Merge pull request #110 from deeploy-sh/hotfix/security-issues

axadrn · web-flow · commit 4abc6aeb2971 · 2026-02-09T15:50:24.000+04:00
Hotfix/security issues
diff --git a/internal/server/auth/cli_session.go b/internal/server/auth/cli_session.go
@@ -40,7 +40,7 @@ func SetSessionToken(sessionID, token string) {
 	sessionsMu.Lock()
 	defer sessionsMu.Unlock()
 
-	log.Printf("[CLI Auth] SetSessionToken: session=%s token=%s...", sessionID, token[:min(10, len(token))])
+	log.Printf("[CLI Auth] SetSessionToken: session=%s", sessionID)
 
 	session, exists := sessions[sessionID]
 	if !exists {
diff --git a/internal/server/config/config.go b/internal/server/config/config.go
@@ -31,6 +31,7 @@ func Load() *Config {
 	// Always require secrets (generated by install script)
 	jwtSecret := requireEnv("JWT_SECRET", "min 32 characters")
 	encryptionKey := requireEnv("ENCRYPTION_KEY", "exactly 32 characters")
+	cookieSecure := getEnvBool("COOKIE_SECURE", appEnv == "production")
 
 	return &Config{
 		AppEnv:           appEnv,
@@ -39,7 +40,7 @@ func Load() *Config {
 		DBConnection:     dbConnection,
 		JWTSecret:        jwtSecret,
 		EncryptionKey:    encryptionKey,
-		CookieSecure:     false, // HTTP allowed, Traefik enforces HTTPS when domain configured
+		CookieSecure:     cookieSecure,
 		BuildDir:         getEnv("BUILD_DIR", "/tmp/deeploy-builds"),
 		TraefikConfigDir: getEnv("TRAEFIK_CONFIG_DIR", "/traefik/dynamic"),
 	}
@@ -61,6 +62,20 @@ func getEnv(key, fallback string) string {
 	return value
 }
 
+func getEnvBool(key string, fallback bool) bool {
+	value, exists := os.LookupEnv(key)
+	if !exists || value == "" {
+		return fallback
+	}
+	if value == "1" || value == "true" || value == "TRUE" || value == "True" {
+		return true
+	}
+	if value == "0" || value == "false" || value == "FALSE" || value == "False" {
+		return false
+	}
+	return fallback
+}
+
 func requireEnv(key, hint string) string {
 	value := os.Getenv(key)
 	if value == "" {
diff --git a/internal/server/cookie/cookie.go b/internal/server/cookie/cookie.go
@@ -4,13 +4,13 @@ import (
 	"net/http"
 )
 
-func SetCookie(w http.ResponseWriter, token string) {
+func SetCookie(w http.ResponseWriter, token string, secure bool) {
 	http.SetCookie(w, &http.Cookie{
 		Name:     "token",
 		Value:    token,
 		Path:     "/",
 		HttpOnly: true,
-		Secure:   false, // HTTP allowed, Traefik enforces HTTPS when domain configured
+		Secure:   secure,
 		SameSite: http.SameSiteStrictMode,
 		MaxAge:   3600 * 24,
 	})
diff --git a/internal/server/docker/docker.go b/internal/server/docker/docker.go
@@ -27,6 +27,14 @@ import (
 
 // ansiRegex matches ANSI escape codes (colors, formatting)
 var ansiRegex = regexp.MustCompile(`\x1b\[[0-9;]*m`)
+var gitURLCredentialsRegex = regexp.MustCompile(`(https?://)[^@\s/]+@`)
+
+var tokenPatterns = []*regexp.Regexp{
+	regexp.MustCompile(`ghp_[A-Za-z0-9_]+`),
+	regexp.MustCompile(`github_pat_[A-Za-z0-9_]+`),
+	regexp.MustCompile(`glpat-[A-Za-z0-9_-]+`),
+	regexp.MustCompile(`ATBB[A-Za-z0-9_-]+`),
+}
 
