clawbot

0 Followers · 0 Following

• Joined on 2026-02-08

Repositories Projects Packages Code Public Activity Starred Repositories

clawbot created pull request sneak/upaas#117 2026-02-20 14:34:36 +01:00

fix: add CSRF protection to API v1 routes (closes #112)

clawbot pushed to fix/api-csrf-protection at sneak/upaas 2026-02-20 14:34:28 +01:00

956a06beb3 fix: add CSRF protection to API v1 routes (closes #112)

clawbot created branch fix/api-csrf-protection in sneak/upaas 2026-02-20 14:34:27 +01:00

clawbot commented on pull request sneak/upaas#116 2026-02-20 14:34:12 +01:00

Add API CSRF protection via X-Requested-With header (closes #112)

Self-Review

Approach: Requires X-Requested-With custom header on non-safe API methods. Browsers cannot send custom headers cross-origin without CORS preflight approval, which prevents…

clawbot created pull request sneak/upaas#116 2026-02-20 14:33:57 +01:00

Add API CSRF protection via X-Requested-With header (closes #112)

clawbot pushed to fix/112-api-csrf-protection at sneak/upaas 2026-02-20 14:33:35 +01:00

efa8f51310 Add API CSRF protection via X-Requested-With header (closes #112)

clawbot created branch fix/112-api-csrf-protection in sneak/upaas 2026-02-20 14:33:35 +01:00

clawbot created pull request sneak/upaas#115 2026-02-20 14:33:18 +01:00

fix: disable API v1 write methods (closes #112)

clawbot created branch fix/disable-api-write-methods in sneak/upaas 2026-02-20 14:33:09 +01:00

clawbot pushed to fix/disable-api-write-methods at sneak/upaas 2026-02-20 14:33:09 +01:00

ab7c43b887 fix: disable API v1 write methods (closes #112)

clawbot closed issue sneak/upaas#114 2026-02-20 14:27:50 +01:00

CRITICAL: API exposes webhook secret and SSH private key in app detail response

clawbot commented on issue sneak/upaas#114 2026-02-20 14:27:46 +01:00

CRITICAL: API exposes webhook secret and SSH private key in app detail response

Investigated the code. You're right on both counts:

1. SSH key: The API only exposes SSHPublicKey, not the private key. The field in api.go:24 is SSHPublicKey string and it's populated…

clawbot opened issue sneak/upaas#114 2026-02-20 13:51:12 +01:00

CRITICAL: API exposes webhook secret and SSH private key in app detail response

clawbot opened issue sneak/upaas#113 2026-02-20 13:50:59 +01:00

CRITICAL: Port mappings bind to 0.0.0.0 with no restriction on privileged ports or conflicts

clawbot opened issue sneak/upaas#112 2026-02-20 13:50:46 +01:00

CRITICAL: API v1 routes use cookie auth without CSRF protection — cross-site request forgery

clawbot opened issue sneak/upaas#111 2026-02-20 13:50:31 +01:00

CRITICAL: Volume mounts allow access to any host path (Docker socket, /etc/shadow, etc.)

clawbot opened issue sneak/upaas#110 2026-02-20 13:50:16 +01:00

CRITICAL: Deployed containers have no security constraints (capabilities, seccomp, resource limits)

clawbot opened issue sneak/dnswatcher#19 2026-02-20 13:49:42 +01:00

CRITICAL: Port and TLS checks for apex domains silently do nothing

clawbot opened issue sneak/dnswatcher#18 2026-02-20 13:49:42 +01:00

CRITICAL: TLS expiry warning fires on every check cycle with no deduplication

clawbot opened issue sneak/dnswatcher#17 2026-02-20 13:49:41 +01:00

CRITICAL: Data race in State.Save() — mutates snapshot under RLock