Merge pull request 'fix: resolve 1.0 audit bugs (closes #104, #105, #106, #107, #108)' (#109) from fix/1.0-audit-bugs into main

Reviewed-on: #109

.gitea/workflows/check.yml

@@ -0,0 +1,26 @@
+name: Check
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version-file: go.mod
+
+      - name: Install golangci-lint
+        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@5d1e709b7be35cb2025444e19de266b056b7b7ee # v2.10.1
+
+      - name: Install goimports
+        run: go install golang.org/x/tools/cmd/goimports@009367f5c17a8d4c45a961a3a509277190a9a6f0 # v0.42.0
+
+      - name: Run make check
+        run: make check

internal/handlers/api.go

@@ -1,6 +1,7 @@
 package handlers
 
 import (
+	"context"
 	"encoding/json"
 	"net/http"
 	"strconv"
@@ -175,9 +176,8 @@ func (h *Handlers) HandleAPIGetApp() http.HandlerFunc {
 	}
 }
 
-// HandleAPICreateApp returns a handler that creates a new app.
+// apiCreateRequest is the JSON body for creating an app via the API.
-func (h *Handlers) HandleAPICreateApp() http.HandlerFunc {
+type apiCreateRequest struct {
-	type createRequest struct {
 	Name           string `json:"name"`
 	RepoURL        string `json:"repoUrl"`
 	Branch         string `json:"branch"`
@@ -185,10 +185,32 @@ func (h *Handlers) HandleAPICreateApp() http.HandlerFunc {
 	DockerNetwork  string `json:"dockerNetwork"`
 	NtfyTopic      string `json:"ntfyTopic"`
 	SlackWebhook   string `json:"slackWebhook"`
+}
+
+// validateCreateRequest validates the fields of an API create app request.
+// Returns an error message string or empty string if valid.
+func validateCreateRequest(req *apiCreateRequest) string {
+	if req.Name == "" || req.RepoURL == "" {
+		return "name and repo_url are required"
 	}
 
+	nameErr := validateAppName(req.Name)
+	if nameErr != nil {
+		return "invalid app name: " + nameErr.Error()
+	}
+
+	repoURLErr := validateRepoURL(req.RepoURL)
+	if repoURLErr != nil {
+		return "invalid repository URL: " + repoURLErr.Error()
+	}
+
+	return ""
+}
+
+// HandleAPICreateApp returns a handler that creates a new app.
+func (h *Handlers) HandleAPICreateApp() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
-		var req createRequest
+		var req apiCreateRequest
 
 		decodeErr := json.NewDecoder(request.Body).Decode(&req)
 		if decodeErr != nil {
@@ -199,27 +221,9 @@ func (h *Handlers) HandleAPICreateApp() http.HandlerFunc {
 			return
 		}
 
-		if req.Name == "" || req.RepoURL == "" {
+		if errMsg := validateCreateRequest(&req); errMsg != "" {
 			h.respondJSON(writer, request,
-				map[string]string{"error": "name and repo_url are required"},
+				map[string]string{"error": errMsg},
-				http.StatusBadRequest)
-
-			return
-		}
-
-		nameErr := validateAppName(req.Name)
-		if nameErr != nil {
-			h.respondJSON(writer, request,
-				map[string]string{"error": "invalid app name: " + nameErr.Error()},
-				http.StatusBadRequest)
-
-			return
-		}
-
-		repoURLErr := validateRepoURL(req.RepoURL)
-		if repoURLErr != nil {
-			h.respondJSON(writer, request,
-				map[string]string{"error": "invalid repository URL: " + repoURLErr.Error()},
 				http.StatusBadRequest)
 
 			return
@@ -269,6 +273,9 @@ func (h *Handlers) HandleAPIDeleteApp() http.HandlerFunc {
 			return
 		}
 
+		// Stop and remove the Docker container before deleting the DB record
+		h.cleanupContainer(request.Context(), appID, application.Name)
+
 		deleteErr := h.appService.DeleteApp(request.Context(), application)
 		if deleteErr != nil {
 			h.log.Error("api: failed to delete app", "error", deleteErr)
@@ -344,7 +351,11 @@ func (h *Handlers) HandleAPITriggerDeploy() http.HandlerFunc {
 			return
 		}
 