 // NetworkName is the shared network where Traefik lives.
 // New containers join this network so Traefik can route traffic to them.
@@ -85,12 +93,27 @@ func (d *DockerService) CloneRepo(repoURL, branch, token string) (string, error)
 	output, err := cmd.CombinedOutput()
 	if err != nil {
 		os.RemoveAll(cloneDir) // Cleanup failed clone attempt
-		return "", fmt.Errorf("git clone failed: %s - %w", string(output), err)
+		safeOutput := sanitizeGitOutput(string(output), token)
+		if strings.TrimSpace(safeOutput) == "" {
+			return "", fmt.Errorf("git clone failed: %w", err)
+		}
+		return "", fmt.Errorf("git clone failed: %s - %w", safeOutput, err)
 	}
 
 	return cloneDir, nil
 }
 
+func sanitizeGitOutput(output, token string) string {
+	sanitized := gitURLCredentialsRegex.ReplaceAllString(output, "${1}***@")
+	if token != "" {
+		sanitized = strings.ReplaceAll(sanitized, token, "***")
+	}
+	for _, pattern := range tokenPatterns {
+		sanitized = pattern.ReplaceAllString(sanitized, "***")
+	}
+	return sanitized
+}
+
 // BuildImage builds a Docker image from a directory with a Dockerfile.
 // logCallback is called for each line of build output (can be nil).
 func (d *DockerService) BuildImage(ctx context.Context, buildPath, dockerfilePath, imageName string, logCallback func(string)) (string, error) {
diff --git a/internal/server/handler/user.go b/internal/server/handler/user.go
@@ -14,11 +14,15 @@ import (
 )
 
 type UserHandler struct {
-	service service.UserServiceInterface
+	service      service.UserServiceInterface
+	cookieSecure bool
 }
 
-func NewUserHandler(service *service.UserService) *UserHandler {
-	return &UserHandler{service: service}
+func NewUserHandler(service *service.UserService, cookieSecure bool) *UserHandler {
+	return &UserHandler{
+		service:      service,
+		cookieSecure: cookieSecure,
+	}
 }
 
 func (h *UserHandler) LandingView(w http.ResponseWriter, r *http.Request) {
@@ -71,7 +75,7 @@ func (h *UserHandler) Login(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	cookie.SetCookie(w, token)
+	cookie.SetCookie(w, token, h.cookieSecure)
 	http.Redirect(w, r, "/dashboard", http.StatusSeeOther)
 }
 
@@ -117,7 +121,7 @@ func (h *UserHandler) Register(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	cookie.SetCookie(w, token)
+	cookie.SetCookie(w, token, h.cookieSecure)
 	http.Redirect(w, r, "/dashboard", http.StatusSeeOther)
 }
 
diff --git a/internal/server/routes/routes.go b/internal/server/routes/routes.go
@@ -17,7 +17,7 @@ func Setup(app *app.App) http.Handler {
 
 	// Handlers
 	auth := mw.NewAuthMiddleware(app.UserService)
-	userHandler := handlers.NewUserHandler(app.UserService)
+	userHandler := handlers.NewUserHandler(app.UserService, app.Cfg.CookieSecure)
 	projectHandler := handlers.NewProjectHandler(app.ProjectService, app.PodService)
 	podHandler := handlers.NewPodHandler(app.PodService)
 	gitTokenHandler := handlers.NewGitTokenHandler(app.GitTokenService)

Original file line number	Diff line number	Diff line change
`@@ -14,11 +14,15 @@ import (`
`14`	`14`	`)`
`15`	`15`
`16`	`16`	`type UserHandler struct {`
`17`		`- service service.UserServiceInterface`
	`17`	`+ service service.UserServiceInterface`
	`18`	`+ cookieSecure bool`
`18`	`19`	`}`
`19`	`20`
`20`		`-func NewUserHandler(service service.UserService) UserHandler {`
`21`		`- return &UserHandler{service: service}`
	`21`	`+func NewUserHandler(service service.UserService, cookieSecure bool) UserHandler {`
	`22`	`+ return &UserHandler{`
	`23`	`+ service: service,`
	`24`	`+ cookieSecure: cookieSecure,`
	`25`	`+ }`
`22`	`26`	`}`
`23`	`27`
`24`	`28`	`func (h UserHandler) LandingView(w http.ResponseWriter, r http.Request) {`
`@@ -71,7 +75,7 @@ func (h UserHandler) Login(w http.ResponseWriter, r http.Request) {`
`71`	`75`	`return`
`72`	`76`	`}`
`73`	`77`
`74`		`- cookie.SetCookie(w, token)`
	`78`	`+ cookie.SetCookie(w, token, h.cookieSecure)`
`75`	`79`	`http.Redirect(w, r, "/dashboard", http.StatusSeeOther)`
`76`	`80`	`}`
`77`	`81`
`@@ -117,7 +121,7 @@ func (h UserHandler) Register(w http.ResponseWriter, r http.Request) {`
`117`	`121`	`return`
`118`	`122`	`}`
`119`	`123`
`120`		`- cookie.SetCookie(w, token)`
	`124`	`+ cookie.SetCookie(w, token, h.cookieSecure)`
`121`	`125`	`http.Redirect(w, r, "/dashboard", http.StatusSeeOther)`
`122`	`126`	`}`
`123`	`127`