sneak/upaas
1
0
Fork 0
Code Issues 9 Pull Requests 1 Actions Packages Projects Releases 1 Wiki Activity
Pulse Contributors Code Frequency Recent Commits

2025-03-11 - 2026-03-11
Period: 1 year
1 day 3 days 1 week 1 month 3 months 6 months 1 year

Overview

52 Active Pull Requests
102 Active Issues
51
Merged Pull Requests 1
Proposed Pull Request 93
Closed Issues 102
New Issues
Excluding merges, 2 authors have pushed 45 commits to main and 151 commits to all branches. On main, 90 files have changed and there have been 17227 additions and 2849 deletions.

1 Release published by 1 user

Published 1.0.0 MVP 2026-02-26 14:02:56 +01:00

51 Pull requests merged by 2 users

Merged #164 feat: add webhook event history UI page 2026-03-10 18:53:58 +01:00

Merged #159 fix: add missing Makefile targets (docker, hooks) and test timeout 2026-03-10 01:09:15 +01:00

Merged #160 fix: pass notification settings from create form to service 2026-03-10 01:01:33 +01:00

Merged #155 chore: add REPO_POLICIES compliance files 2026-03-03 18:07:44 +01:00

Merged #154 fix: add COPY --from=lint to builder stage to force lint execution 2026-03-01 23:46:52 +01:00

Merged #149 fix: change module path to sneak.berlin/go/upaas (closes #143) 2026-03-01 23:22:19 +01:00

Merged #152 Split Dockerfile into lint + build stages for faster CI feedback 2026-03-01 21:19:22 +01:00

Merged #148 tidy 2026-02-26 13:55:29 +01:00

Merged #147 Fix dashboard CSRFField crash (closes #146) 2026-02-26 12:07:43 +01:00

Merged #131 fix: simplify CI to docker build only (closes #130) 2026-02-26 11:53:14 +01:00

Merged #126 Fix 1.0 audit bugs (closes #120, closes #121, closes #122, closes #123, closes #124, closes #125) 2026-02-26 11:52:55 +01:00

Merged #129 Refactor: break up app.js into smaller modules 2026-02-26 10:59:03 +01:00

Merged #127 fix: use imageID in createAndStartContainer (closes #124) 2026-02-23 20:48:23 +01:00

Merged #119 fix: pin all external refs to cryptographic identity (closes #118) 2026-02-23 20:48:09 +01:00

Merged #115 fix: disable API v1 write methods (closes #112) 2026-02-20 14:35:13 +01:00

Merged #109 fix: resolve 1.0 audit bugs (closes #104, #105, #106, #107, #108) 2026-02-20 13:47:12 +01:00

Merged #100 ci: add Gitea Actions workflow for make check (closes #96) 2026-02-20 12:19:29 +01:00

Merged #95 chore: code cleanup and best practices (closes #45) 2026-02-20 11:59:32 +01:00

Merged #91 fix: validate repo URL format on app creation (closes #88) 2026-02-20 11:58:49 +01:00

Merged #102 Fix all main branch lint issues (closes #101) 2026-02-20 11:42:35 +01:00

Merged #99 revert: undo PR #98 (CI + linter config changes) 2026-02-20 05:37:50 +01:00

Merged #98 feat: add Gitea Actions CI for make check (closes #96) 2026-02-20 05:33:24 +01:00

Merged #93 fix: clean up orphan resources on deploy cancellation (closes #89) 2026-02-20 05:22:59 +01:00

Merged #92 fix: restrict CORS to configured origins (closes #40) 2026-02-20 05:11:33 +01:00

Merged #74 feat: add JSON API with token auth (closes #69) 2026-02-16 09:51:48 +01:00

Merged #65 chore: remove TODO.md — all items tracked as Gitea issues 2026-02-16 09:51:14 +01:00

Merged #77 feat: edit existing env vars, labels, and volume mounts (closes #67) 2026-02-16 09:33:47 +01:00

Merged #55 Update TODO.md with current status (closes #54) 2026-02-16 09:26:16 +01:00

Merged #75 feat: deployment rollback to previous image (closes #71) 2026-02-16 09:25:34 +01:00

Merged #73 feat: add user-facing deployment cancel endpoint (closes #66) 2026-02-16 09:19:00 +01:00

Merged #52 fix: cancel in-progress deploy when webhook triggers new deploy (closes #38) 2026-02-16 09:06:41 +01:00

Merged #51 Fix all golangci-lint issues (closes #32) 2026-02-16 09:06:09 +01:00

Merged #50 fix: set DestroySession MaxAge to -1 instead of -1*time.Second (closes #39) 2026-02-16 07:09:26 +01:00

Merged #49 Add server-side app name validation (closes #37) 2026-02-16 07:07:48 +01:00

Merged #48 fix: buffer template execution to prevent corrupt HTML responses (closes #42) 2026-02-16 07:05:45 +01:00

Merged #46 perf: adaptive frontend polling intervals (closes #43) 2026-02-16 07:03:47 +01:00

Merged #47 fix: only trust proxy headers from RFC1918/loopback sources (closes #44) 2026-02-16 07:03:23 +01:00

Merged #34 Fix all golangci-lint issues (closes #32) 2026-02-16 06:57:20 +01:00

Merged #33 fix: validate and clamp container log tail parameter (closes #24) 2026-02-16 06:51:35 +01:00

Merged #31 fix: prevent setup endpoint race condition (closes #26) 2026-02-16 06:45:02 +01:00

Merged #29 Fix command injection in git clone arguments (closes #18) 2026-02-16 06:38:30 +01:00

Merged #30 fix: validate port range 1-65535 in parsePortValues (closes #25) 2026-02-16 06:36:44 +01:00

Merged #9 Wait for final log flush before closing deploymentLogWriter (closes #4) 2026-02-16 06:29:18 +01:00

Merged #14 Add rate limiting to login endpoint to prevent brute force (closes #12) 2026-02-16 06:15:49 +01:00

Merged #28 Add ownership verification on resource deletion (closes #19) 2026-02-16 06:12:52 +01:00

Merged #10 Set Secure flag on session cookie in production mode (closes #5) 2026-02-16 05:58:22 +01:00

Merged #7 Clean up Docker container when deleting an app (closes #2) 2026-02-16 05:56:57 +01:00

Merged #6 Limit webhook request body size to 1MB to prevent DoS (closes #1) 2026-02-16 05:56:14 +01:00

Merged #15 Use hashed webhook secrets for constant-time comparison (closes #13) 2026-02-16 05:55:46 +01:00

Merged #16 Add CSRF protection to state-changing POST endpoints (closes #11) 2026-02-16 05:53:38 +01:00

Merged #27 rewrite log viewer panes (closes #17) 2026-02-16 05:51:12 +01:00

1 Pull request proposed by 1 user

Proposed #158 feat: monolithic env var editing with bulk save 2026-03-06 12:38:33 +01:00

93 Issues closed from 2 users

Closed #85 FEATURE: Webhook event history UI 2026-03-10 18:54:28 +01:00

Closed #136 Makefile missing required targets: fmt-check, docker, hooks 2026-03-10 01:09:16 +01:00

Closed #137 make test missing 30-second timeout 2026-03-10 01:09:16 +01:00

Closed #157 bug: app slack/ntfy settings are not saved or properly displayed on edit 2026-03-10 01:01:33 +01:00

Closed #132 Missing .gitignore file 2026-03-03 18:07:45 +01:00

Closed #133 Missing .editorconfig file 2026-03-03 18:07:45 +01:00

Closed #134 Missing REPO_POLICIES.md 2026-03-03 18:07:45 +01:00

Closed #135 Missing .dockerignore file 2026-03-03 18:07:45 +01:00

Closed #153 Dockerfile lint stage is skipped by BuildKit (unreferenced stage) 2026-03-01 23:46:53 +01:00

Closed #151 Split Dockerfile into lint + build stages for faster CI feedback 2026-03-01 21:19:22 +01:00

Closed #145 POLICY: make fmt uses npx instead of yarn for prettier 2026-02-26 14:58:00 +01:00

Closed #144 POLICY: make test missing 30-second timeout 2026-02-26 14:57:58 +01:00

Closed #143 POLICY: Go module path should be sneak.berlin/go/upaas 2026-02-26 14:57:57 +01:00

Closed #142 POLICY: Makefile missing required targets (fmt-check, docker, hooks) 2026-02-26 14:57:56 +01:00

Closed #141 POLICY: Missing REPO_POLICIES.md in repo root 2026-02-26 14:57:54 +01:00

