add security fixes, port hardening, and expanded QA coverage
Security fixes:
- Replace debug=True with env-driven FLASK_DEBUG in app.py
- Add _safe_path helper and path-traversal protection to all 6 file routes
in file_manager.py
- Add peer_name regex and input validation (public_key, name, endpoint_ip)
in wireguard_manager.py
- Stop returning private key from GET /api/wireguard/keys; return only
public_key + has_private_key boolean
- Fix is_local_request() XFF bypass by checking remote_addr only, ignoring
X-Forwarded-For
- Remove duplicate get_all_configs / get_config_summary methods from
config_manager.py
DevOps:
- Bind 6 internal service ports to 127.0.0.1 in docker-compose.yml
(radicale, webdav, api, webui, rainloop, filegator)
- Move WebDAV credentials to env vars (WEBDAV_USER, WEBDAV_PASS)
- Pin flask, flask-cors, requests, cryptography, docker to secure minimum
versions in requirements.txt
QA (560 tests, 0 failures):
- tests/test_wireguard_endpoints.py: 18 new endpoint tests
- tests/test_file_endpoints.py: 24 new endpoint tests incl. path traversal
- tests/test_container_manager.py: expanded from 2 to 30 tests
- tests/test_config_backup_restore_http.py: 25 new tests (new file)
- tests/test_config_apply.py: 9 new tests (new file)
Docs:
- Rewrite README.md with accurate architecture, ports, env vars, security notes
- Rewrite QUICKSTART.md with verified commands
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
roof
a338836bb8