Kayos
9f261e6b9e
Cobb requested all the small ones land before LAN testing.
discover.html CVE-NEW3-2 (LOW): switched recipe card image from a CSS
background-image:url('${_esc(url)}') to a plain <img class="img" src=...>
element. Recipe image_url is scraped from JSON-LD on third-party pages —
a malicious page could return an image_url crafted to close the CSS
url(...) string and inject layout-breaking CSS. With <img src=...> the
URL stays in HTML-attribute context end-to-end where _esc is sufficient.
Also adds defense-in-depth: validate URL parses as http(s) before
rendering, fall through to placeholder otherwise, and set
referrerpolicy=no-referrer so we don't leak our path to image hosts.
CSS for .dcard .img widened with object-fit:cover so img and div both
center/cover correctly.
server.py CVE-NEW3-3 (LOW): _origin_of() now lowercases scheme AND
host (urlparse only does scheme), and drops scheme-default ports
(:80/:443) so `https://x.com:443` matches `https://x.com`. Closes a
false-reject path on browsers that preserve case in Origin headers,
or non-canonical CAULDRON_BASE_URL values. Not a bypass — false-reject
robustness only — but cheap to fix and operationally important.
server.py CODE3-3 (LOW): _safe_next() now allows `%` in the path
charset so percent-encoded paths (e.g. /recipes/spaghetti%20bol)
don't silently land at /me. Defense-in-depth: also percent-decode
the path and reject if the decoded form contains `..` traversal or
`//` (encoded forms of the same patterns the front-of-function
reject already).
server.py INFO3-2: auth_callback now does session.clear() before
setting session["user"]. Capture+revalidate `next` BEFORE the clear
so we don't drop our own redirect target. Drops every pre-auth key
on login — defense-in-depth against session-state contamination if
anything else ever lands in pre-auth session.
.env.example INFO3-1: added CAULDRON_ADMIN_SUBS, CAULDRON_BASE_URL,
CAULDRON_BEHIND_TLS, CAULDRON_TRUSTED_PROXIES with comments
explaining what each one gates. Defaults are the safe-LAN set.
Holding for public deploy — Cobb running LAN tests for a few days.
INFO3-3 (rate limit) intentionally NOT addressed in code: the audit
notes this as architecturally a proxy-layer concern (rackham vhost),
not in-process. Rolled into the public-deploy commit when the vhost
work lands.
INFO3-4 (security primitive test coverage) deferred — separate test-
sweep PR, doesn't block deploy.
64 lines
2.4 KiB
Text
64 lines
2.4 KiB
Text
# Cauldron — copy to /mnt/cache/appdata/secrets/cauldron.env on Lucy
|
|
# (chmod 600, root:root). Some values are already populated by the deploy
|
|
# bootstrap (CLAWDFORGE_*); fill in the rest before first start.
|
|
|
|
# Flask
|
|
SECRET_KEY=change-me-32-bytes-of-entropy
|
|
|
|
# Bind
|
|
BIND_HOST=0.0.0.0
|
|
BIND_PORT=7790
|
|
|
|
# Mealie (recipes.sulkta.com is already wired with Authentik OIDC)
|
|
MEALIE_BASE_URL=https://recipes.sulkta.com
|
|
MEALIE_API_TOKEN=
|
|
|
|
# clawdforge (centralized claude-runner on Lucy)
|
|
CLAWDFORGE_URL=http://192.168.0.5:8800
|
|
CLAWDFORGE_TOKEN=
|
|
DEFAULT_MODEL=sonnet
|
|
DEFAULT_TIMEOUT_SECS=120
|
|
|
|
# Admin bearer for batch ops (sterilize-all, etc.) — separate from user OIDC
|
|
ADMIN_BEARER=change-me-this-is-the-cauldron-admin-batch-token
|
|
|
|
# Authentik OIDC (provisioned 2026-04-28; client_id + secret minted by Authentik)
|
|
OIDC_ISSUER=https://auth.sulkta.com/application/o/cauldron/
|
|
OIDC_CLIENT_ID=
|
|
OIDC_CLIENT_SECRET=
|
|
OIDC_REDIRECT_URI=http://192.168.0.5:7790/auth/callback
|
|
|
|
# DB (sulkta-mariadb on the sulkta bridge)
|
|
DB_HOST=sulkta-mariadb
|
|
DB_PORT=3306
|
|
DB_NAME=cauldron
|
|
DB_USER=cauldron_app
|
|
DB_PASSWORD=
|
|
|
|
# Fernet master key for at-rest encryption of per-user Mealie tokens.
|
|
# Generate with: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
|
|
CAULDRON_FERNET_KEY=
|
|
|
|
# --- Public-deploy hardening (added 2026-05-02 CVE audit) ---
|
|
# Comma-separated list of authentik subjects who get the operator-tier
|
|
# /me admin tools panel (consolidate, discover scrape). Empty = nobody.
|
|
# Cobb's authentik sub goes here for production.
|
|
CAULDRON_ADMIN_SUBS=
|
|
|
|
# External base URL where cauldron is reachable. Set to your public host
|
|
# (e.g. https://cauldron.sulkta.com) when going public; leave empty for
|
|
# LAN-only HTTP. When set: enables CSRF Origin guard, HSTS, secure cookie.
|
|
CAULDRON_BASE_URL=
|
|
|
|
# Whether the deploy is fronted by TLS (rackham apache → cauldron over
|
|
# OpenVPN). Independent toggle from base_url so dev/staging can override.
|
|
# When true: SESSION_COOKIE_SECURE=True, HSTS header emitted.
|
|
CAULDRON_BEHIND_TLS=false
|
|
|
|
# Comma-separated CIDR list of trusted proxies whose X-Forwarded-* we
|
|
# honor. Empty = trust nothing → ProxyFix is OFF and X-Forwarded-* are
|
|
# stripped from every request. For the rackham→OpenVPN→lucy:7790 deploy,
|
|
# set this to rackham's WireGuard-internal IP (e.g. 10.20.30.1/32). Any
|
|
# X-Forwarded-* from a peer outside this list gets dropped before
|
|
# ProxyFix sees it.
|
|
CAULDRON_TRUSTED_PROXIES=
|