lerkolabs/uptop
1
1
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases 2 Wiki Activity

fix(security): strip push tokens from /status/json response

Browse Source 
The public status JSON endpoint was serializing full Site structs
including heartbeat tokens. An attacker could extract tokens and
forge heartbeats to suppress DOWN alerts. Now tokens are stripped
before encoding. Backup/export endpoint is unaffected.
This commit is contained in:
Tyler Koenig
2026-05-16 15:45:09 -04:00
parent fa1042a2ec
commit 025b1b61d0
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/server/server.go
+6 -1
View File
@@ -358,8 +358,13 @@ func Start(cfg ServerConfig, s store.Store, eng *monitor.Engine) {
if cfg.EnableStatus { if cfg.EnableStatus {
mux.HandleFunc("/status", func(w http.ResponseWriter, r *http.Request) { renderStatusPage(w, cfg.Title, eng) }) mux.HandleFunc("/status", func(w http.ResponseWriter, r *http.Request) { renderStatusPage(w, cfg.Title, eng) })
mux.HandleFunc("/status/json", func(w http.ResponseWriter, r *http.Request) { mux.HandleFunc("/status/json", func(w http.ResponseWriter, r *http.Request) {
state := eng.GetLiveState()
for id, site := range state {
site.Token = ""
state[id] = site
}
w.Header().Set("Content-Type", "application/json") w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(eng.GetLiveState()) json.NewEncoder(w).Encode(state)
}) })
} }