Skip to content

Security fixes v2#169

Open
Alanghj wants to merge 2 commits intocloudflare:mainfrom
Alanghj:security-fixes-v2
Open

Security fixes v2#169
Alanghj wants to merge 2 commits intocloudflare:mainfrom
Alanghj:security-fixes-v2

Conversation

@Alanghj
Copy link

@Alanghj Alanghj commented Feb 5, 2026

Summary

This PR addresses 17 security vulnerabilities identified in the codebase. All fixes maintain backwards compatibility.

Changes

🔐 Authentication & Authorization

# Issue Fix
1 CDP secret exposed in URL query params Added Authorization: Bearer header support (query param kept for backwards compatibility)
12 Authentication events not logged Added structured JSON logging for auth success/failure events

💉 Injection Vulnerabilities

# Issue Fix
2 SSRF in /debug/gateway-api Added whitelist of allowed paths
3 XSS in /debug/ws-test Validate host header with regex + JSON.stringify() for safe embedding
7 Command injection in device approval sanitizeRequestId() function + audit logging
14 CDP header injection (CRLF) Sanitize headers in Fetch.fulfillRequest

📁 Path Traversal

# Issue Fix
4 Arbitrary file access in CDP setFileInputFiles Validate paths against /root/clawd base directory
8 Path traversal in /_admin/assets Normalize path + check for .. in raw and decoded paths

🔓 Information Disclosure

# Issue Fix
6 Environment variable names logged Log only count, not names
11 Startup script logs secrets redactSecrets() function before logging
16 /debug/container-config exposes secrets redactSensitive() function for config output
17 CDP scripts pass secret in URL Use Authorization header in WebSocket options

🛡️ Rate Limiting & DoS Prevention

# Issue Fix
5 No rate limiting New middleware: 30 req/min (admin), 100 req/min (CDP)

🔒 Data Integrity & Race Conditions

# Issue Fix
10 TOCTOU in gateway/sync/mount In-memory locks (withGatewayLock, withSyncLock, withMountLock)
15 Sync without integrity verification SHA-256 checksum generation for synced config

🔧 Other

# Issue Fix
9 curl -k disables TLS verification Removed -k flag from Dockerfile
13 Cache poisoning risk Added Cache-Control: private, no-store + Vary headers

Files Changed

src/routes/cdp.ts              # Fixes #1, #4, #14 + rate limiting
src/routes/debug.ts            # Fixes #2, #3, #16
src/routes/api.ts              # Fix #7 (audit + command injection)
src/routes/public.ts           # Fix #8
src/auth/middleware.ts         # Fix #12
src/gateway/process.ts         # Fixes #6, #10
src/gateway/sync.ts            # Fixes #10, #15
src/gateway/r2.ts              # Fix #10
src/index.ts                   # Fix #13
src/middleware/ratelimit.ts    # Fix #5 (new file)
src/middleware/index.ts        # Fix #5 (new file)
Dockerfile                     # Fix #9
start-moltbot.sh               # Fix #11
skills/cloudflare-browser/scripts/cdp-client.js   # Fix #17
skills/cloudflare-browser/scripts/screenshot.js   # Fix #17
skills/cloudflare-browser/scripts/video.js        # Fix #17

@Alanghj
fix(security): apply 17 security vulnerability fixes
9f61a04 
This commit addresses multiple security vulnerabilities:

- CDP auth via Authorization header (cloudflare#1)
- SSRF whitelist in /debug/gateway-api (cloudflare#2)
- XSS fix in /debug/ws-test (cloudflare#3)
- Path traversal fixes (cloudflare#4, cloudflare#8)
- Rate limiting middleware (cloudflare#5)
- Env var names not logged (cloudflare#6)
- Command injection fix + audit logging (cloudflare#7)
- Dockerfile curl -k removed (cloudflare#9)
- Race condition locks (cloudflare#10)
- Secrets redaction in logs (cloudflare#11, cloudflare#16)
- Auth event logging (cloudflare#12)
- Cache poisoning prevention (cloudflare#13)
- CDP header injection fix (cloudflare#14)
- Sync integrity verification (cloudflare#15)
- CDP scripts use auth header (cloudflare#17)

All fixes maintain backwards compatibility.
@Alanghj
fix(security): apply 17 security vulnerability fixes
d9939d0 
- CDP auth via Authorization header (cloudflare#1)
- SSRF whitelist in /debug/gateway-api (cloudflare#2)
- XSS fix in /debug/ws-test (cloudflare#3)
- Path traversal fixes (cloudflare#4, cloudflare#8)
- Rate limiting middleware (cloudflare#5)
- Env var names not logged (cloudflare#6)
- Command injection fix + audit logging (cloudflare#7)
- Dockerfile curl -k removed (cloudflare#9)
- Race condition locks (cloudflare#10)
- Secrets redaction in logs (cloudflare#11, cloudflare#16)
- Auth event logging (cloudflare#12)
- Cache poisoning prevention (cloudflare#13)
- CDP header injection fix (cloudflare#14)
- Sync integrity verification (cloudflare#15)
- CDP scripts use auth header (cloudflare#17)

All fixes maintain backwards compatibility.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Alanghj