Jeffrey Paul sneak
sneak closed issue sneak/upaas#112 2026-02-20 14:35:13 +01:00
CRITICAL: API v1 routes use cookie auth without CSRF protection — cross-site request forgery
sneak closed issue sneak/upaas#110 2026-02-20 14:29:15 +01:00
CRITICAL: Deployed containers have no security constraints (capabilities, seccomp, resource limits)
sneak closed issue sneak/upaas#111 2026-02-20 14:28:44 +01:00
CRITICAL: Volume mounts allow access to any host path (Docker socket, /etc/shadow, etc.)
sneak commented on issue sneak/upaas#111 2026-02-20 14:28:44 +01:00
CRITICAL: Volume mounts allow access to any host path (Docker socket, /etc/shadow, etc.)

WONTFIX, working as intended

sneak commented on issue sneak/upaas#112 2026-02-20 14:28:18 +01:00
CRITICAL: API v1 routes use cookie auth without CSRF protection — cross-site request forgery

Disable the API’s write methods.

sneak closed issue sneak/upaas#113 2026-02-20 14:27:43 +01:00
CRITICAL: Port mappings bind to 0.0.0.0 with no restriction on privileged ports or conflicts
sneak commented on issue sneak/upaas#114 2026-02-20 14:27:04 +01:00
CRITICAL: API exposes webhook secret and SSH private key in app detail response

Webhook secret is not private from the user. SSH private key should never leave the upaas instance. Are you sure it isn’t sending the PUBLIC key?

sneak pushed to main at sneak/upaas 2026-02-20 13:47:14 +01:00
4217e62f27 Merge pull request 'fix: resolve 1.0 audit bugs (closes #104, #105, #106, #107, #108)' (#109) from fix/1.0-audit-bugs into main
327d7fb982 fix: resolve lint issues in handlers and middleware
6cfd5023f9 fix: SetupRequired middleware exempts health, static, and API routes (closes #108)
efd3500dac fix: HandleVolumeAdd validates host and container paths (closes #107)
ec87915234 fix: API delete endpoint cleans up Docker container before DB deletion (closes #106)
Compare 7 commits »
sneak closed issue sneak/upaas#108 2026-02-20 13:47:14 +01:00
BUG: SetupRequired middleware blocks /health, /s/*, and /api/* before initial setup
sneak closed issue sneak/upaas#107 2026-02-20 13:47:14 +01:00
BUG: HandleVolumeAdd missing path validation — path traversal possible on volume creation
sneak closed issue sneak/upaas#106 2026-02-20 13:47:14 +01:00
BUG: API delete endpoint does not stop/remove Docker container — orphaned containers
sneak closed issue sneak/upaas#105 2026-02-20 13:47:14 +01:00
BUG: API deploy handler uses request context — deployment cancelled on client disconnect
sneak closed issue sneak/upaas#104 2026-02-20 13:47:12 +01:00
BUG: HandleEnvVarDelete uses wrong route parameter name — env var deletion always 404s
sneak merged pull request sneak/upaas#109 2026-02-20 13:47:12 +01:00
fix: resolve 1.0 audit bugs (closes #104, #105, #106, #107, #108)
sneak closed issue sneak/upaas#103 2026-02-20 12:22:09 +01:00
Add branch protection to main branch
sneak commented on issue sneak/upaas#103 2026-02-20 12:22:09 +01:00
Add branch protection to main branch

Done.

sneak merged pull request sneak/upaas#100 2026-02-20 12:19:30 +01:00
ci: add Gitea Actions workflow for make check (closes #96)
sneak closed issue sneak/upaas#96 2026-02-20 12:19:30 +01:00
needs actions for code standard checks