lobstakit-cloud 1.0.4 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/lib/config.js +2 -2
  2. package/package.json +1 -1
  3. package/server.js +4 -3
package/lib/config.js CHANGED
@@ -114,7 +114,7 @@ function writeConfig({ apiKey, model, channel, telegramBotToken, telegramUserId,
114
114
  }
115
115
  };
116
116
 
117
- fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), 'utf8');
117
+ fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), { encoding: 'utf8', mode: 0o600 });
118
118
  console.log('[config] Config written to', CONFIG_PATH);
119
119
  return config;
120
120
  }
@@ -126,7 +126,7 @@ function writeRawConfig(configObj) {
126
126
  if (!fs.existsSync(CONFIG_DIR)) {
127
127
  fs.mkdirSync(CONFIG_DIR, { recursive: true });
128
128
  }
129
- fs.writeFileSync(CONFIG_PATH, JSON.stringify(configObj, null, 2), 'utf8');
129
+ fs.writeFileSync(CONFIG_PATH, JSON.stringify(configObj, null, 2), { encoding: 'utf8', mode: 0o600 });
130
130
  console.log('[config] Raw config written to', CONFIG_PATH);
131
131
  }
132
132
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lobstakit-cloud",
3
- "version": "1.0.4",
3
+ "version": "1.0.6",
4
4
  "description": "LobstaKit Cloud — Setup wizard and management for LobstaCloud gateways",
5
5
  "main": "server.js",
6
6
  "bin": {
package/server.js CHANGED
@@ -1072,10 +1072,10 @@ app.post('/api/tailscale/connect', (req, res) => {
1072
1072
  return res.status(400).json({ error: 'Auth key is required' });
1073
1073
  }
1074
1074
 
1075
- // Validate auth key format (tskey-auth-...)
1076
- if (!authKey.startsWith('tskey-auth-') && !authKey.startsWith('tskey-')) {
1075
+ // Strict validation: Tailscale auth keys are alphanumeric + hyphens only (CRITICAL-1: prevent command injection)
1076
+ if (!/^tskey-auth-[a-zA-Z0-9-]+$/.test(authKey)) {
1077
1077
  return res.status(400).json({
1078
- error: 'Invalid auth key format. Tailscale auth keys start with tskey-auth-'
1078
+ error: 'Invalid auth key format. Tailscale auth keys start with tskey-auth- and contain only alphanumeric characters and hyphens.'
1079
1079
  });
1080
1080
  }
1081
1081
 
@@ -1102,6 +1102,7 @@ app.post('/api/tailscale/connect', (req, res) => {
1102
1102
 
1103
1103
  // Run tailscale up with the auth key
1104
1104
  try {
1105
+ // SAFE: authKey validated above with /^tskey-auth-[a-zA-Z0-9-]+$/ — no injection possible
1105
1106
  execSync(`tailscale up --authkey=${authKey} --accept-routes --accept-dns`, {
1106
1107
  stdio: 'pipe',
1107
1108
  timeout: 30000