monoadmin/remotelink-docker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix critical and high security issues

Browse Source 
- exec_script: relay now enforces admin role before forwarding to agent
- relay CORS: restrict allow_origins via ALLOWED_ORIGINS env var (docker-compose passes app URL)
- session-code: replace Math.random() with crypto.randomInt, add per-key rate limit (10 req/min)
- sessions GET: fix IDOR — users can only read their own sessions (admins see all)
- signal API: validate session ownership on create; enforce ownerUserId on all subsequent actions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
monoadmin
2026-04-10 23:38:03 -07:00
parent e27d4cfa58
commit 27673daa63
5 changed files with 86 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
app/api/agent/session-code/route.ts
View File

@@ -2,16 +2,34 @@ import { db } from '@/lib/db'
import { machines, sessionCodes } from '@/lib/db/schema'
import { eq, and } from 'drizzle-orm'
import { NextRequest, NextResponse } from 'next/server'
import { randomInt } from 'crypto'
function generateSessionCode(): string {
const chars = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'
let code = ''
for (let i = 0; i < 6; i++) {
code += chars.charAt(Math.floor(Math.random() * chars.length))
code += chars.charAt(randomInt(chars.length))
}
return code
}
// Simple in-process rate limiter: max 10 requests per minute per access key
const rateLimitMap = new Map<string, { count: number; resetAt: number }>()
const RATE_LIMIT = 10
const RATE_WINDOW_MS = 60_000
function isRateLimited(key: string): boolean {
const now = Date.now()
const entry = rateLimitMap.get(key)
if (!entry || now >= entry.resetAt) {
rateLimitMap.set(key, { count: 1, resetAt: now + RATE_WINDOW_MS })
return false
}
if (entry.count >= RATE_LIMIT) return true
entry.count++
return false
}
export async function POST(request: NextRequest) {
try {
const { accessKey } = await request.json()
@@ -20,6 +38,10 @@ export async function POST(request: NextRequest) {
return NextResponse.json({ error: 'Access key required' }, { status: 400 })
}
if (isRateLimited(accessKey)) {
return NextResponse.json({ error: 'Too many requests' }, { status: 429 })
}
const machineResult = await db
.select()
.from(machines)

17
app/api/sessions/[id]/route.ts
View File

@@ -8,17 +8,22 @@ export async function GET(
_request: NextRequest,
{ params }: { params: Promise<{ id: string }> }
) {
const session = await auth()
if (!session?.user?.id) {
const authSession = await auth()
if (!authSession?.user?.id) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const { id } = await params
const isAdmin = (authSession.user as { role?: string }).role === 'admin'
const result = await db
.select()
.from(sessions)
.where(eq(sessions.id, id))
.where(
isAdmin
? eq(sessions.id, id)
: and(eq(sessions.id, id), eq(sessions.viewerUserId, authSession.user.id))
)
.limit(1)
if (!result[0]) {
@@ -32,8 +37,8 @@ export async function PATCH(
request: NextRequest,
{ params }: { params: Promise<{ id: string }> }
) {
const session = await auth()
if (!session?.user?.id) {
const authSession = await auth()
if (!authSession?.user?.id) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
@@ -47,7 +52,7 @@ export async function PATCH(
await db
.update(sessions)
.set(updates)
.where(and(eq(sessions.id, id), eq(sessions.viewerUserId, session.user.id)))
.where(and(eq(sessions.id, id), eq(sessions.viewerUserId, authSession.user.id)))
return NextResponse.json({ success: true })
}

40
app/api/signal/route.ts
View File

@@ -1,4 +1,7 @@
import { auth } from '@/auth'
import { db } from '@/lib/db'
import { sessions } from '@/lib/db/schema'
import { and, eq } from 'drizzle-orm'
import { NextRequest, NextResponse } from 'next/server'
// In-memory signaling store (use Redis for multi-instance deployments)
@@ -8,6 +11,7 @@ const signalingStore = new Map<string, {
viewerCandidates: RTCIceCandidateInit[]
hostCandidates: RTCIceCandidateInit[]
createdAt: number
ownerUserId: string
}>()
function cleanupOldSessions() {
@@ -19,48 +23,59 @@ function cleanupOldSessions() {
export async function POST(request: NextRequest) {
try {
const session = await auth()
if (!session?.user) {
const authSession = await auth()
if (!authSession?.user?.id) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = authSession.user.id
const { action, sessionId, data } = await request.json()
cleanupOldSessions()
switch (action) {
case 'create-session':
signalingStore.set(sessionId, { viewerCandidates: [], hostCandidates: [], createdAt: Date.now() })
case 'create-session': {
// Verify the sessionId corresponds to a real session owned by this user
const dbSession = await db
.select({ id: sessions.id })
.from(sessions)
.where(and(eq(sessions.id, sessionId), eq(sessions.viewerUserId, userId)))
.limit(1)
if (!dbSession[0]) {
return NextResponse.json({ error: 'Session not found' }, { status: 404 })
}
signalingStore.set(sessionId, { viewerCandidates: [], hostCandidates: [], createdAt: Date.now(), ownerUserId: userId })
return NextResponse.json({ success: true })
}
case 'send-offer': {
const s = signalingStore.get(sessionId)
if (!s) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
if (!s || s.ownerUserId !== userId) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
s.offer = data.offer
return NextResponse.json({ success: true })
}
case 'get-offer': {
const s = signalingStore.get(sessionId)
if (!s) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
if (!s || s.ownerUserId !== userId) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
return NextResponse.json({ offer: s.offer ?? null })
}
case 'send-answer': {
const s = signalingStore.get(sessionId)
if (!s) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
if (!s || s.ownerUserId !== userId) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
s.answer = data.answer
return NextResponse.json({ success: true })
}
case 'get-answer': {
const s = signalingStore.get(sessionId)
if (!s) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
if (!s || s.ownerUserId !== userId) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
return NextResponse.json({ answer: s.answer ?? null })
}
case 'send-ice-candidate': {
const s = signalingStore.get(sessionId)
if (!s) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
if (!s || s.ownerUserId !== userId) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
if (data.role === 'viewer') s.viewerCandidates.push(data.candidate)
else s.hostCandidates.push(data.candidate)
return NextResponse.json({ success: true })
@@ -68,16 +83,19 @@ export async function POST(request: NextRequest) {
case 'get-ice-candidates': {
const s = signalingStore.get(sessionId)
if (!s) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
if (!s || s.ownerUserId !== userId) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
const candidates = data.role === 'viewer' ? s.hostCandidates : s.viewerCandidates
if (data.role === 'viewer') s.hostCandidates = []
else s.viewerCandidates = []
return NextResponse.json({ candidates })
}
case 'close-session':
case 'close-session': {
const s = signalingStore.get(sessionId)
if (s && s.ownerUserId !== userId) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
signalingStore.delete(sessionId)
return NextResponse.json({ success: true })
}
default:
return NextResponse.json({ error: 'Unknown action' }, { status: 400 })