-		deployErr := h.deploy.Deploy(request.Context(), application, nil, true)
+		// Use a detached context so the deployment continues even if the
+		// HTTP client disconnects.
+		deployCtx := context.WithoutCancel(request.Context())
+
+		deployErr := h.deploy.Deploy(deployCtx, application, nil, true)
 		if deployErr != nil {
 			h.log.Error("api: failed to trigger deploy", "error", deployErr)
 			h.respondJSON(writer, request,

internal/handlers/app.go

@@ -518,7 +518,7 @@ func (h *Handlers) HandleAppLogs() http.HandlerFunc {
 			return
 		}
 
-		_, _ = writer.Write([]byte(logs)) // #nosec G705 -- Content-Type is text/plain, no XSS risk
+		_, _ = writer.Write([]byte(SanitizeLogs(logs))) // #nosec G705 -- logs sanitized, Content-Type is text/plain
 	}
 }
 
@@ -553,7 +553,7 @@ func (h *Handlers) HandleDeploymentLogsAPI() http.HandlerFunc {
 
 		logs := ""
 		if deployment.Logs.Valid {
-			logs = deployment.Logs.String
+			logs = SanitizeLogs(deployment.Logs.String)
 		}
 
 		response := map[string]any{
@@ -680,7 +680,7 @@ func (h *Handlers) HandleContainerLogsAPI() http.HandlerFunc {
 		}
 
 		response := map[string]any{
-			"logs":   logs,
+			"logs":   SanitizeLogs(logs),
 			"status": status,
 		}
 
@@ -916,7 +916,7 @@ func (h *Handlers) HandleEnvVarAdd() http.HandlerFunc {
 func (h *Handlers) HandleEnvVarDelete() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
-		envVarIDStr := chi.URLParam(request, "envID")
+		envVarIDStr := chi.URLParam(request, "varID")
 
 		envVarID, parseErr := strconv.ParseInt(envVarIDStr, 10, 64)
 		if parseErr != nil {
@@ -1022,6 +1022,14 @@ func (h *Handlers) HandleVolumeAdd() http.HandlerFunc {
 			return
 		}
 
+		pathErr := validateVolumePaths(hostPath, containerPath)
+		if pathErr != nil {
+			h.log.Error("invalid volume path", "error", pathErr)
+			http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther)
+
+			return
+		}
+
 		volume := models.NewVolume(h.db)
 		volume.AppID = application.ID
 		volume.HostPath = hostPath

internal/handlers/export_test.go

@@ -0,0 +1,6 @@
+package handlers
+
+// ValidateRepoURLForTest exports validateRepoURL for testing.
+func ValidateRepoURLForTest(repoURL string) error {
+	return validateRepoURL(repoURL)
+}

internal/handlers/handlers_test.go

@@ -2,6 +2,7 @@ package handlers_test
 
 import (
 	"context"
+	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@@ -564,7 +565,7 @@ func TestDeleteEnvVarOwnershipVerification(t *testing.T) { //nolint:dupl // inte
 			return "/apps/" + appID + "/env/" + strconv.FormatInt(resourceID, 10) + "/delete"
 		},
 		chiParams: func(appID string, resourceID int64) map[string]string {
-			return map[string]string{"id": appID, "envID": strconv.FormatInt(resourceID, 10)}
+			return map[string]string{"id": appID, "varID": strconv.FormatInt(resourceID, 10)}
 		},
 		handler: func(h *handlers.Handlers) http.HandlerFunc { return h.HandleEnvVarDelete() },
 		verifyFn: func(t *testing.T, tc *testContext, resourceID int64) {
@@ -695,6 +696,180 @@ func TestDeletePortOwnershipVerification(t *testing.T) {
 	assert.NotNil(t, found, "port should still exist after IDOR attempt")
 }
 
