github fabriziosalmi/proxmox-lxc-autoscale v1.1.0
v1.1.0 — Security Hardening
on GitHub

12 hours ago

Security Fixes

This release addresses critical security vulnerabilities reported in #27:

Command Injection Hardening

  • All container IDs validated with ^[0-9]+$ regex before any subprocess/pct call
  • Validation added in scaling_manager.py, config.py tier loading, and scale_out()
  • Hostnames sanitized per RFC-1123 in generate_cloned_hostname()

Secrets Management

  • 4 environment variable overrides for secrets:
    • LXC_AUTOSCALE_SSH_PASSWORD
    • LXC_AUTOSCALE_SMTP_PASSWORD
    • LXC_AUTOSCALE_GOTIFY_TOKEN
    • LXC_AUTOSCALE_UPTIME_KUMA_WEBHOOK
  • Startup warning if config file is group/other readable (recommend chmod 0600)

Per-Container Locking

  • Replaced single global Lock() with per-container locks
  • Dedicated _log_lock for the JSON event log
  • Concurrent threads for different containers no longer block each other

Additional Hardening

  • run_local_command() now always uses shell=False (string cmds split via shlex.split())
  • Web UI binds to 127.0.0.1 by default (was 0.0.0.0), debug=False
  • Web UI host/port/debug configurable via env vars

Testing

  • 12 unit tests added covering all security fixes

Full Changelog: v1.0.0...v1.1.0

Check out latest releases or
releases around fabriziosalmi/proxmox-lxc-autoscale v1.1.0

Don't miss a new proxmox-lxc-autoscale release

NewReleases is sending notifications on new releases.

Get notifications