fix: P0+P1 critical bug fixes across controller (24 files)
Concurrency fixes: - Deep-copy stacks in GetStack/GetStacks to prevent shared state mutation (C04) - Add per-state mutex to watchdog pathProbeState (C05) - Guard MetricsCollector.Start() with sync.Once against double-start (C06) - Hold diskJobMu across entire raw mount operation (C07) - Add mutex to SetEncryptionKey (C08), MigrateEncryption write lock (H03) - Use sync.Once for sync.Stop() channel close (H08) - Set syncing=true before releasing lock in TriggerSync (H09) - Deep-copy lastDBDump/lastBackup in GetFullStatus (H11) - Add WaitGroup for stderr goroutine in MigrateDrive (H19) - Add mutex to SetBackupRunningCheck (M18) Security fixes: - Validate Bearer token against Hub API key in CSRF middleware (H16) - Validate backup paths start with expected prefix in RemoveStack (M12) - Guard uuid[:8] slice with length check (H20) - Parse fstab fields exactly for mount target matching (H21) Bug fixes: - Use decrypted env vars for compose deploy (C01) - Log decrypt failures in DecryptMap instead of swallowing (C02) - Move Deployed=false inside lock in runComposeDeploy (C03) - Fix activeDrives() to skip disconnected drives (H02) - Fix Snapshot() stderr extraction from exec.ExitError (H01) - Check unlockCmd.Run() error in restic (H01) - Buffer template rendering via bytes.Buffer (H07) - Thread context.Context through cloudflare client (H10) - Fix leaf-name collision detection in cross-drive backup (H15) - Add nil check for crossDriveRunner (H17) - Use strings.TrimSpace instead of slice on command output (H18) - Make SaveAppConfig atomic with write-to-tmp+rename (H04) - Pass encKey on deploy failure SaveAppConfig (H05) - Fix IPv6 address format in TCP health probe Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -33,11 +33,15 @@ func (s *Server) CsrfProtect(next http.Handler) http.Handler {
|
||||
}
|
||||
|
||||
// Skip CSRF for Bearer-token authenticated requests.
|
||||
// These endpoints also accept session auth, but when a Bearer token
|
||||
// is present, the request is from a script/hub, not a browser.
|
||||
// Validate the token against the configured API key before skipping.
|
||||
if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
|
||||
next.ServeHTTP(w, r)
|
||||
return
|
||||
token := strings.TrimPrefix(auth, "Bearer ")
|
||||
apiKey := s.cfg.Hub.APIKey
|
||||
if apiKey != "" && subtle.ConstantTimeCompare([]byte(token), []byte(apiKey)) == 1 {
|
||||
next.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
// Invalid Bearer token — fall through to CSRF validation
|
||||
}
|
||||
|
||||
// Get the session's CSRF token
|
||||
|
||||
@@ -915,7 +915,7 @@ func (s *Server) buildAppBackupRows(
|
||||
}
|
||||
|
||||
// Destination health check — can downgrade green to yellow/red
|
||||
if cfg.DestinationPath != "" {
|
||||
if cfg.DestinationPath != "" && s.crossDriveRunner != nil {
|
||||
if err := s.crossDriveRunner.ValidateDestination(cfg.DestinationPath); err != nil {
|
||||
if strings.Contains(err.Error(), "does not exist") || strings.Contains(err.Error(), "not writable") {
|
||||
row.Status = "red"
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
package web
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"html/template"
|
||||
"log"
|
||||
@@ -391,11 +392,14 @@ func (s *Server) primaryHDDPath() string {
|
||||
}
|
||||
|
||||
func (s *Server) render(w http.ResponseWriter, name string, data interface{}) {
|
||||
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
||||
if err := s.tmpl.ExecuteTemplate(w, name, data); err != nil {
|
||||
var buf bytes.Buffer
|
||||
if err := s.tmpl.ExecuteTemplate(&buf, name, data); err != nil {
|
||||
s.logger.Printf("[ERROR] Template error (%s): %v", name, err)
|
||||
http.Error(w, "Internal error", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
||||
buf.WriteTo(w)
|
||||
}
|
||||
|
||||
// executeTemplate renders a template with CSRF data auto-injected into the data map.
|
||||
@@ -406,11 +410,14 @@ func (s *Server) executeTemplate(w http.ResponseWriter, r *http.Request, name st
|
||||
}
|
||||
data["CSRFField"] = s.csrfField(r)
|
||||
data["CSRFToken"] = s.csrfToken(r)
|
||||
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
||||
if err := s.tmpl.ExecuteTemplate(w, name, data); err != nil {
|
||||
var buf bytes.Buffer
|
||||
if err := s.tmpl.ExecuteTemplate(&buf, name, data); err != nil {
|
||||
s.logger.Printf("[ERROR] Template error (%s): %v", name, err)
|
||||
http.Error(w, "Internal error", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
||||
buf.WriteTo(w)
|
||||
}
|
||||
|
||||
// --- Static file / asset serving ---
|
||||
|
||||
@@ -915,22 +915,21 @@ func (s *Server) storageAttachMountRawHandler(w http.ResponseWriter, r *http.Req
|
||||
return
|
||||
}
|
||||
|
||||
// Clean up any previous raw mount first
|
||||
// Hold lock across entire cleanup+mount+set to prevent races
|
||||
s.diskJobMu.Lock()
|
||||
if s.activeRawMount != "" {
|
||||
_ = storage.CleanupRawMount(s.activeRawMount)
|
||||
s.activeRawMount = ""
|
||||
}
|
||||
s.diskJobMu.Unlock()
|
||||
|
||||
rawPath, err := storage.MountRaw(req.DevicePath)
|
||||
if err != nil {
|
||||
s.diskJobMu.Unlock()
|
||||
s.logger.Printf("[ERROR] storageAttachMountRaw: %v", err)
|
||||
jsonError(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
s.diskJobMu.Lock()
|
||||
s.activeRawMount = rawPath
|
||||
s.diskJobMu.Unlock()
|
||||
|
||||
|
||||
Reference in New Issue
Block a user