
fix: harden input validation, authentication, and P2P broadcast verification#1704

Merged
Cabecinha84 merged 4 commits into development from security on Mar 26, 2026

Conversation

@Cabecinha84
Member

@Cabecinha84 Cabecinha84 commented Mar 24, 2026

Summary

A collection of security hardening fixes across several FluxOS subsystems:

  • Validate IP against confirmed fluxnode list before availability check — Ensure the target ip:port is a confirmed node on the network before making any outbound HTTP requests in isFluxAvailable, preventing SSRF-style abuse.
  • Use Number.isFinite for syncthing random string length validation — Replace unary + operator with Number.isFinite() to prevent NaN bypass of the length limit check in getSvcRandomString.
  • Add authentication to syncthing events endpoints — Add verifyPrivilege('adminandfluxteam') checks to getEvents and getEventsDisk to prevent unauthenticated access to syncthing event data.
  • Verify sender pubkey matches target node in P2P broadcast messages — Cross-reference the sender's public key against the node at the target IP in verifyFluxBroadcast, ensuring node operators can only broadcast messages about their own IP address.

Files changed

  • ZelBack/src/services/fluxCommunicationUtils.js
  • ZelBack/src/services/fluxNetworkHelper.js
  • ZelBack/src/services/syncthingService.js

@Cabecinha84 Cabecinha84 changed the title Security fix: harden input validation, authentication, and P2P broadcast verification Mar 24, 2026
…check

Ensure the target ip:port is a confirmed node on the network
before making any outbound HTTP requests in isFluxAvailable.

Replace unary + operator with Number.isFinite() to prevent NaN bypass
of the length limit check in getSvcRandomString.

Add verifyPrivilege('adminandfluxteam') checks to getEvents and
getEventsDisk to prevent unauthenticated access to syncthing event data.

Cross-reference the sender's public key against the node at the target
IP in verifyFluxBroadcast, ensuring node operators can only broadcast
messages about their own IP address.
Contributor

@MorningLightMountain713 MorningLightMountain713 left a comment


Ack

@Cabecinha84 Cabecinha84 merged commit 4157b60 into development Mar 26, 2026
2 checks passed
