lerkolabs/uptop
1
1
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(security): phase 1 critical fixes for public release #26

Merged
lerko merged 1 commits from security/phase-1-critical into main 2026-05-26 00:43:52 +00:00
Conversation 0 Commits 1 Files Changed 15
+650 -99
lerko commented 2026-05-25 15:37:17 +00:00
Owner
Copy Link
Copy Source

Summary

  • DSN redaction: PostgreSQL connection strings no longer leak passwords to stdout/logs
  • Hardened .dockerignore: Excludes .ssh/, .claude/, *.db, *.local.* from Docker build context
  • SSRF protection: Blocks private/loopback/link-local IP targets by default via safe dialer on all HTTP clients and pre-check on ping/port monitors. Set UPTOP_ALLOW_PRIVATE_TARGETS=true for homelab use.
  • Email header injection fix: Strips CRLF from email headers, adds proper From: and MIME headers
  • Alert credential encryption: AES-256-GCM encryption for alerts.settings column via UPTOP_ENCRYPTION_KEY env var. Includes uptop migrate-secrets subcommand for existing installs. Falls back to plaintext with warning when unset.
  • TLS support: UPTOP_TLS_CERT / UPTOP_TLS_KEY env vars enable HTTPS with HSTS header. Warns when cluster mode is active without TLS.

New environment variables

Variable Default Description
UPTOP_ALLOW_PRIVATE_TARGETS false Allow monitoring private/internal IPs
UPTOP_ENCRYPTION_KEY (unset) 32-byte hex-encoded AES key for alert credential encryption
UPTOP_TLS_CERT (unset) Path to TLS certificate file
UPTOP_TLS_KEY (unset) Path to TLS private key file

Test plan

  • go build ./... passes
  • go test -race -timeout 120s ./... — all pass
  • golangci-lint run — 0 issues
  • Manual: confirmed private IP blocking works and UPTOP_ALLOW_PRIVATE_TARGETS=true restores homelab functionality
  • Manual: test migrate-secrets subcommand on existing database
  • Manual: test TLS with self-signed cert
## Summary - **DSN redaction**: PostgreSQL connection strings no longer leak passwords to stdout/logs - **Hardened .dockerignore**: Excludes `.ssh/`, `.claude/`, `*.db`, `*.local.*` from Docker build context - **SSRF protection**: Blocks private/loopback/link-local IP targets by default via safe dialer on all HTTP clients and pre-check on ping/port monitors. Set `UPTOP_ALLOW_PRIVATE_TARGETS=true` for homelab use. - **Email header injection fix**: Strips CRLF from email headers, adds proper `From:` and MIME headers - **Alert credential encryption**: AES-256-GCM encryption for `alerts.settings` column via `UPTOP_ENCRYPTION_KEY` env var. Includes `uptop migrate-secrets` subcommand for existing installs. Falls back to plaintext with warning when unset. - **TLS support**: `UPTOP_TLS_CERT` / `UPTOP_TLS_KEY` env vars enable HTTPS with HSTS header. Warns when cluster mode is active without TLS. ## New environment variables | Variable | Default | Description | |----------|---------|-------------| | `UPTOP_ALLOW_PRIVATE_TARGETS` | `false` | Allow monitoring private/internal IPs | | `UPTOP_ENCRYPTION_KEY` | _(unset)_ | 32-byte hex-encoded AES key for alert credential encryption | | `UPTOP_TLS_CERT` | _(unset)_ | Path to TLS certificate file | | `UPTOP_TLS_KEY` | _(unset)_ | Path to TLS private key file | ## Test plan - [x] `go build ./...` passes - [x] `go test -race -timeout 120s ./...` — all pass - [x] `golangci-lint run` — 0 issues - [x] Manual: confirmed private IP blocking works and `UPTOP_ALLOW_PRIVATE_TARGETS=true` restores homelab functionality - [ ] Manual: test `migrate-secrets` subcommand on existing database - [ ] Manual: test TLS with self-signed cert
lerko added 1 commit 2026-05-25 15:37:17 +00:00
fix(security): phase 1 critical fixes for public release
CI / test (pull_request) Successful in 4m40s
Details
CI / lint (pull_request) Successful in 1m2s
Details
60b30935b3 
- Redact PostgreSQL DSN password from stdout/logs
- Harden .dockerignore to exclude .ssh/, .claude/, *.db, *.local files
- SSRF protection: block private/loopback/link-local IPs by default
  (UPTOP_ALLOW_PRIVATE_TARGETS=true to override for homelab use)
- Fix email header injection via CRLF in monitor names
- AES-256-GCM encryption for alert credentials at rest
  (UPTOP_ENCRYPTION_KEY env var, migrate-secrets subcommand)
- TLS support for HTTP server (UPTOP_TLS_CERT/UPTOP_TLS_KEY)
  with HSTS header when TLS enabled
lerko merged commit b43dfae98f into main 2026-05-26 00:43:52 +00:00
lerko deleted branch security/phase-1-critical 2026-05-26 00:43:52 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
lerko (Tyler Koenig)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: lerkolabs/uptop#26
Delete Branch "security/phase-1-critical"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?