Closed #140 POLICY: Missing .dockerignore 2026-02-26 14:57:53 +01:00

Closed #139 POLICY: Missing .editorconfig 2026-02-26 14:57:52 +01:00

Closed #138 POLICY: Missing .gitignore 2026-02-26 14:57:50 +01:00

Closed #86 FEATURE: Settings page (webhook secret, SSH public key) 2026-02-26 14:56:53 +01:00

Closed #146 CRITICAL: error in template prevents login 2026-02-26 12:07:43 +01:00

Closed #130 the gitea action doesn't comply with repo policies. 2026-02-26 11:53:14 +01:00

Closed #125 LOW: applyMigration deferred rollback skipped when Commit() fails 2026-02-26 11:52:55 +01:00

Closed #123 LOW: GetBuildDir parameter named appID but always called with app.Name 2026-02-26 11:52:55 +01:00

Closed #122 HIGH: No size limit on deployment logs stored in SQLite 2026-02-26 11:52:55 +01:00

Closed #121 HIGH: Template rendering bypass in HandleAppCreate/HandleAppUpdate can produce partial HTML 2026-02-26 11:52:55 +01:00

Closed #120 CRITICAL: docker-compose.yml missing HOST_DATA_DIR — git clone fails in containerized deployment 2026-02-26 11:52:55 +01:00

Closed #128 Refactor: break up app.js into smaller modules 2026-02-26 10:59:03 +01:00

Closed #124 LOW: createAndStartContainer has unused imageID parameter 2026-02-23 20:48:23 +01:00

Closed #118 CRITICAL: rce in docker build 2026-02-23 20:48:09 +01:00

Closed #112 CRITICAL: API v1 routes use cookie auth without CSRF protection — cross-site request forgery 2026-02-20 14:35:13 +01:00

Closed #110 CRITICAL: Deployed containers have no security constraints (capabilities, seccomp, resource limits) 2026-02-20 14:29:15 +01:00

Closed #111 CRITICAL: Volume mounts allow access to any host path (Docker socket, /etc/shadow, etc.) 2026-02-20 14:28:44 +01:00

Closed #114 CRITICAL: API exposes webhook secret and SSH private key in app detail response 2026-02-20 14:27:50 +01:00

Closed #113 CRITICAL: Port mappings bind to 0.0.0.0 with no restriction on privileged ports or conflicts 2026-02-20 14:27:43 +01:00

Closed #108 BUG: SetupRequired middleware blocks /health, /s/*, and /api/* before initial setup 2026-02-20 13:47:14 +01:00

Closed #107 BUG: HandleVolumeAdd missing path validation — path traversal possible on volume creation 2026-02-20 13:47:14 +01:00

Closed #106 BUG: API delete endpoint does not stop/remove Docker container — orphaned containers 2026-02-20 13:47:14 +01:00

Closed #105 BUG: API deploy handler uses request context — deployment cancelled on client disconnect 2026-02-20 13:47:14 +01:00

Closed #104 BUG: HandleEnvVarDelete uses wrong route parameter name — env var deletion always 404s 2026-02-20 13:47:12 +01:00

Closed #103 Add branch protection to main branch 2026-02-20 12:22:09 +01:00

Closed #96 needs actions for code standard checks 2026-02-20 12:19:30 +01:00

Closed #45 Code cleanup: minor best practice improvements for 1.0 2026-02-20 11:59:32 +01:00

Closed #88 1.0: Validate repo URL format on app creation 2026-02-20 11:58:49 +01:00

Closed #87 1.0: API token authentication (bearer token support) 2026-02-20 11:43:11 +01:00

Closed #101 CRITICAL: main branch build failure 2026-02-20 11:42:35 +01:00

Closed #89 1.0: Cancelled deployments may leave orphan Docker resources 2026-02-20 05:22:59 +01:00

Closed #40 SECURITY: CORS allows all origins (*) — review for CSRF implications 2026-02-19 22:46:14 +01:00

Closed #82 FEATURE: Multi-user support with roles 2026-02-19 22:44:49 +01:00

Closed #83 FEATURE: Scheduled deployments 2026-02-19 22:44:32 +01:00

Closed #90 1.0: Improve test coverage for HTTP handlers 2026-02-19 22:42:14 +01:00

