205, 218, 233, 238, 239, 243, 247, 251 |
| src/backend/stores/permission/PermissionStore.ts | 75.78% (⬆️ +0.64%) | 67.18% (⬆️ +3.18%) | 67.64% (⬆️ +0.46%) | 81.25% (⬇️ -0.04%) | 111, 163, 246-249, 340-348, 379-389, 426, 436-494, 520-556, 599, 620-626, 652, 670, 700, 710, 715, 726, 843, 845, 850 |
| src/backend/util/fileSigning.ts | 95.34% (⬆️ +20.34%) | 77.77% (⬆️ +12.56%) | 100% (⬆️ +16.67%) | 97.5% (⬆️ +23.22%) | 82, 149-151 |
| src/backend/util/inlineContentSecurity.ts | 100% | 100% | 100% | 100% | (none) |
| src/backend/util/secureHttp.ts | 81.35% (⬆️ +33.99%) | 69.38% (⬆️ +26.53%) | 100% (⬆️ +50.00%) | 82.14% (⬆️ +32.14%) | 62, 75, 80-81, 95-98, 112, 132-139 |

Generated in workflow #359 for commit f1add52 by the Vitest Coverage Report Action

Copilot AI left a comment (Contributor)

Pull request overview

Security-hardening PR that tightens trust boundaries between GUI iframes/apps and backend services, and reduces common attack surfaces (SSRF, stored XSS, token/secret misuse, and session persistence).

Changes:

  • Hardened backend security controls: SSRF-resistant fetch, CSP sandboxing for active-document file types, constant-time secret compares, stricter JWT verification, and placeholder-secret boot refusal.
  • Strengthened auth/session behavior: password-reset now revokes interactive sessions; login/signup endpoints get stacked rate limits (fingerprint + IP).
  • Reduced GUI/app attack surface: IPC now verifies the sending iframe owns the claimed appInstanceID; apps can’t set index_url to Puter system hosts.

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 5 comments.

| File | Description |
|---|---|
| src/gui/src/IPC.js | Verifies postMessage sender matches the iframe owning appInstanceID. |
| src/backend/util/secureHttp.ts | Moves SSRF DNS checks to connect-time via undici dispatcher lookup guard. |
| src/backend/util/secureHttp.test.ts | Adds regression tests for connect-time SSRF DNS blocking and proxy bypass. |
| src/backend/util/inlineContentSecurity.ts | New helper to sandbox active-document responses served inline. |
| src/backend/util/inlineContentSecurity.test.ts | Tests CSP/nosniff behavior for active vs inert content-types. |
| src/backend/util/fileSigning.ts | Uses constant-time comparison for URL signature verification. |
| src/backend/util/fileSigning.test.ts | Adds round-trip + rejection-path tests for URL signatures. |
| src/backend/services/selfhosted/DefaultUserService.ts | Increases bootstrap admin temp password entropy. |
| src/backend/services/auth/TokenService.ts | Refuses placeholder secrets outside dev; pins JWT algorithms to HS256. |
| src/backend/services/auth/TokenService.test.ts | Tests placeholder-secret boot refusal + algorithm pinning behavior. |
| src/backend/services/auth/AuthService.ts | Adds password-reset session revocation helper for interactive sessions. |
| src/backend/server.ts | Adds referrer policy; supports stacked per-route rate limits. |
| src/backend/package.json | Adds undici dependency for dispatcher-based SSRF protections. |
| src/backend/drivers/apps/AppDriver.test.ts | Tests rejection of index_url on system/builtin hosts. |
| src/backend/drivers/apps/AppDriver.js | Blocks apps from using system/builtin hosts in index_url (sandbox escape prevention). |
| src/backend/core/http/types.ts | Extends rateLimit option to accept an array of independent limits. |
| src/backend/core/http/middleware/rateLimit.test.js | Tests stacked rate-limit gate semantics. |
| src/backend/controllers/peer/PeerController.ts | Uses constant-time internal-auth comparison (hashed then timingSafeEqual). |
| src/backend/controllers/fs/LegacyFSController.ts | Sandboxes active-document types for inline file serving (legacy endpoint). |
| src/backend/controllers/fs/FSController.ts | Sandboxes active-document types for inline file serving (/fs/read). |
| src/backend/controllers/auth/AuthController.ts | Stacks rate limits on credential endpoints; revokes sessions on password reset/change. |

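The review summary above describes moving the SSRF DNS check to connect time (the `lookup` hook of the HTTP client's connector) and testing the proxy-bypass case. The following is an added example written for this review, not the project's `secureHttp.ts`: a `lookup` function in the shape `net.connect` accepts, an address classifier, and a URL pre-check. The blocked ranges, the `Resolver` type, the `assertPublicHttpUrl` name and the error messages are my own choices; the resolver is injected so the guard can be exercised offline.

```typescript
// Added example for review: a connect-time SSRF guard. Not the project's secureHttp.ts;
// the blocked ranges, the Resolver type and the error messages are assumptions made here.
import { isIP } from 'node:net';

export interface ResolvedAddress { address: string; family: 4 | 6 }
export type Resolver = (hostname: string) => Promise<ResolvedAddress[]>;

const IPV4_MAPPED_PREFIX = '::ffff:';

/** True for any address an outbound fetch must never connect to: unspecified, loopback,
 *  RFC 1918, CGNAT, link-local (which is where 169.254.169.254 metadata lives), multicast
 *  and reserved space, and the IPv6 equivalents. Unparseable input is refused (fail closed). */
export function isForbiddenAddress(raw: string): boolean {
  const ip = raw.trim().toLowerCase().replace(/^\[|\]$/g, '');
  const version = isIP(ip);
  if (version === 0) return true;
  if (version === 6) {
    if (ip.startsWith(IPV4_MAPPED_PREFIX)) {
      // ::ffff:a.b.c.d (or its hex spelling ::ffff:aabb:ccdd) is IPv4 in an IPv6 coat:
      // judge the inner IPv4 address, otherwise the metadata IP walks straight through.
      const tail = ip.slice(IPV4_MAPPED_PREFIX.length);
      const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(tail);
      if (hex === null) return isForbiddenAddress(tail);
      const hi = parseInt(hex[1], 16);
      const lo = parseInt(hex[2], 16);
      return isForbiddenAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
    if (ip === '::' || ip === '::1') return true;
    if (/^fe[89ab]/.test(ip)) return true;   // fe80::/10 link-local
    if (/^f[cd]/.test(ip)) return true;      // fc00::/7 unique local
    return ip.startsWith('ff');              // ff00::/8 multicast
  }
  const [a, b] = ip.split('.').map(Number);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||    // 100.64.0.0/10 CGNAT
    (a === 169 && b === 254) ||              // 169.254.0.0/16 link-local, cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||     // 172.16.0.0/12
    (a === 192 && b === 168) ||              // 192.168.0.0/16
    a >= 224                                 // multicast, reserved, broadcast
  );
}

/** Resolve a host and refuse if ANY returned address is forbidden. Checking every answer,
 *  not just the first, defeats a name whose record set mixes a public and a private address. */
export async function resolveGuarded(hostname: string, resolve: Resolver): Promise<ResolvedAddress[]> {
  const literal = isIP(hostname);
  const answers = literal ? [{ address: hostname, family: literal as 4 | 6 }] : await resolve(hostname);
  if (answers.length === 0) throw new Error(`SSRF guard: ${hostname} did not resolve`);
  const blocked = answers.find((a) => isForbiddenAddress(a.address));
  if (blocked) throw new Error(`SSRF guard: ${hostname} resolves to blocked address ${blocked.address}`);
  return answers;
}

type LookupCallback = (err: Error | null, address?: string | ResolvedAddress[], family?: number) => void;

/** A `lookup` function in the shape `net.connect` accepts. Installed on the client's connector,
 *  it runs for every new socket, including the ones opened to follow a redirect, so there is
 *  no window between "validated" and "connected" in which the DNS answer can change. */
export function makeGuardedLookup(resolve: Resolver) {
  return (hostname: string, options: { all?: boolean }, callback: LookupCallback): void => {
    resolveGuarded(hostname, resolve).then(
      (answers) => (options.all ? callback(null, answers) : callback(null, answers[0].address, answers[0].family)),
      (err: Error) => callback(err),
    );
  };
}

/** net.connect does not call `lookup` for literal IP hosts, so the URL itself is screened too. */
export function assertPublicHttpUrl(url: string): URL {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') throw new Error(`SSRF guard: scheme ${u.protocol} not allowed`);
  const host = u.hostname.replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host.endsWith('.localhost')) throw new Error('SSRF guard: localhost not allowed');
  if (isIP(host) && isForbiddenAddress(host)) throw new Error(`SSRF guard: literal address ${host} not allowed`);
  return u;
}
```

Two caveats a reviewer of this kind of change should check in the real code. First, undici's `Agent` forwards its `connect` options to `net.connect`, which is why a `lookup` placed there is honoured per socket; the guard is only as good as that wiring, so the regression test should assert on a connection actually being refused, not on the classifier alone. Second, when an outbound proxy is configured the socket goes to the proxy and `lookup` never sees the target host, which is the "proxy bypass" case the PR's test names: either the proxy must apply the same policy, or proxy use must be disabled for this client.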
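The summary also describes sandboxing "active-document" content types when user files are served inline, with nosniff for everything else. Here is an added example of that decision logic, written for this review; it is not the project's `inlineContentSecurity.ts`, and the set of types treated as active, the structured-suffix rule and the exact CSP string are my assumptions. The threat it addresses is stored XSS: an uploaded HTML or SVG file served from the API origin would otherwise run script with that origin's cookies and file access.

```typescript
// Added example for review: headers for serving user-controlled files inline.
// Not the project's inlineContentSecurity.ts; the ACTIVE_TYPES list, the +xml/+html
// suffix rule and the CSP value are assumptions made here.

/** Types a browser renders as a document that can run script or load subresources. */
const ACTIVE_TYPES = new Set<string>([
  'text/html',
  'application/xhtml+xml',
  'image/svg+xml',
  'text/xml',
  'application/xml',
]);

export interface InlineHeaders {
  'Content-Type': string;
  'X-Content-Type-Options': 'nosniff';
  'Content-Security-Policy'?: string;
}

/** Lower-cased type/subtype without parameters, or undefined when the header is unusable. */
export function mimeEssence(contentType: string | undefined): string | undefined {
  if (contentType === undefined) return undefined;
  const essence = contentType.split(';')[0].trim().toLowerCase();
  return /^[\w.+-]+\/[\w.+-]+$/.test(essence) ? essence : undefined;
}

/** Any XML-based or HTML-based type counts as active, since XML documents can pull in
 *  stylesheets and XHTML namespaces, not only the well-known entries in the set. */
export function isActiveDocument(mime: string): boolean {
  return ACTIVE_TYPES.has(mime) || mime.endsWith('+xml') || mime.endsWith('+html');
}

/** Decide the response headers for an inline read of a stored file.
 *  - nosniff is set unconditionally so the browser cannot upgrade text/plain to HTML.
 *  - an unparseable or missing type is served as application/octet-stream (a download).
 *  - active types get a sandboxing CSP: an opaque origin, no script, no subresource loads. */
export function inlineResponseHeaders(contentType: string | undefined): InlineHeaders {
  const mime = mimeEssence(contentType);
  const headers: InlineHeaders = {
    'Content-Type': mime === undefined ? 'application/octet-stream' : (contentType as string),
    'X-Content-Type-Options': 'nosniff',
  };
  if (mime !== undefined && isActiveDocument(mime)) {
    headers['Content-Security-Policy'] = "sandbox; default-src 'none'";
  }
  return headers;
}
```

Note that `sandbox` alone already gives the document a unique opaque origin, which is the property that stops an uploaded page from reading the victim's session; `default-src 'none'` is added so the sandboxed page also cannot beacon data out through image or fetch loads.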

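Two rows in the summary concern constant-time comparison: `fileSigning.ts` (URL signature verification) and `PeerController.ts` (internal-auth secret, hashed and then passed to `timingSafeEqual`). The following added example, written for this review and not taken from either file, shows why the hash step is there and how it fits into a signed-URL round trip. The URL layout, query parameter names, `VerifyResult` values and the SHA-256/HMAC-SHA-256 choices are my own.

```typescript
// Added example for review: constant-time secret and URL-signature checks.
// Not the project's fileSigning.ts or PeerController; the URL shape, parameter names and
// result values are assumptions made here.
import { createHash, createHmac, timingSafeEqual } from 'node:crypto';

/** Constant-time equality for secrets of unknown length. timingSafeEqual throws when the two
 *  buffers differ in length, so calling it on raw strings leaks (through the exception, or an
 *  early length check) whether the lengths match. Hashing both sides to a fixed 32 bytes first
 *  removes that signal and keeps the comparison constant-time for any input. */
export function secretsEqual(a: string, b: string): boolean {
  const ha = createHash('sha256').update(a, 'utf8').digest();
  const hb = createHash('sha256').update(b, 'utf8').digest();
  return timingSafeEqual(ha, hb);
}

/** Everything the server will act on goes under the MAC, expiry included, so none of it
 *  can be edited by the holder of the URL. */
function signedMaterial(path: string, uid: string, expiresAt: number): string {
  return JSON.stringify([path, uid, expiresAt]);
}

function hmac(secret: string, material: string): string {
  return createHmac('sha256', secret).update(material, 'utf8').digest('base64url');
}

/** Issue a signed read URL for `path` on behalf of `uid` that stops working at `expiresAt`
 *  (milliseconds since the epoch). The path is URL-normalised before signing so that the
 *  verifier, which sees the normalised form, signs and checks the same bytes. */
export function signFileUrl(secret: string, path: string, uid: string, expiresAt: number): string {
  const canonicalPath = new URL(path, 'http://placeholder.invalid').pathname;
  const sig = hmac(secret, signedMaterial(canonicalPath, uid, expiresAt));
  const q = new URLSearchParams({ uid, expires: String(expiresAt), signature: sig });
  return `${canonicalPath}?${q.toString()}`;
}

export type VerifyResult = 'ok' | 'malformed' | 'bad-signature' | 'expired';

/** Verify a URL produced by signFileUrl. The signature is recomputed and compared in constant
 *  time before the expiry decision, so the expiry value is only trusted once authenticated. */
export function verifyFileUrl(secret: string, url: string, now: number): VerifyResult {
  const u = new URL(url, 'http://placeholder.invalid');
  const uid = u.searchParams.get('uid');
  const expires = Number(u.searchParams.get('expires'));
  const sig = u.searchParams.get('signature');
  if (uid === null || sig === null || !Number.isSafeInteger(expires)) return 'malformed';
  const expected = hmac(secret, signedMaterial(u.pathname, uid, expires));
  if (!secretsEqual(sig, expected)) return 'bad-signature';
  return expires > now ? 'ok' : 'expired';
}
```

The same `secretsEqual` shape is what a peer-to-peer internal-auth check needs: the presented secret and the configured one are hashed and compared, and the response time no longer depends on how many leading bytes the attacker guessed right or on how long their guess was.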
Inline review threads (comment bodies are not shown on this page):

  • src/backend/util/secureHttp.ts (one open thread, two marked Outdated)
  • src/backend/controllers/peer/PeerController.ts (Outdated)
  • src/backend/services/auth/TokenService.ts
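The TokenService row of the summary covers two controls: refusing placeholder secrets at boot outside development, and pinning JWT verification to HS256. The following is an added example written for this review using only `node:crypto`; it is not the project's `TokenService.ts` (which the summary says uses a JWT library), and the placeholder list, the 32-byte minimum and the `NODE_ENV` convention are my assumptions. The `forgeAlgNone` helper shows the token an attacker submits when a verifier lets the header choose the algorithm.

```typescript
// Added example for review: HS256 verification with the algorithm pinned by the verifier,
// and boot-time refusal of placeholder secrets. Not the project's TokenService; the
// placeholder list, minimum length and environment check are assumptions made here.
import { createHmac, timingSafeEqual } from 'node:crypto';

const PLACEHOLDER_SECRETS = new Set<string>(['changeme', 'secret', 'default', 'placeholder', 'your-secret-here']);
const MIN_SECRET_BYTES = 32;

/** Called once at startup. Outside development a missing, short or well-known secret is fatal:
 *  every session token would otherwise be forgeable by anyone who has read the sample config. */
export function assertUsableJwtSecret(secret: string | undefined, nodeEnv: string | undefined): string {
  if (nodeEnv === 'development') return secret ?? 'dev-only-insecure-secret';
  if (!secret) throw new Error('refusing to start: JWT secret is not set');
  if (PLACEHOLDER_SECRETS.has(secret.trim().toLowerCase())) throw new Error('refusing to start: JWT secret is a placeholder value');
  if (Buffer.byteLength(secret, 'utf8') < MIN_SECRET_BYTES) throw new Error(`refusing to start: JWT secret shorter than ${MIN_SECRET_BYTES} bytes`);
  return secret;
}

const b64url = (s: string): string => Buffer.from(s, 'utf8').toString('base64url');

export function signHs256(payload: Record<string, unknown>, secret: string): string {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

/** Verify with the algorithm fixed by the verifier, never chosen by the token. Honouring the
 *  header's `alg` is what enables `alg: none` and HMAC/RSA key-confusion forgeries.
 *  `now` is in seconds, like the JWT `exp` claim. */
export function verifyHs256(token: string, secret: string, now: number): Record<string, unknown> {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8')) as { alg?: unknown };
  if (header.alg !== 'HS256') throw new Error('algorithm not allowed');
  const expected = createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  // Both sides are fixed-length HMAC outputs, so a length check plus timingSafeEqual is safe here.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) throw new Error('invalid signature');
  const payload = JSON.parse(Buffer.from(body, 'base64url').toString('utf8')) as Record<string, unknown>;
  if (typeof payload.exp === 'number' && payload.exp <= now) throw new Error('token expired');
  return payload;
}

/** The classic forgery: keep the body, claim alg "none", send an empty signature. A verifier
 *  that trusts the header accepts this; a pinned verifier rejects it before looking at the MAC. */
export function forgeAlgNone(token: string): string {
  const body = token.split('.')[1];
  return `${b64url(JSON.stringify({ alg: 'none', typ: 'JWT' }))}.${body}.`;
}
```

With a JWT library the equivalent of the `header.alg !== 'HS256'` line is passing an explicit allow-list of algorithms to the verify call; the check worth having in the test suite is that a token whose header claims a different algorithm is rejected even when its signature would otherwise be valid.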
@Salazareo Salazareo force-pushed the DS/main branch 3 times, most recently from 28faa3b to 3c40782 Compare June 10, 2026 05:53
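The summary describes stacked rate limits on the credential endpoints (fingerprint and IP) and a test of "gate semantics". The following added example, written for this review and not the project's `rateLimit` middleware, implements that gate: several independent fixed-window counters, all charged on every request, with the request passing only when every one still has budget. The request shape, rule names and the budgets in `loginGate` are my own and are illustrative only.

```typescript
// Added example for review: independent rate limits stacked into a single gate.
// Not the project's rateLimit middleware; the request shape, rule names and budgets are
// assumptions made here.
export interface LimitedRequest { ip: string; fingerprint: string }

export interface RateLimitRule {
  name: string;
  key: (req: LimitedRequest) => string;
  max: number;        // attempts allowed per window
  windowMs: number;
}

interface Window { count: number; resetAt: number }

export interface GateDecision { allowed: boolean; blockedBy: string[]; retryAfterMs: number }

/** Fixed-window counters, one per (rule, key). Every rule is evaluated and charged on every
 *  request; the request passes only if every rule still has budget. Charging even the denied
 *  attempts means a client that keeps hammering never earns itself a fresh window. */
export class StackedRateLimiter {
  private readonly windows = new Map<string, Window>();
  private readonly rules: RateLimitRule[];

  constructor(rules: RateLimitRule[]) {
    this.rules = rules;
  }

  check(req: LimitedRequest, now: number): GateDecision {
    const blockedBy: string[] = [];
    let retryAfterMs = 0;
    for (const rule of this.rules) {
      const key = `${rule.name}:${rule.key(req)}`;
      let w = this.windows.get(key);
      if (w === undefined || w.resetAt <= now) {
        w = { count: 0, resetAt: now + rule.windowMs };
        this.windows.set(key, w);
      }
      w.count += 1;
      if (w.count > rule.max) {
        blockedBy.push(rule.name);
        retryAfterMs = Math.max(retryAfterMs, w.resetAt - now);
      }
    }
    return { allowed: blockedBy.length === 0, blockedBy, retryAfterMs };
  }
}

/** Example stack for a login route: a tight per-client budget keyed on the fingerprint, and a
 *  looser per-IP budget that still catches a client rotating fingerprints from one address.
 *  Numbers are illustrative. */
export function loginGate(): StackedRateLimiter {
  return new StackedRateLimiter([
    { name: 'fingerprint', key: (r) => r.fingerprint, max: 5, windowMs: 60_000 },
    { name: 'ip', key: (r) => r.ip, max: 20, windowMs: 60_000 },
  ]);
}
```

The point of stacking rather than picking one key is that each key fails in a different way: a fingerprint is attacker-controlled and can be rotated, while an IP is shared by everyone behind a NAT and cannot be made tight without locking out legitimate users. Neither limit alone is enough; both together leave the attacker bounded by whichever runs out first. The `retryAfterMs` value is the right source for a `Retry-After` header on the 429 response.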