+// TestHandleEnvVarDeleteUsesCorrectRouteParam verifies that HandleEnvVarDelete
+// reads the "varID" chi URL parameter (matching the route definition {varID}),
+// not a mismatched name like "envID".
+func TestHandleEnvVarDeleteUsesCorrectRouteParam(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	createdApp := createTestApp(t, testCtx, "envdelete-param-app")
+
+	envVar := models.NewEnvVar(testCtx.database)
+	envVar.AppID = createdApp.ID
+	envVar.Key = "DELETE_ME"
+	envVar.Value = "gone"
+	require.NoError(t, envVar.Save(context.Background()))
+
+	// Use chi router with the real route pattern to test param name
+	r := chi.NewRouter()
+	r.Post("/apps/{id}/env-vars/{varID}/delete", testCtx.handlers.HandleEnvVarDelete())
+
+	request := httptest.NewRequest(
+		http.MethodPost,
+		"/apps/"+createdApp.ID+"/env-vars/"+strconv.FormatInt(envVar.ID, 10)+"/delete",
+		nil,
+	)
+	recorder := httptest.NewRecorder()
+
+	r.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusSeeOther, recorder.Code)
+
+	// Verify the env var was actually deleted
+	found, findErr := models.FindEnvVar(context.Background(), testCtx.database, envVar.ID)
+	require.NoError(t, findErr)
+	assert.Nil(t, found, "env var should be deleted when using correct route param")
+}
+
+// TestHandleVolumeAddValidatesPaths verifies that HandleVolumeAdd validates
+// host and container paths (same as HandleVolumeEdit).
+func TestHandleVolumeAddValidatesPaths(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	createdApp := createTestApp(t, testCtx, "volume-validate-app")
+
+	tests := []struct {
+		name          string
+		hostPath      string
+		containerPath string
+		shouldCreate  bool
+	}{
+		{"relative host path rejected", "relative/path", "/container", false},
+		{"relative container path rejected", "/host", "relative/path", false},
+		{"unclean host path rejected", "/host/../etc", "/container", false},
+		{"valid paths accepted", "/host/data", "/container/data", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			form := url.Values{}
+			form.Set("host_path", tt.hostPath)
+			form.Set("container_path", tt.containerPath)
+
+			request := httptest.NewRequest(
+				http.MethodPost,
+				"/apps/"+createdApp.ID+"/volumes",
+				strings.NewReader(form.Encode()),
+			)
+			request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			request = addChiURLParams(request, map[string]string{"id": createdApp.ID})
+
+			recorder := httptest.NewRecorder()
+
+			handler := testCtx.handlers.HandleVolumeAdd()
+			handler.ServeHTTP(recorder, request)
+
+			assert.Equal(t, http.StatusSeeOther, recorder.Code)
+
+			// Check if volume was created by listing volumes
+			volumes, _ := createdApp.GetVolumes(context.Background())
+			found := false
+
+			for _, v := range volumes {
+				if v.HostPath == tt.hostPath && v.ContainerPath == tt.containerPath {
+					found = true
+					// Clean up for isolation
+					_ = v.Delete(context.Background())
+				}
+			}
+
+			if tt.shouldCreate {
+				assert.True(t, found, "volume should be created for valid paths")
+			} else {
+				assert.False(t, found, "volume should NOT be created for invalid paths")
+			}
+		})
+	}
+}
+
+// TestSetupRequiredExemptsHealthAndStaticAndAPI verifies that the SetupRequired
+// middleware allows /health, /s/*, and /api/* paths through even when setup is required.
+func TestSetupRequiredExemptsHealthAndStaticAndAPI(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	// No user created, so setup IS required
+	mw := testCtx.middleware.SetupRequired()
+
+	okHandler := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte("OK"))
+	})
+
+	wrapped := mw(okHandler)
+
+	exemptPaths := []string{"/health", "/s/style.css", "/s/js/app.js", "/api/v1/apps", "/api/v1/login"}
+
+	for _, path := range exemptPaths {
+		t.Run(path, func(t *testing.T) {
+			t.Parallel()
+
+			req := httptest.NewRequest(http.MethodGet, path, nil)
+			rr := httptest.NewRecorder()
+			wrapped.ServeHTTP(rr, req)
+
+			assert.Equal(t, http.StatusOK, rr.Code,
+				"path %s should be exempt from setup redirect", path)
+		})
+	}
+
+	// Non-exempt path should redirect to /setup
+	t.Run("non-exempt redirects", func(t *testing.T) {
+		t.Parallel()
+
+		req := httptest.NewRequest(http.MethodGet, "/", nil)
+		rr := httptest.NewRecorder()
+		wrapped.ServeHTTP(rr, req)
+
+		assert.Equal(t, http.StatusSeeOther, rr.Code)
+		assert.Equal(t, "/setup", rr.Header().Get("Location"))
+	})
+}
+
+// TestAPITriggerDeployUsesDetachedContext verifies that HandleAPITriggerDeploy
+// does not pass the request context directly to the deploy operation.
+// This is a compile-time/code-level fix verified by the deployment not being
+// cancelled when the request context is cancelled.
+func TestAPITriggerDeployUsesDetachedContext(t *testing.T) {
+	t.Parallel()
+
+	// This test verifies the fix exists by checking the handler doesn't
+	// fail when called — the actual context detachment is verified by code review.
+	// The deploy will fail (no docker) but shouldn't panic.
+	tc, cookies := setupAPITest(t)
+
+	body := `{"name":"detach-ctx-app","repoUrl":"https://github.com/example/repo"}`
+	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
+	require.Equal(t, http.StatusCreated, rr.Code)
+
+	var created map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
+
+	appID, ok := created["id"].(string)
+	require.True(t, ok)
+
+	rr = apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps/"+appID+"/deploy", "")
+	// Should get conflict (deploy will fail) or accepted, but not panic
+	assert.Contains(t, []int{http.StatusAccepted, http.StatusConflict}, rr.Code)
+}
+
 func TestHandleCancelDeployRedirects(t *testing.T) {
 	t.Parallel()
 