Closed #64 Observability improvements (structured logging, metrics, audit log) 2026-02-19 22:40:00 +01:00

Closed #63 Multi-user support with roles 2026-02-19 22:39:59 +01:00

Closed #61 GitHub/GitLab webhook support 2026-02-19 22:39:58 +01:00

Closed #60 Webhook event history UI 2026-02-19 22:39:58 +01:00

Closed #59 Resource limits - CPU/memory (Phase 4.2) 2026-02-19 22:39:57 +01:00

Closed #58 Deployment rollback (Phase 3.2) 2026-02-19 22:39:48 +01:00

Closed #62 Real-time deployment log streaming (WebSocket/SSE) 2026-02-19 22:39:48 +01:00

Closed #57 Edit existing env vars, labels, and volumes (Phase 3.1) 2026-02-19 22:39:47 +01:00

Closed #56 JSON API (Phase 4.1) 2026-02-19 22:39:46 +01:00

Closed #69 FEATURE: JSON API (/api/v1) 2026-02-16 09:51:48 +01:00

Closed #67 FEATURE: Edit existing env vars, labels, and volume mounts 2026-02-16 09:33:49 +01:00

Closed #54 update TODO.md 2026-02-16 09:26:17 +01:00

Closed #71 FEATURE: Deployment rollback 2026-02-16 09:25:35 +01:00

Closed #70 FEATURE: Real-time deployment log streaming (WebSocket/SSE) 2026-02-16 09:20:26 +01:00

Closed #66 FEATURE: User-facing deployment cancellation endpoint 2026-02-16 09:19:01 +01:00

Closed #38 BUG: Race condition between manual deploy and webhook deploy on same app 2026-02-16 09:06:41 +01:00

Closed #39 BUG: DestroySession sets MaxAge to -1 second instead of -1 2026-02-16 07:09:26 +01:00

Closed #35 SECURITY: No validation on volume host paths allows arbitrary filesystem access 2026-02-16 07:09:03 +01:00

Closed #37 BUG: App name not validated server-side, only client-side HTML pattern 2026-02-16 07:07:48 +01:00

Closed #42 BUG: Template execution errors result in corrupt HTML responses 2026-02-16 07:05:45 +01:00

Closed #43 PERF: Frontend polls 4 endpoints every 1 second regardless of deployment state 2026-02-16 07:03:47 +01:00

Closed #44 SECURITY: realIP trusts X-Forwarded-For/X-Real-IP headers unconditionally 2026-02-16 07:03:23 +01:00

Closed #41 SECURITY: Error messages from Go errors displayed unescaped could leak internals 2026-02-16 07:01:53 +01:00

Closed #36 SECURITY: Webhook secret exposed in plain text in app detail page and request logs 2026-02-16 07:01:37 +01:00

Closed #32 Fix all golangci-lint issues 2026-02-16 06:57:20 +01:00

Closed #24 LOW: Container log tail parameter not validated — passed directly to Docker API 2026-02-16 06:51:35 +01:00

Closed #26 MEDIUM: Setup endpoint race condition — multiple admin users can be created 2026-02-16 06:45:02 +01:00

Closed #18 CRITICAL: Command injection via branch/repoURL/commitSHA in git clone 2026-02-16 06:38:30 +01:00

Closed #25 MEDIUM: Port validation allows ports above 65535 2026-02-16 06:36:44 +01:00

Closed #22 MEDIUM: Session cookie missing Secure flag — transmitted over HTTP 2026-02-16 06:34:21 +01:00

Closed #23 MEDIUM: deploymentLogWriter.Close() doesn't wait for flush goroutine — data loss 2026-02-16 06:33:48 +01:00

Closed #21 MEDIUM: Unbounded request body read in webhook handler — denial of service 2026-02-16 06:32:16 +01:00

Closed #4 Bug: deploymentLogWriter.Close() does not wait for final flush to complete 2026-02-16 06:29:18 +01:00

Closed #3 Bug: EnvVar/Label/Volume/Port deletion does not verify resource belongs to the app in URL (IDOR) 2026-02-16 06:28:38 +01:00

Closed #12 Bug: No rate limiting on login endpoint allows brute force 2026-02-16 06:15:49 +01:00

Closed #19 HIGH: Missing ownership verification on env var, label, volume, and port deletion 2026-02-16 06:12:53 +01:00

