security: pentest fixes — auth middleware, password policy, security headers#92

Merged
Abrechen2 merged 2 commits into master from security/pentest-fixes-0.30 on Mar 16, 2026
Conversation

@Abrechen2
Owner

Summary

Internal Kali Linux pentest (2026-03-16, VM201 → LXC 101) identified 11 findings. This PR fixes the 4 highest-priority code-level issues. Full findings documented in PENTEST_FINDINGS.md.

  • F-03 (MEDIUM-HIGH) auth.py: Add /api/v1/auth/ exemption to API-key middleware. Without this, UI login/setup/status were blocked by the API-key check when SUBLARR_API_KEY was set, making the web UI completely inaccessible.
  • F-06 (LOW) auth_ui.py: Raise minimum password length 4 → 12 characters.
  • F-07 (MEDIUM) app.py: Add X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: same-origin via after_request hook.
  • F-04 (MEDIUM) routes/system.py: Gate version and services in /api/v1/health behind auth. Unauthenticated callers receive only {"status": "healthy"}.

Remaining open findings (follow-up)

  • F-01/F-02 (HIGH) — No rate limiting on API key auth + login endpoint → requires flask-limiter dependency
  • F-05 (MEDIUM) — Webhook middleware exemption footgun → documentation/comment
  • F-08 (LOW) — Socket.IO handshake leaks config → low priority
  • F-09 (LOW) — rpcbind on LXC 101 → infra-level fix (pct exec 101 -- systemctl disable rpcbind --now)

Test plan

  • ruff check . && ruff format --check . — clean
  • pytest tests/test_auth.py tests/test_security.py — 35/35 passed
  • Verify UI login still works when SUBLARR_API_KEY is set (F-03 regression check)
  • Verify GET /api/v1/health without auth returns only {"status": "healthy"} (no version)
  • Verify security headers present on all responses
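The four code-level fixes (F-03, F-04, F-06, F-07) as an added Python example; this is not the project's code. The helpers mirror Flask before_request/after_request hook semantics without importing Flask, so the logic can be unit-tested on its own. Names such as AUTH_EXEMPT_PREFIXES, api_key_check, health_payload and the X-Api-Key header are assumptions.

```python
# Added example (not the project's code): the PR's fixes modelled as
# framework-independent helpers with Flask-like hook semantics.
import hmac
from typing import Optional

# F-03: UI login/setup/status must bypass the API-key check so the UI-auth
# handler can run. Trailing slash keeps e.g. /api/v1/authz out of the exemption.
AUTH_EXEMPT_PREFIXES = ("/api/v1/auth/",)
MIN_PASSWORD_LENGTH = 12  # F-06: raised from 4
SECURITY_HEADERS = {      # F-07: applied to every response
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "same-origin",
}

def api_key_check(path: str, headers: dict, configured_key: Optional[str]) -> Optional[tuple]:
    """before_request equivalent: return an error response, or None to continue."""
    if not configured_key:  # API-key auth disabled (SUBLARR_API_KEY unset)
        return None
    if any(path.startswith(prefix) for prefix in AUTH_EXEMPT_PREFIXES):
        return None  # F-03 exemption; UI-auth still protects these routes
    presented = headers.get("X-Api-Key", "")  # header name is an assumption
    if not hmac.compare_digest(presented, configured_key):  # constant-time compare
        return 401, {"error": "unauthorized"}
    return None

def add_security_headers(response_headers: dict) -> dict:
    """after_request equivalent (F-07); does not clobber headers a route set."""
    for name, value in SECURITY_HEADERS.items():
        response_headers.setdefault(name, value)
    return response_headers

def health_payload(authenticated: bool, healthy: bool, version: str, services: dict) -> dict:
    """F-04: version and service topology only for authenticated callers."""
    body = {"status": "healthy" if healthy else "unhealthy"}
    if authenticated:
        body["version"] = version
        body["services"] = services
    return body

def password_ok(password: str) -> bool:
    """F-06: minimum-length policy for UI passwords."""
    return len(password) >= MIN_PASSWORD_LENGTH
```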

…headers

Findings from internal Kali pentest (2026-03-16) against v0.30.0-beta:

- F-03: Add /api/v1/auth/ exemption to API-key middleware (auth.py) so
  UI login/setup/status endpoints are reachable when SUBLARR_API_KEY is
  set. Without this, the web UI login flow was blocked by the API-key
  middleware before the UI-auth handler could run.
- F-06: Raise minimum password length from 4 → 12 characters (auth_ui.py)
- F-07: Add X-Frame-Options: DENY, X-Content-Type-Options: nosniff and
  Referrer-Policy: same-origin headers to all responses via after_request
  hook (app.py)
- F-04: Gate version and service topology in /api/v1/health behind auth.
  Unauthenticated callers (uptime monitors, scanners) now only receive
  {"status": "healthy/unhealthy"} without version string or integration
  details.

Full findings documented in PENTEST_FINDINGS.md (root of repo).
@Abrechen2 Abrechen2 merged commit 5e22fbe into master Mar 16, 2026
6 checks passed
@Abrechen2 Abrechen2 deleted the security/pentest-fixes-0.30 branch March 16, 2026 19:47