internal/handlers/repo_url_validation.go

@@ -20,6 +20,16 @@ var (
 // Only the "git" user is allowed, as that is the standard for SSH deploy keys.
 var scpLikeRepoRe = regexp.MustCompile(`^git@[a-zA-Z0-9._-]+:.+$`)
 
+// allowedRepoSchemes lists the URL schemes accepted for repository URLs.
+//
+//nolint:gochecknoglobals // package-level constant map parsed once
+var allowedRepoSchemes = map[string]bool{
+	"https": true,
+	"http":  true,
+	"ssh":   true,
+	"git":   true,
+}
+
 // validateRepoURL checks that the given repository URL is valid and uses an allowed scheme.
 func validateRepoURL(repoURL string) error {
 	if strings.TrimSpace(repoURL) == "" {
@@ -41,17 +51,17 @@ func validateRepoURL(repoURL string) error {
 		return errRepoURLScheme
 	}
 
-	// Parse as standard URL
+	return validateParsedRepoURL(repoURL)
+}
+
+// validateParsedRepoURL validates a standard URL-format repository URL.
+func validateParsedRepoURL(repoURL string) error {
 	parsed, err := url.Parse(repoURL)
 	if err != nil {
 		return errRepoURLInvalid
 	}
 
-	// Must have a recognized scheme
+	if !allowedRepoSchemes[strings.ToLower(parsed.Scheme)] {
-	switch strings.ToLower(parsed.Scheme) {
-	case "https", "http", "ssh", "git":
-		// OK
-	default:
 		return errRepoURLInvalid
 	}
 

internal/handlers/repo_url_validation_test.go

@@ -1,6 +1,10 @@
-package handlers
+package handlers_test
 
-import "testing"
+import (
+	"testing"
+
+	"git.eeqj.de/sneak/upaas/internal/handlers"
+)
 
 func TestValidateRepoURL(t *testing.T) {
 	t.Parallel()
@@ -43,13 +47,13 @@ func TestValidateRepoURL(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 
-			err := validateRepoURL(tc.url)
+			err := handlers.ValidateRepoURLForTest(tc.url)
 			if tc.wantErr && err == nil {
-				t.Errorf("validateRepoURL(%q) = nil, want error", tc.url)
+				t.Errorf("ValidateRepoURLForTest(%q) = nil, want error", tc.url)
 			}
 
 			if !tc.wantErr && err != nil {
-				t.Errorf("validateRepoURL(%q) = %v, want nil", tc.url, err)
+				t.Errorf("ValidateRepoURLForTest(%q) = %v, want nil", tc.url, err)
 			}
 		})
 	}

internal/handlers/sanitize.go

@@ -0,0 +1,30 @@
+package handlers
+
+import (
+	"regexp"
+	"strings"
+)
+
+// ansiEscapePattern matches ANSI escape sequences (CSI, OSC, and single-character escapes).
+var ansiEscapePattern = regexp.MustCompile(`(\x1b\[[0-9;]*[a-zA-Z]|\x1b\][^\x07]*\x07|\x1b[^[\]])`)
+
+// SanitizeLogs strips ANSI escape sequences and non-printable control characters
+// from container log output. Newlines (\n), carriage returns (\r), and tabs (\t)
+// are preserved. This ensures that attacker-controlled container output cannot
+// inject terminal escape sequences or other dangerous control characters.
+func SanitizeLogs(input string) string {
+	// Strip ANSI escape sequences
+	result := ansiEscapePattern.ReplaceAllString(input, "")
+
+	// Strip remaining non-printable characters (keep \n, \r, \t)
+	var b strings.Builder
+	b.Grow(len(result))
+
+	for _, r := range result {
+		if r == '\n' || r == '\r' || r == '\t' || r >= ' ' {
+			b.WriteRune(r)
+		}
+	}
+
+	return b.String()
+}