Closed #5 Bug: Session cookie missing Secure flag, sent over HTTP in production 2026-02-16 05:58:22 +01:00

Closed #2 Bug: Deleting an app does not stop/remove its Docker container 2026-02-16 05:56:57 +01:00

Closed #1 Bug: Webhook endpoint reads request body without size limit (DoS vector) 2026-02-16 05:56:14 +01:00

Closed #13 Bug: Webhook secret lookup via SQL is not constant-time (timing side-channel) 2026-02-16 05:55:46 +01:00

Closed #11 Bug: No CSRF protection on state-changing POST endpoints 2026-02-16 05:53:38 +01:00

Closed #17 Log viewer panes are not scrollable and build log does not auto-scroll 2026-02-16 05:51:12 +01:00

Closed #20 HIGH: Arbitrary host path mount via volume add — no path validation 2026-02-16 05:48:18 +01:00

102 Issues created by 2 users

Opened #1 Bug: Webhook endpoint reads request body without size limit (DoS vector) 2026-02-08 21:01:04 +01:00

Opened #2 Bug: Deleting an app does not stop/remove its Docker container 2026-02-08 21:01:04 +01:00

Opened #3 Bug: EnvVar/Label/Volume/Port deletion does not verify resource belongs to the app in URL (IDOR) 2026-02-08 21:01:05 +01:00

Opened #4 Bug: deploymentLogWriter.Close() does not wait for final flush to complete 2026-02-08 21:01:06 +01:00

Opened #5 Bug: Session cookie missing Secure flag, sent over HTTP in production 2026-02-08 21:01:06 +01:00

Opened #11 Bug: No CSRF protection on state-changing POST endpoints 2026-02-15 23:01:49 +01:00

Opened #12 Bug: No rate limiting on login endpoint allows brute force 2026-02-15 23:01:49 +01:00

Opened #13 Bug: Webhook secret lookup via SQL is not constant-time (timing side-channel) 2026-02-15 23:01:50 +01:00

Opened #17 Log viewer panes are not scrollable and build log does not auto-scroll 2026-02-16 05:45:53 +01:00

Opened #18 CRITICAL: Command injection via branch/repoURL/commitSHA in git clone 2026-02-16 05:47:09 +01:00

Opened #19 HIGH: Missing ownership verification on env var, label, volume, and port deletion 2026-02-16 05:47:10 +01:00

Opened #20 HIGH: Arbitrary host path mount via volume add — no path validation 2026-02-16 05:47:10 +01:00

Opened #21 MEDIUM: Unbounded request body read in webhook handler — denial of service 2026-02-16 05:47:11 +01:00

Opened #22 MEDIUM: Session cookie missing Secure flag — transmitted over HTTP 2026-02-16 05:47:12 +01:00

Opened #23 MEDIUM: deploymentLogWriter.Close() doesn't wait for flush goroutine — data loss 2026-02-16 05:47:12 +01:00

Opened #24 LOW: Container log tail parameter not validated — passed directly to Docker API 2026-02-16 05:47:13 +01:00

Opened #25 MEDIUM: Port validation allows ports above 65535 2026-02-16 05:47:14 +01:00

Opened #26 MEDIUM: Setup endpoint race condition — multiple admin users can be created 2026-02-16 05:47:14 +01:00

Opened #32 Fix all golangci-lint issues 2026-02-16 06:46:18 +01:00

Opened #35 SECURITY: No validation on volume host paths allows arbitrary filesystem access 2026-02-16 06:56:31 +01:00

Opened #36 SECURITY: Webhook secret exposed in plain text in app detail page and request logs 2026-02-16 06:56:32 +01:00

Opened #37 BUG: App name not validated server-side, only client-side HTML pattern 2026-02-16 06:56:32 +01:00

Opened #38 BUG: Race condition between manual deploy and webhook deploy on same app 2026-02-16 06:56:33 +01:00

Opened #39 BUG: DestroySession sets MaxAge to -1 second instead of -1 2026-02-16 06:56:34 +01:00

Opened #40 SECURITY: CORS allows all origins (*) — review for CSRF implications 2026-02-16 06:56:34 +01:00

Opened #41 SECURITY: Error messages from Go errors displayed unescaped could leak internals 2026-02-16 06:56:35 +01:00

Opened #42 BUG: Template execution errors result in corrupt HTML responses 2026-02-16 06:56:36 +01:00

Opened #43 PERF: Frontend polls 4 endpoints every 1 second regardless of deployment state 2026-02-16 06:56:36 +01:00

Opened #44 SECURITY: realIP trusts X-Forwarded-For/X-Real-IP headers unconditionally 2026-02-16 06:56:37 +01:00

Opened #45 Code cleanup: minor best practice improvements for 1.0 2026-02-16 06:57:15 +01:00

Opened #54 update TODO.md 2026-02-16 09:09:49 +01:00

Opened #56 JSON API (Phase 4.1) 2026-02-16 09:12:10 +01:00

Opened #57 Edit existing env vars, labels, and volumes (Phase 3.1) 2026-02-16 09:12:11 +01:00

Opened #58 Deployment rollback (Phase 3.2) 2026-02-16 09:12:12 +01:00

Opened #59 Resource limits - CPU/memory (Phase 4.2) 2026-02-16 09:12:12 +01:00

Opened #60 Webhook event history UI 2026-02-16 09:12:13 +01:00

Opened #61 GitHub/GitLab webhook support 2026-02-16 09:12:14 +01:00

Opened #62 Real-time deployment log streaming (WebSocket/SSE) 2026-02-16 09:12:14 +01:00

Opened #63 Multi-user support with roles 2026-02-16 09:12:15 +01:00

Opened #64 Observability improvements (structured logging, metrics, audit log) 2026-02-16 09:12:16 +01:00

Opened #66 FEATURE: User-facing deployment cancellation endpoint 2026-02-16 09:12:45 +01:00

Opened #67 FEATURE: Edit existing env vars, labels, and volume mounts 2026-02-16 09:12:45 +01:00

Opened #68 FEATURE: GitHub and GitLab webhook support 2026-02-16 09:12:46 +01:00

Opened #69 FEATURE: JSON API (/api/v1) 2026-02-16 09:12:46 +01:00

Opened #70 FEATURE: Real-time deployment log streaming (WebSocket/SSE) 2026-02-16 09:12:46 +01:00

Opened #71 FEATURE: Deployment rollback 2026-02-16 09:12:46 +01:00

Opened #72 FEATURE: CPU/memory resource limits per app 2026-02-16 09:12:46 +01:00

Opened #79 FEATURE: Backup/restore of app configurations 2026-02-16 09:35:10 +01:00

Opened #80 FEATURE: Private Docker registry authentication 2026-02-16 09:35:10 +01:00

Opened #81 FEATURE: Custom health check commands per app 2026-02-16 09:35:10 +01:00

Opened #82 FEATURE: Multi-user support with roles 2026-02-16 09:35:10 +01:00

Opened #83 FEATURE: Scheduled deployments 2026-02-16 09:35:10 +01:00

Opened #84 FEATURE: Observability improvements (structured logging, metrics, audit log) 2026-02-16 09:35:10 +01:00

Opened #85 FEATURE: Webhook event history UI 2026-02-16 09:35:10 +01:00

Opened #86 FEATURE: Settings page (webhook secret, SSH public key) 2026-02-16 09:35:10 +01:00

Opened #87 1.0: API token authentication (bearer token support) 2026-02-19 22:39:46 +01:00

Opened #88 1.0: Validate repo URL format on app creation 2026-02-19 22:39:49 +01:00

Opened #89 1.0: Cancelled deployments may leave orphan Docker resources 2026-02-19 22:39:50 +01:00

Opened #90 1.0: Improve test coverage for HTTP handlers 2026-02-19 22:39:50 +01:00

Opened #96 needs actions for code standard checks 2026-02-20 05:21:49 +01:00

Opened #101 CRITICAL: main branch build failure 2026-02-20 11:39:42 +01:00

Opened #103 Add branch protection to main branch 2026-02-20 11:59:56 +01:00

Opened #104 BUG: HandleEnvVarDelete uses wrong route parameter name — env var deletion always 404s 2026-02-20 12:27:58 +01:00

Opened #105 BUG: API deploy handler uses request context — deployment cancelled on client disconnect 2026-02-20 12:28:13 +01:00

Opened #106 BUG: API delete endpoint does not stop/remove Docker container — orphaned containers 2026-02-20 12:28:26 +01:00

Opened #107 BUG: HandleVolumeAdd missing path validation — path traversal possible on volume creation 2026-02-20 12:28:40 +01:00

Opened #108 BUG: SetupRequired middleware blocks /health, /s/*, and /api/* before initial setup 2026-02-20 12:28:56 +01:00

Opened #110 CRITICAL: Deployed containers have no security constraints (capabilities, seccomp, resource limits) 2026-02-20 13:50:16 +01:00

Opened #111 CRITICAL: Volume mounts allow access to any host path (Docker socket, /etc/shadow, etc.) 2026-02-20 13:50:31 +01:00

Opened #112 CRITICAL: API v1 routes use cookie auth without CSRF protection — cross-site request forgery 2026-02-20 13:50:46 +01:00

Opened #113 CRITICAL: Port mappings bind to 0.0.0.0 with no restriction on privileged ports or conflicts 2026-02-20 13:50:59 +01:00

Opened #114 CRITICAL: API exposes webhook secret and SSH private key in app detail response 2026-02-20 13:51:12 +01:00

Opened #118 CRITICAL: rce in docker build 2026-02-20 19:43:09 +01:00

Opened #120 CRITICAL: docker-compose.yml missing HOST_DATA_DIR — git clone fails in containerized deployment 2026-02-21 09:51:40 +01:00

Opened #121 HIGH: Template rendering bypass in HandleAppCreate/HandleAppUpdate can produce partial HTML 2026-02-21 09:51:51 +01:00

Opened #122 HIGH: No size limit on deployment logs stored in SQLite 2026-02-21 09:52:03 +01:00

Opened #123 LOW: GetBuildDir parameter named appID but always called with app.Name 2026-02-21 09:52:19 +01:00

Opened #124 LOW: createAndStartContainer has unused imageID parameter 2026-02-21 09:52:27 +01:00

Opened #125 LOW: applyMigration deferred rollback skipped when Commit() fails 2026-02-21 09:52:36 +01:00

Opened #128 Refactor: break up app.js into smaller modules 2026-02-23 20:51:05 +01:00

Opened #130 the gitea action doesn't comply with repo policies. 2026-02-26 11:08:25 +01:00

Opened #132 Missing .gitignore file 2026-02-26 11:10:07 +01:00

Opened #133 Missing .editorconfig file 2026-02-26 11:10:08 +01:00

Opened #134 Missing REPO_POLICIES.md 2026-02-26 11:10:09 +01:00

Opened #135 Missing .dockerignore file 2026-02-26 11:10:10 +01:00

Opened #136 Makefile missing required targets: fmt-check, docker, hooks 2026-02-26 11:10:10 +01:00

Opened #137 make test missing 30-second timeout 2026-02-26 11:10:11 +01:00

Opened #138 POLICY: Missing .gitignore 2026-02-26 11:10:38 +01:00

Opened #139 POLICY: Missing .editorconfig 2026-02-26 11:10:39 +01:00

Opened #140 POLICY: Missing .dockerignore 2026-02-26 11:10:39 +01:00

Opened #141 POLICY: Missing REPO_POLICIES.md in repo root 2026-02-26 11:10:40 +01:00

Opened #142 POLICY: Makefile missing required targets (fmt-check, docker, hooks) 2026-02-26 11:10:41 +01:00

Opened #143 POLICY: Go module path should be sneak.berlin/go/upaas 2026-02-26 11:10:41 +01:00

Opened #144 POLICY: make test missing 30-second timeout 2026-02-26 11:10:42 +01:00

Opened #145 POLICY: make fmt uses npx instead of yarn for prettier 2026-02-26 11:10:43 +01:00

Opened #146 CRITICAL: error in template prevents login 2026-02-26 11:54:05 +01:00

Opened #151 Split Dockerfile into lint + build stages for faster CI feedback 2026-03-01 19:27:09 +01:00

Opened #153 Dockerfile lint stage is skipped by BuildKit (unreferenced stage) 2026-03-01 23:21:08 +01:00

Opened #156 getting a 404 trying to change env vars from app page 2026-03-06 12:29:18 +01:00

Opened #157 bug: app slack/ntfy settings are not saved or properly displayed on edit 2026-03-06 12:36:23 +01:00

Opened #161 Run make fmt on JS static files 2026-03-10 00:59:58 +01:00

Opened #163 Redesign env var editing to use monolithic list approach 2026-03-10 01:09:00 +01:00