fix(security): phase 4 code quality and low-severity fixes #29

Merged
lerko merged 1 commits from security/phase-4-quality into main 2026-05-26 21:31:40 +00:00
Owner

Summary

  • UTF-8 limitStr: Use []rune to avoid splitting multi-byte characters in monitor name truncation
  • Log sanitization: Strip ANSI escape sequences and newlines from log entries (prevents terminal manipulation via crafted monitor names)
  • URL-encode probe node_id: Use url.Values instead of string concatenation in probe assignment fetch
  • Follower body leak fix: Close resp.Body on all response codes, not just 200
  • SSH host key path: Configurable via UPTOP_SSH_HOST_KEY env var (default .ssh/id_ed25519)
  • HTTP method enforcement: GET-only endpoints (/api/push, /api/health, /api/probe/assignments, /metrics) return 405 for wrong methods
  • Named constants: Replaced magic numbers across monitor, store, and server packages
  • Stderr errors: All startup errors consistently go to stderr

New environment variables

| Variable | Default | Description |
|----------|---------|-------------|
| UPTOP_SSH_HOST_KEY | .ssh/id_ed25519 | Path to SSH host key file |

Test plan

  • go build ./... passes
  • go test -race -timeout 120s ./... — all pass
  • golangci-lint run — 0 issues

Security audit status

This completes all 4 phases of the security remediation spec. 38 of 40 findings addressed:

  • Phase 1: 6/6 critical ✓
  • Phase 2: 8/8 high ✓
  • Phase 3: 11/12 medium ✓ (3.10 context propagation deferred)
  • Phase 4: 9/9 low ✓ (4.8 already optimized)
lerko added 1 commit 2026-05-26 21:26:03 +00:00
fix(security): phase 4 code quality and low-severity fixes
CI / test (pull_request) Successful in 4m24s
CI / lint (pull_request) Successful in 1m1s
986f9f1d55
- Fix limitStr to handle multi-byte UTF-8 characters correctly
- Sanitize log messages: strip ANSI escape sequences and newlines
- URL-encode probe node_id instead of string concatenation
- Fix follower resp.Body leak on non-200 responses
- Make SSH host key path configurable via UPTOP_SSH_HOST_KEY env var
- Add HTTP method checks on GET-only endpoints (405 for wrong methods)
- Extract magic numbers into named constants across monitor/store/server
- Standardize error output to stderr for all startup errors
lerko merged commit 8ad213c96c into main 2026-05-26 21:31:40 +00:00
lerko deleted branch security/phase-4-quality 2026-05-26 21:31:40 +00:00

Reference: lerkolabs/uptop#29
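
The first two items in the summary (log sanitization and rune-based truncation) can be illustrated as follows. This is an added example, not code from the uptop repository; the function names, the regular expression and the sample monitor names are assumptions, and dropping all control characters goes slightly beyond the ANSI sequences and newlines the PR mentions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ansiSeq matches CSI sequences (ESC [ params final-byte) and OSC sequences
// (ESC ] text, ended by BEL or ESC \).
var ansiSeq = regexp.MustCompile(`\x1b\[[0-?]*[ -/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)`)

// sanitizeLog (hypothetical name) strips escape sequences, then drops every
// remaining control character, newlines and stray ESC bytes included.
func sanitizeLog(s string) string {
	s = ansiSeq.ReplaceAllString(s, "")
	return strings.Map(func(r rune) rune {
		if r < 0x20 || r == 0x7f {
			return -1 // strings.Map removes the rune
		}
		return r
	}, s)
}

// truncateRunes cuts after max characters, never inside a UTF-8 sequence.
func truncateRunes(s string, max int) string {
	r := []rune(s)
	if len(r) <= max {
		return s
	}
	return string(r[:max])
}

// truncateBytes is the byte-slicing behaviour the rune version replaces.
func truncateBytes(s string, max int) string {
	if len(s) <= max {
		return s
	}
	return s[:max]
}

func main() {
	// Constructed monitor name: clear-screen, colour change, forged log line.
	name := "db-\x1b[2J\x1b[31mprimary\n2026-01-01 ERROR forged entry"
	fmt.Printf("%q\n", sanitizeLog(name))
	fmt.Printf("%q\n", truncateBytes("日本語モニター", 4)) // ends in a partial character
	fmt.Printf("%q\n", truncateRunes("日本語モニター", 3))
}
```

Sanitizing at the point where the entry is written, rather than where the monitor name is accepted, also covers names that were stored before the fix.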