628 changes: 628 additions & 0 deletions MACOS_CONNECTIVITY.md


13 changes: 13 additions & 0 deletions docker/.env.example
Expand Up @@ -69,11 +69,17 @@ PGID=1000

# Internal zone authentication (terminal, files, webdav)
INTERNAL_AUTH=false
# SECURITY: For production, use Docker secrets instead:
# echo "admin:$(openssl rand -base64 32)" > docker/secrets/internal_credential.txt
# chmod 600 docker/secrets/internal_credential.txt
INTERNAL_CREDENTIAL=

# Webroot zone authentication (landing page, custom apps)
# If enabled without WEBROOT_CREDENTIAL, uses INTERNAL_CREDENTIAL
WEBROOT_AUTH=false
# SECURITY: For production, use Docker secrets instead:
# echo "guest:$(openssl rand -base64 32)" > docker/secrets/webroot_credential.txt
# chmod 600 docker/secrets/webroot_credential.txt
WEBROOT_CREDENTIAL=

# Backward compatibility: TTYD_CREDENTIAL maps to INTERNAL_CREDENTIAL
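Review bot: The `echo "admin:$(openssl rand -base64 32)" > docker/secrets/internal_credential.txt` followed by `chmod 600` in the SECURITY comment creates the file under the shell's default umask (commonly 0644) before tightening it, so the credential is briefly readable by other local users; writing it under a restrictive umask closes that window, e.g. `(umask 077; echo "admin:$(openssl rand -base64 32)" > docker/secrets/internal_credential.txt)`. The same echo-then-chmod pattern is repeated for WEBROOT_CREDENTIAL in this hunk and for the API key in the hunk at @@ -99,6 +105,13 @@, where `echo "sk-ant-api03-..."` additionally leaves the key in shell history, so that comment should point to a non-history route such as `read -rs` or pasting into an editor. The generated password is also never shown to the operator, so the comment should mention that it must be read back from the file (`cat docker/secrets/internal_credential.txt`) to log in. The repo's .gitignore is not in this diff, so worth confirming that `docker/secrets/` is excluded from version control.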
Expand All @@ -99,6 +105,13 @@ ENABLE_WEBDAV=false

# Claude API key (optional - you can also authenticate via browser)
# Get your key: https://console.anthropic.com/
#
# SECURITY RECOMMENDATION: Use Docker secrets for production
# Instead of setting this here, create:
# mkdir -p docker/secrets
# echo "sk-ant-api03-..." > docker/secrets/anthropic_api_key.txt
# chmod 600 docker/secrets/anthropic_api_key.txt
# Then uncomment the secrets section in docker-compose.yml
ANTHROPIC_API_KEY=

# Bypass permission prompts (DANGEROUS - Claude can execute without asking)
13 changes: 13 additions & 0 deletions docker/defaults/nginx/nginx.conf
Expand Up @@ -80,6 +80,19 @@ http {
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Content Security Policy
# Note: 'unsafe-inline' needed for current PHP landing page
# Remove 'unsafe-inline' if migrating to CSP-compliant code
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' ws: wss:; frame-ancestors 'self'; base-uri 'self'; form-action 'self';" always;

# Permissions Policy (formerly Feature-Policy)
# Restrict access to browser features
add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()" always;

# Strict-Transport-Security (only enable if using HTTPS)
# Uncomment the line below if you have TLS/SSL configured
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# Document root for PHP/static files
root /app/data/webroot/public_html;
index index.php index.html;
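Review bot: The new `add_header` directives sit in the `http {}` block (per the hunk header), and nginx discards every inherited `add_header` in any `server` or `location` block that declares an `add_header` of its own, so the CSP, Permissions-Policy and the pre-existing headers silently disappear for such locations; the rest of the config is outside this hunk, so worth checking for location-level `add_header` (a PHP or proxy location, if any) and either repeating the headers there or moving them into an `include`d snippet. In the CSP, `connect-src 'self' ws: wss:` allows WebSocket connections to any host; CSP Level 3 matches `'self'` against same-origin ws/wss, so `connect-src 'self'` (or one explicit `wss://` origin) would keep a same-origin terminal working in current browsers while blocking connections elsewhere — confirm against the browsers you need to support. The commented HSTS sample includes `preload`, which enrolls the domain and all subdomains in the browser preload list and is hard to reverse, so I'd drop it from the sample and add `# add 'preload' only once the whole domain is permanently HTTPS-only`.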
30 changes: 30 additions & 0 deletions docker/docker-compose.yml
Expand Up @@ -21,10 +21,31 @@
# All settings are controlled via .env file (see .env.example)
# Variables use ${VAR:-default} syntax for fallback values
#
# SECRETS (Recommended for Production):
# For sensitive data, use Docker secrets instead of environment variables.
# Uncomment the 'secrets:' section below and create secret files in docker/secrets/
# Example:
# mkdir -p docker/secrets
# echo "sk-ant-api03-..." > docker/secrets/anthropic_api_key.txt
# echo "admin:strongpassword" > docker/secrets/internal_credential.txt
# chmod 600 docker/secrets/*
#
# VOLUMES:
# - Primary data at /app/data (configured via CLAUDE_DATA_PATH)
# - Optional host mounts at /mounts/<name> (see volumes section)

# ─────────────────────────────────────────────────────────
# SECRETS (Optional - Recommended for Production)
# Uncomment this section to use Docker secrets
# ─────────────────────────────────────────────────────────
# secrets:
# anthropic_api_key:
# file: ./secrets/anthropic_api_key.txt
# internal_credential:
# file: ./secrets/internal_credential.txt
# webroot_credential:
# file: ./secrets/webroot_credential.txt

services:
claudepantheon:
# ─────────────────────────────────────────────────────────
Expand Down Expand Up @@ -177,3 +198,12 @@ services:
timeout: 10s # Fail if no response in 10s
retries: 3 # Unhealthy after 3 failures
start_period: 10s # Grace period on startup

# ─────────────────────────────────────────────────────────
# SECRETS (Optional)
# Uncomment to mount Docker secrets into /run/secrets/
# ─────────────────────────────────────────────────────────
# secrets:
# - anthropic_api_key
# - internal_credential
# - webroot_credential
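Review bot: Nothing in this diff wires the mounted secrets into the application: the commented top-level `# secrets:` block and the per-service `# secrets:` list would make the files appear under `/run/secrets/<name>`, but as far as the visible config shows `ANTHROPIC_API_KEY`, `INTERNAL_CREDENTIAL` and `WEBROOT_CREDENTIAL` are still read from environment variables, so uncommenting both sections alone may leave the credentials unset — confirm the entrypoint reads `/run/secrets/<name>` (or a `*_FILE` variable) and state it in the comment, e.g. `# Requires the entrypoint to read /run/secrets/<name>; the env var is otherwise still used`. The header example `echo "admin:strongpassword" > docker/secrets/internal_credential.txt` differs from .env.example's guidance to generate the value with `openssl rand`, and `chmod 600 docker/secrets/*` after the echo leaves a window where the files carry umask permissions; `(umask 077; echo "admin:$(openssl rand -base64 32)" > docker/secrets/internal_credential.txt)` addresses both. The rendered view drops leading whitespace, so I cannot verify that the commented mapping keeps `file:` nested two spaces under each secret name once uncommented. The `services:` block continues outside this hunk.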