Skip to content

fix(v2): harden the three deferred low-severity audit items#3

Merged
xxvcc merged 2 commits into
mainfrom
harden/audit-followups
Jul 8, 2026
Merged

fix(v2): harden the three deferred low-severity audit items#3
xxvcc merged 2 commits into
mainfrom
harden/audit-followups

Conversation

@xxvcc

@xxvcc xxvcc commented Jul 8, 2026

Copy link
Copy Markdown
Owner

Follow-up hardening for the three items deferred during the round-4 audit. All low-severity; each fixed with tests.

1. Upgrade redirect SSRF (selfmanage)

An upgrade HTTPS redirect is now refused if its host resolves to a private / reserved / loopback / link-local / CGNAT address — a compromised release host can no longer pivot the root-run fetch into an SSRF (e.g. 169.254.169.254 cloud metadata). The initial, operator-supplied --url is not restricted (that's the operator's choice), so a deliberate internal mirror still works; only attacker-influenced redirect targets are constrained. New isPublicIP / refusePrivateRedirect helpers + hermetic unit tests.

2. Orphaned systemd .service files (schedule)

Cancel previously kept the .service file and skipped daemon-reload whenever INVOCATION_ID was set — but that's true for any systemd scope (e.g. an SSH session), so a manual revoke left orphaned units behind. It now detects the firing auto-revoke service precisely via /proc/self/cgroup (injectable UnderUnit for tests). A genuine firing run still leaves its own .service (never deletes the file it's executing from); everything else cleans up fully.

3. SSH port hint selection (sysinfo)

With multiple Port directives in sshd_config, the config fallback now returns the first — consistent with sshPortFromSshdT (sshd -T, which returns the first) — instead of the last.

Verification

  • gofmt / go vet -printf.funcs=... clean; go build ./... OK.
  • Full suite green: unit + root/integration + -race, including with INVOCATION_ID set (mirrors CI).

Scope: v2 Go tool only. Documented under Unreleased in the CHANGELOG (no release cut yet).

🤖 Generated with Claude Code

xxvcc and others added 2 commits July 8, 2026 01:43
- selfmanage/upgrade: refuse an HTTPS redirect whose host resolves to a
  private/reserved/loopback/link-local/CGNAT address, so a hostile release
  host cannot pivot the root-run upgrade fetch into an SSRF (e.g. cloud
  metadata). The initial operator-supplied URL is not restricted, so an
  internal mirror still works. Adds isPublicIP/refusePrivateRedirect + tests.
- schedule/Cancel: detect the firing auto-revoke service precisely via
  /proc/self/cgroup (injectable UnderUnit) instead of the coarse INVOCATION_ID,
  which is set for any systemd scope; a manual revoke from a systemd-managed
  shell no longer orphans the unit's .service file. The firing run still leaves
  its own .service (never deletes the file it executes from).
- sysinfo/sshPortFromConfig: report the first Port directive (consistent with
  sshPortFromSshdT / sshd -T) instead of the last.

Full suite green (unit + root/integration + -race, incl. INVOCATION_ID set).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@xxvcc xxvcc merged commit 0e98b4a into main Jul 8, 2026
10 checks passed
@xxvcc xxvcc deleted the harden/audit-followups branch July 8, 2026 08:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant