github PegaProx/project-pegaprox v0.9.12.1
v0.9.12.1 — PBS host-validator hotfix

4 hours ago

Hotfix

Same-day hotfix for v0.9.12.0. The Aikido SSRF-hardening that landed via PR #475 in v0.9.12.0 shipped pegaprox/core/pbs.py:_validate_pbs_host with a placeholder allowlist allowed_domains = ['example.com']. Net effect: at boot every customer-configured PBS was rejected with [PBS] Skipping PBS server XXX: Invalid or disallowed host, and the connect / test endpoints returned 400 Invalid PBS host for any input that didn't end in example.com.

Reported by @jostrasser in #514. Anyone who already upgraded to v0.9.12.0 needs this.

🩹 Fix

Allowlist removed. PBS hosts are per-customer config (pbs.internal, 10.x.x.x, pbs01.lab.local, …) — no operator-side FQDN allowlist can know them ahead of time. The format regex (^[a-zA-Z0-9.\-:]+$) is the actual SSRF defence here: it refuses scheme prefixes, paths, quoting, shell metas, whitespace — so a malicious host value can't redirect requests off-host.

13/13 smoke cases:

  • Accepted: pbs.example.com, pbs.internal, 10.0.1.5, 192.168.100.50, fe80::1, pbs-01.lab.local
  • Rejected: empty / None, http://x, x/path, a;rm -rf /, whitespace, host with space
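To make the difference between the broken v0.9.12.0 check and the hotfix concrete, here is an added example (not the project's own pegaprox/core/pbs.py code; a reconstruction based only on what these notes describe). It runs the same format regex against the 13 smoke cases above, once with the placeholder allowlist stacked on top and once without. Function names, the allowlist matching rule (plain endswith, as the notes describe "didn't end in example.com") and the two whitespace inputs are assumptions.

```python
import re
from typing import Optional

# Format regex quoted in the release notes: letters, digits, dot, hyphen and
# colon only. No scheme separator, no slash, no quotes, no shell metas,
# no whitespace can get through it.
HOST_RE = re.compile(r'^[a-zA-Z0-9.\-:]+$')


def validate_pbs_host_broken(host: Optional[str]) -> bool:
    """Hypothetical reconstruction of the v0.9.12.0 behaviour: the format
    regex followed by a placeholder domain allowlist, which is why every
    real customer PBS host was rejected at boot."""
    allowed_domains = ['example.com']  # placeholder shipped by the autofix
    if not host or not HOST_RE.match(host):
        return False
    # Assumed matching rule: the notes say inputs were rejected unless they
    # ended in example.com.
    return any(host.endswith(d) for d in allowed_domains)


def validate_pbs_host(host: Optional[str]) -> bool:
    """Hotfix behaviour: a pure format check, no operator-side allowlist.
    Customer hosts such as pbs.internal or 10.0.1.5 pass; anything that
    could turn the value into a URL, path or shell fragment does not."""
    if not host:
        return False
    return HOST_RE.match(host) is not None


# The 13 smoke cases from the notes (the two whitespace variants are
# constructed here; the notes only say "whitespace" and "host with space").
ACCEPTED = ['pbs.example.com', 'pbs.internal', '10.0.1.5',
            '192.168.100.50', 'fe80::1', 'pbs-01.lab.local']
REJECTED = ['', None, 'http://x', 'x/path', 'a;rm -rf /', '   ', 'pbs host']


def run_smoke_cases(validator) -> dict:
    """Return how many of the accepted/rejected cases the validator gets
    right, plus the list of cases it gets wrong."""
    wrong = [h for h in ACCEPTED if not validator(h)]
    wrong += [h for h in REJECTED if validator(h)]
    total = len(ACCEPTED) + len(REJECTED)
    return {'passed': total - len(wrong), 'total': total, 'wrong': wrong}


if __name__ == '__main__':
    for name, fn in [('v0.9.12.0 (placeholder allowlist)', validate_pbs_host_broken),
                     ('v0.9.12.1 (format regex only)', validate_pbs_host)]:
        r = run_smoke_cases(fn)
        print(f"{name}: {r['passed']}/{r['total']} wrong={r['wrong']}")
```

Running it shows the hotfix validator at 13/13 while the reconstructed v0.9.12.0 check fails five of the six accepted hosts (only pbs.example.com survives). Note that this regex is strictly a format check: it does not parse ports or bracketed IPv6 literals (a value like [fe80::1] would be refused because brackets are outside the character class), and it says nothing about whether the host is reachable; that is consistent with the notes, which treat reachability as the customer's own configuration.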

🔍 Codebase sweep

Hunted for the same anti-pattern elsewhere — none found:

  • pegaprox/api/vms.py _validate_host — pure format regex, no allowlist ✓
  • pegaprox/utils/sanitization.py validate_hostname — pure format regex ✓
  • pegaprox/api/.ssh_ws_server.py allowed_hosts — built dynamically per-request from cluster_host + node_ips
  • pegaprox/utils/url_security.py scheme-allowlist — sensible defaults (https), not a placeholder ✓

Other Aikido-autofix PRs that landed in v0.9.12 (#460-#483) were RBAC checks, CSV-formula-injection, heredoc-terminator-injection, urllib3 bumps — none shipped a placeholder allowlist of this shape.


💎 Platinum Sponsors

Massive thanks 🙌. Sponsor PegaProx → opencollective.com/pegaprox | pegaprox.com/#sponsor


Upgrade: in-app updater, bash update.sh, or docker compose pull && docker compose up -d.
Docker: ghcr.io/pegaprox/pegaprox:v0.9.12.1 (linux/amd64 + linux/arm64).

If you have an existing v0.9.12.0 install with PBS configured and don't want to wait for the update: edit pegaprox/core/pbs.py and replace allowed_domains = ['example.com'] with your real PBS-host domain — but updating is the better path.
