
fix(security): resolve dependency vulns and fix container exec tenant isolation#54

Merged
dviejokfs merged 8 commits into main from fix/security-vulnerabilities
Apr 1, 2026

Conversation

@dviejokfs
Contributor

Summary

  • Dependency updates (Rust): Bumps tar to 0.4.45, aws-lc-sys to 0.39.1, rustls-webpki to 0.103.10, rkyv to 0.7.46, and rustls to 0.23.37 — resolving 6 CVEs (1 high, 4 medium, 1 low)
  • Container exec tenant isolation (HIGH): exec_command and container_terminal handlers now validate that the container belongs to the specified project/environment before allowing exec, preventing cross-tenant container access
  • Path traversal protection (MEDIUM): FilesystemStorage::resolve_path now rejects storage keys containing .. components

Vulnerability Resolution

| Crate | CVE/Advisory | Severity | Fix |
|---|---|---|---|
| aws-lc-sys | RUSTSEC-2026-0044, RUSTSEC-2026-0048 | HIGH | 0.38.0 → 0.39.1 |
| rustls-webpki | RUSTSEC-2026-0049 | MEDIUM | 0.103.7 → 0.103.10 |
| tar | RUSTSEC-2026-0067, RUSTSEC-2026-0068 | MEDIUM | 0.4.44 → 0.4.45 |
| rkyv | RUSTSEC-2026-0001 | MEDIUM | 0.7.45 → 0.7.46 |
| container_exec | Broken access control | HIGH | Added project/env ownership check |
| FilesystemStorage | Path traversal | MEDIUM | Added .. rejection in resolve_path |

Test plan

  • cargo check --lib passes
  • cargo test --lib -p temps-log-aggregator — 98 tests pass
  • All pre-commit hooks pass (fmt, clippy, conventional commit)
  • Manual test: container exec rejects container_id from different project
  • Manual test: terminal WebSocket rejects container_id from different project
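An added example, not the project's own code, of the `..` rejection described for `FilesystemStorage::resolve_path`: it walks the key with `std::path::Component`, so a key is refused if it contains `..`, is absolute, or carries a drive prefix, and only plain components are joined onto the storage root. The function signature, `StorageError` type and root directory are assumptions.

```rust
use std::path::{Component, Path, PathBuf};

/// Errors for storage keys that cannot be mapped safely under the root.
/// (Assumed type; the page does not show the project's error enum.)
#[derive(Debug, PartialEq)]
pub enum StorageError {
    /// The key contained a `..` component or was absolute.
    PathTraversal(String),
    /// The key had no usable components.
    EmptyKey,
}

/// Hypothetical stand-in for the page's `resolve_path`: maps a storage key
/// such as "tenant-a/logs/app.log" onto `root`, refusing any key that could
/// resolve outside the root directory.
pub fn resolve_path(root: &Path, key: &str) -> Result<PathBuf, StorageError> {
    let mut resolved = root.to_path_buf();
    let mut depth = 0usize;
    for component in Path::new(key).components() {
        match component {
            // The only component kind allowed to extend the path.
            Component::Normal(part) => {
                resolved.push(part);
                depth += 1;
            }
            // A leading "." adds nothing; skip it rather than reject it.
            Component::CurDir => {}
            // "..", a leading "/" and Windows drive prefixes can all escape `root`.
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => {
                return Err(StorageError::PathTraversal(key.to_string()));
            }
        }
    }
    if depth == 0 {
        return Err(StorageError::EmptyKey);
    }
    // Since only Normal components were pushed, the result must sit under root.
    debug_assert!(resolved.starts_with(root));
    Ok(resolved)
}
```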

… isolation

Dependency updates:
- Bump tar 0.4 → 0.4.45 (RUSTSEC-2026-0067, RUSTSEC-2026-0068: symlink follow + PAX header)
- Update aws-lc-rs → 1.16.2 / aws-lc-sys → 0.39.1 (RUSTSEC-2026-0044: X.509 bypass)
- Update rustls-webpki → 0.103.10 (RUSTSEC-2026-0049: CRL matching)
- Update rkyv → 0.7.46 (RUSTSEC-2026-0001: undefined behavior on OOM)
- Update rustls → 0.23.37

Code fixes:
- container_exec: validate container belongs to project/environment before exec,
  preventing cross-tenant container access (HIGH severity)
- FilesystemStorage: add path traversal protection to resolve_path(),
  rejecting keys with ".." components (MEDIUM severity)

Remaining unfixable vulns documented in Cargo.toml comments.

The track_open and track_click handlers are public routes (no auth)
mounted via configure_public_routes(), which doesn't have the
middleware that injects RequestMetadata. This caused a 500 error:
"Missing request extension: RequestMetadata was not found".

Fix: accept RequestMetadata as Option<Extension<RequestMetadata>>
and fall back to extracting IP/UA from headers directly.

Add tracked_html_body column to emails table to store the final HTML
sent to the provider (with tracking pixel + rewritten links), separate
from the original html_body. This lets the dashboard show the tracked
version without triggering a fake open event from the preview pixel.

- Migration: add nullable tracked_html_body text column
- Entity: add tracked_html_body field
- EmailService: store tracked_html in new column during send
- API: expose tracked_html_body in email list/detail responses

The email_events table may have been created before link_url and
link_index columns were added to the CREATE TABLE statement. This
migration adds them with IF NOT EXISTS to fix tracking failures:
"column link_url does not exist".

Add a "Link Clicks" section to the tracking card that fetches
/emails/{id}/tracking/links and shows each tracked link with its
click count badge. Links with clicks get a default badge, unclicked
links get a secondary badge.

The tracking service was using a hardcoded TEMPS_BASE_URL env var
(defaulting to localhost:3000), which meant tracking pixels and click
links in emails pointed to localhost — unreachable from Gmail's image
proxy or any external email client.

Now uses ConfigService.get_external_url_or_default() to dynamically
resolve the external URL from the database settings, matching how
other subsystems (error tracking, deployments) already work.
@dviejokfs dviejokfs merged commit 142f77d into main Apr 1, 2026
10 checks passed