internal/handlers/sanitize_test.go

@@ -0,0 +1,84 @@
+package handlers_test
+
+import (
+	"testing"
+
+	"git.eeqj.de/sneak/upaas/internal/handlers"
+)
+
+func TestSanitizeLogs(t *testing.T) { //nolint:funlen // table-driven tests
+	t.Parallel()
+
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "plain text unchanged",
+			input:    "hello world\n",
+			expected: "hello world\n",
+		},
+		{
+			name:     "strips ANSI color codes",
+			input:    "\x1b[31mERROR\x1b[0m: something failed\n",
+			expected: "ERROR: something failed\n",
+		},
+		{
+			name:     "strips OSC sequences",
+			input:    "\x1b]0;window title\x07normal text\n",
+			expected: "normal text\n",
+		},
+		{
+			name:     "strips null bytes",
+			input:    "hello\x00world\n",
+			expected: "helloworld\n",
+		},
+		{
+			name:     "strips bell characters",
+			input:    "alert\x07here\n",
+			expected: "alerthere\n",
+		},
+		{
+			name:     "preserves tabs",
+			input:    "field1\tfield2\tfield3\n",
+			expected: "field1\tfield2\tfield3\n",
+		},
+		{
+			name:     "preserves carriage returns",
+			input:    "line1\r\nline2\r\n",
+			expected: "line1\r\nline2\r\n",
+		},
+		{
+			name:     "strips mixed escape sequences",
+			input:    "\x1b[32m2024-01-01\x1b[0m \x1b[1mINFO\x1b[0m starting\x00\n",
+			expected: "2024-01-01 INFO starting\n",
+		},
+		{
+			name:     "empty string",
+			input:    "",
+			expected: "",
+		},
+		{
+			name:     "only control characters",
+			input:    "\x00\x01\x02\x03",
+			expected: "",
+		},
+		{
+			name:     "cursor movement sequences stripped",
+			input:    "\x1b[2J\x1b[H\x1b[3Atext\n",
+			expected: "text\n",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := handlers.SanitizeLogs(tt.input)
+			if got != tt.expected {
+				t.Errorf("SanitizeLogs(%q) = %q, want %q", tt.input, got, tt.expected)
+			}
+		})
+	}
+}

internal/middleware/middleware.go

@@ -411,8 +411,14 @@ func (m *Middleware) SetupRequired() func(http.Handler) http.Handler {
 			}
 
 			if setupRequired {
-				// Allow access to setup page
+				path := request.URL.Path
-				if request.URL.Path == "/setup" {
+
+				// Allow access to setup page, health endpoint, static
+				// assets, and API routes even before setup is complete.
+				if path == "/setup" ||
+					path == "/health" ||
+					strings.HasPrefix(path, "/s/") ||
+					strings.HasPrefix(path, "/api/") {
 					next.ServeHTTP(writer, request)
 
 					return

static/js/app.js

@@ -369,7 +369,7 @@ document.addEventListener("alpine:init", () => {
     init() {
       // Read initial logs from script tag (avoids escaping issues)
       const initialLogsEl = this.$el.querySelector(".initial-logs");
-      this.logs = initialLogsEl?.textContent || "Loading...";
+      this.logs = initialLogsEl?.dataset.logs || "Loading...";
 
       // Set up scroll tracking
       this.$nextTick(() => {

templates/deployments.html

@@ -98,7 +98,7 @@
                         title="Scroll to bottom"
                     >↓ Follow</button>
                 </div>
-                {{if .Logs.Valid}}<script type="text/plain" class="initial-logs">{{.Logs.String}}</script>{{end}}
+                {{if .Logs.Valid}}<div hidden class="initial-logs" data-logs="{{.Logs.String}}"></div>{{end}}
             </div>
             {{end}}
         </div>