From 570978594255ade6328083c3e2f1d1ef5c4f3c99 Mon Sep 17 00:00:00 2001 From: Lukas Date: Sun, 26 Apr 2026 14:28:30 +0200 Subject: [PATCH] Remove completed TASK-020 from tasks list Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- Docs/Tasks.md | 32 -------------------------------- 1 file changed, 32 deletions(-) diff --git a/Docs/Tasks.md b/Docs/Tasks.md index ec0146c..ca5d3ad 100644 --- a/Docs/Tasks.md +++ b/Docs/Tasks.md 
@@ -1,35 +1,3 @@ -## TASK-020 — `log_target` accepts arbitrary paths — root file write via fail2ban (CRITICAL) - -**Severity:** Critical - -### Where found -`backend/app/models/config.py` — `GlobalConfigUpdate.log_target: str | None`. `backend/app/services/config_service.py` — `update_global_config()` forwards the value to fail2ban without validation. - -### Why this is needed -fail2ban runs as root. When `log_target` is set to a path, fail2ban opens (and if necessary creates) that file for writing. An authenticated user can send `PUT /api/config/global` with `{"log_target": "/etc/cron.d/bangui-pwned"}`, causing fail2ban to create that file as root. With crafted content appended via fail2ban's own logging, this escalates to a root write primitive and potentially to Remote Code Execution. - -### Goal -Block all `log_target` values that are not `"STDOUT"`, `"STDERR"`, `"SYSLOG"`, or a path under the configured allowed log directories. - -### What to do -1. **Immediate:** Add a strict `@field_validator("log_target")` to `GlobalConfigUpdate` that enforces the allowlist (see TASK-015 — this task and TASK-015 share the same fix). -2. **Defense in depth:** Before sending the command to fail2ban in `update_global_config()`, validate again at the service layer (not just the model layer). -3. Add a regression test: `POST /api/config/global` with `log_target="/etc/passwd"` must return 422. - -### Possible traps and issues -- This must be fixed before TASK-015 since it is the more severe variant. The fixes are identical — implement them together. -- Pydantic model validators run before the service receives the value, but an integration test confirming the full request path is essential. - -### Docs changes needed -- `Features.md` — document valid log_target values. -- `Backend-Development.md` — critical input validation requirement for config endpoints. 
- -### Doc references -- [Features.md](Features.md) — fail2ban global configuration -- [Backend-Development.md](Backend-Development.md) — input validation - ---- - ## TASK-021 — `set_jail_config_enabled` and `write_jail_config_file` not atomic **Severity:** Medium
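Review bot: The removed TASK-020 block is marked Critical, but this commit deletes it with only `Docs/Tasks.md` changed (1 file, 32 deletions) and no pointer to the change that implemented the fix. Please reference in the commit message the commit or PR that added the `@field_validator("log_target")` allowlist, the second check in `update_global_config()`, and the regression test, so the closure can be audited later. The task's own "Docs changes needed" list names `Features.md` and `Backend-Development.md`, and neither is touched here, so confirm the valid `log_target` values (`"STDOUT"`, `"STDERR"`, `"SYSLOG"`, or a path under the allowed log directories) are documented there before this entry, which is the only visible record of them, goes away. The deleted text is also inconsistent about the HTTP method: the attack description uses `PUT /api/config/global`, while the regression-test step says `POST /api/config/global`, so check that the test that landed exercises the PUT route and returns 422. Finally, step 1 says TASK-015 shares this fix. If TASK-015 is still in the list, update or close it in the same change so its cross-reference to TASK-020 does not dangle.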