fix(proxy): harden security and add UpSnap debug logging

- XSS: escape serviceName in waking page HTML
- Session TTL: 24h expiration with periodic cleanup
- Rate limit: 5 login attempts / 15 min per IP
- CORS: restrict to same-origin + localhost
- SSRF: block localhost/metadata in service targets
- UpSnap: log response bodies on auth/wake failures

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Vadim Sobinin
2026-03-15 00:57:38 +03:00
parent f38c944690
commit 719afa8533
8 changed files with 143 additions and 34 deletions


@@ -1,10 +1,15 @@
function escapeHtml(s: string): string {
return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}
export function getWakingPageHtml(serviceName: string): string {
const safe = escapeHtml(serviceName);
return `<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Waking up — ${serviceName}</title>
<title>Waking up — ${safe}</title>
<style>
* { margin: 0; padding: 0; box-sizing: border-box; }
body {
@@ -38,7 +43,7 @@ export function getWakingPageHtml(serviceName: string): string {
<body>
<div class="container">
<div class="spinner" id="spinner"></div>
<h1>Waking up ${serviceName}...</h1>
<h1>Waking up ${safe}...</h1>
<p>The server is starting. This page will reload automatically.</p>
<p class="status" id="status">Waiting for response...</p>
</div>
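Review bot: The new `escapeHtml` in the first hunk leaves `'` unescaped, so it is only correct for the two text-node interpolations shown (`<title>` and `<h1>`) and would be insufficient if `safe` is ever placed in a single-quoted attribute; since it is named as a general helper, I would close that gap now with `return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39;');`. The helper also lacks a doc comment stating its contract; I would add `/** Escapes text for an HTML text node or quoted attribute; not sufficient for script, style or URL contexts. */` above it. The `getWakingPageHtml` template runs well past both hunks, so if `serviceName` is interpolated anywhere else in it (a `<script>` block, for instance), that occurrence is not covered by this change and HTML escaping would not be the right encoding there; worth a quick grep of the rest of the template. The `&` replacement is correctly applied first, so the order of the chain is fine.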