monoadmin/remotelink-docker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix critical and high security issues

Browse Source 
- exec_script: relay now enforces admin role before forwarding to agent
- relay CORS: restrict allow_origins via ALLOWED_ORIGINS env var (docker-compose passes app URL)
- session-code: replace Math.random() with crypto.randomInt, add per-key rate limit (10 req/min)
- sessions GET: fix IDOR — users can only read their own sessions (admins see all)
- signal API: validate session ownership on create; enforce ownerUserId on all subsequent actions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
monoadmin
2026-04-10 23:38:03 -07:00
parent e27d4cfa58
commit 27673daa63
5 changed files with 86 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
app/api/agent/session-code/route.ts
View File

@@ -2,16 +2,34 @@ import { db } from '@/lib/db'
import { machines, sessionCodes } from '@/lib/db/schema'
import { eq, and } from 'drizzle-orm'
import { NextRequest, NextResponse } from 'next/server'
import { randomInt } from 'crypto'
function generateSessionCode(): string {
const chars = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'
let code = ''
for (let i = 0; i < 6; i++) {
code += chars.charAt(Math.floor(Math.random() * chars.length))
code += chars.charAt(randomInt(chars.length))
}
return code
}
// Simple in-process rate limiter: max 10 requests per minute per access key
const rateLimitMap = new Map<string, { count: number; resetAt: number }>()
const RATE_LIMIT = 10
const RATE_WINDOW_MS = 60_000
function isRateLimited(key: string): boolean {
const now = Date.now()
const entry = rateLimitMap.get(key)
if (!entry || now >= entry.resetAt) {
rateLimitMap.set(key, { count: 1, resetAt: now + RATE_WINDOW_MS })
return false
}
if (entry.count >= RATE_LIMIT) return true
entry.count++
return false
}
export async function POST(request: NextRequest) {
try {
const { accessKey } = await request.json()
@@ -20,6 +38,10 @@ export async function POST(request: NextRequest) {
return NextResponse.json({ error: 'Access key required' }, { status: 400 })
}
if (isRateLimited(accessKey)) {
return NextResponse.json({ error: 'Too many requests' }, { status: 429 })
}
const machineResult = await db
.select()
.from(machines)