Pulse/internal/api
rcourtman 71abcb2a37 fix: harden SSH config endpoint per Codex security review
Addressed security concerns identified by Codex code review:

1. **Memory exhaustion protection**
   - Added http.MaxBytesReader with 32KB limit
   - Prevents malicious large POST from killing server

2. **Dangerous directive blocking**
   - Reject ProxyCommand, LocalCommand, RemoteCommand
   - Prevents command injection via SSH config

3. **Improved error handling**
   - Check all error returns properly
   - Return 5xx on failures
   - Log file size and path for debugging

4. **Scoped SSH config (critical fix)**
   - Changed from `Host *` to specific cluster nodes
   - Prevents overriding ALL SSH connections
   - Only affects Proxmox nodes for temperature monitoring
   - Preserves other SSH functionality (git, etc.)

Before: Host * broke all SSH connections from Pulse
After: Only Proxmox cluster nodes use ProxyJump

Credit: Codex code review identified these issues
2025-10-18 23:21:59 +00:00
..
alerts.go Ref #556: adjust alert history range handling 2025-10-15 18:41:06 +00:00
alerts_test.go Allow printable alert IDs for acknowledgements (#550) 2025-10-14 16:48:22 +00:00
auth.go feat: enhance sensor proxy with improved cluster discovery and SSH management 2025-10-17 11:43:26 +00:00
config_handlers.go fix: harden SSH config endpoint per Codex security review 2025-10-18 23:21:59 +00:00
csrf_store.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
demo_middleware.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
diagnostics.go feat: enhance sensor proxy with improved cluster discovery and SSH management 2025-10-17 11:43:26 +00:00
DO_NOT_EDIT_FRONTEND_HERE.md Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
docker_agents.go feat: add docker agent command handling 2025-10-15 19:27:19 +00:00
frontend_embed.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
guest_metadata.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
middleware.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
notifications.go Add Apprise notification integration (#570) 2025-10-18 16:39:39 +00:00
oidc_handlers.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
oidc_service.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
rate_limit_config.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
ratelimit.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
README.md Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
recovery_tokens.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
router.go feat: automatic ProxyJump for turnkey temperature monitoring 2025-10-18 23:17:38 +00:00
router_integration_test.go fix: normalize version strings with build metadata in tests 2025-10-16 09:07:40 +00:00
security.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
security_oidc.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
security_setup_fix.go feat: streamline docker agent onboarding 2025-10-14 09:45:32 +00:00
security_tokens.go feat: add docker agent command handling 2025-10-15 19:27:19 +00:00
session_store.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
settings.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
system_settings.go fix: harden SSH config endpoint per Codex security review 2025-10-18 23:21:59 +00:00
types.go Adjust backup and snapshot alert handling 2025-10-18 20:11:01 +00:00
updates.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00

Internal API Package

This directory contains the API server implementation for Pulse.

Important Note About frontend-modern/

The frontend-modern/ subdirectory that appears here is:

  • AUTO-GENERATED during builds
  • NOT the source code - just a build artifact
  • IN .gitignore - never committed
  • REQUIRED BY GO - The embed directive needs it here

Frontend Development Location

👉 Edit frontend files at: /opt/pulse/frontend-modern/src/

Why This Structure?

Go's //go:embed directive has limitations:

  1. Cannot use ../ paths to access parent directories
  2. Cannot follow symbolic links
  3. Must embed files within the Go module

This is a known Go limitation and our structure works around it.