deblan-mirror/sftpgo
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2026-03-14 14:25:52 +01:00
Code Issues Projects Releases Packages Wiki Activity
2,332 commits 9 branches 54 tags 41 MiB
Commit graph

322 commits

Author SHA1 Message Date
Nicola Murino
2f092d1289
 		fix: prevent path traversal via edge-level path normalization 
Moved path sanitization (backslash conversion and path cleaning) to
the SFTP/FTP handlers before VFS routing and permission checks.

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2026-03-07 12:03:59 +01:00
Nicola Murino
4c00f6061c
 		reply to stat calls also for ongoing transfers on atomic storage backends 
the check is performed only on the connection where the transfer is
initiated so it is inexpensive

Fixes #2162

Co-authored-by: Joel Studler <joel.studler@swisscom.com>
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2026-02-16 17:54:10 +01:00
Nicola Murino
e44ff487e5
 		httpd: add base URL configuration 
Allow overriding the browser URL when generating share links.

Fixes #1858

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2026-01-23 19:38:02 +01:00
Nicola Murino
3d549ce702
 		squash database migrations 
also added shares_groups_mapping table, currently not used in the
open-source version

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-12-24 11:08:44 +01:00
Nicola Murino
babdee5be1
 		update deps 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-12-20 17:58:57 +01:00
Nicola Murino
a1e45277dd
 		fix TestMemoryOIDCManager test case 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-12-20 17:19:53 +01:00
Nicola Murino
130fc8e0a2
 		OIDC/OAuth2: increase auth state validity to 2 minutes 
Updates #2091

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-12-20 16:58:46 +01:00
Nicola Murino
0add546be3
 		user: fix group validation 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-12-17 20:01:16 +01:00
Nicola Murino
21639b963c
 		OAuth2: add PKCE 
Fixes #2134

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-12-11 08:44:38 +01:00
Nicola Murino
ac3e59562d
 		Enforce missing naming rule for actions and rules 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-12-07 10:35:13 +01:00
Nicola Murino
8c85a722a2
 		apply naming rules for related groups, roles and folders 
also enforce stricter validation rules for usernames/names

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-12-06 22:08:22 +01:00
Nicola Murino
5ce9688780
 		enforce group-level password strength for users and shares 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-10-26 09:44:32 +01:00
Nicola Murino
a768dac29d
 		jwt: increase leeway and add some tests 
also export a constant for the Cookie name

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-10-11 14:14:21 +02:00
Nicola Murino
0ae2354fed
 		JWT: replace jwtauth/jwx with lightweight wrapper around go-jose 
We replaced the jwtauth and jwx libraries with a minimal custom wrapper
around go-jose because we don’t need the full feature set provided by jwx.
Implementing our own wrapper simplifies the codebase and improves
maintainability.

Moreover, go-jose depends only on the standard library, resulting in a
leaner dependency that still meets all our requirements.

This change also reduces the SFTPGo binary size by approximately 1MB

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-10-08 18:10:39 +02:00
Nicola Murino
a5dd529d88
 		node token: embed permissions directly in JWT 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-08-22 15:57:41 +02:00
Nicola Murino
a2d3613250
 		dataprovider: preserve initial sort order for related resources 
Folders and groups now retain their initial order, improving compatibility
and predictability when used with Terraform

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-08-19 16:11:53 +02:00
Nicola Murino
75ad6346c3
 		removed some unused constants 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-08-02 19:00:15 +02:00
Nicola Murino
ddbe40cefa
 		HTTPD, WebDAV: use http.ResponseController 
backport from Enterprise edition

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-08-02 18:00:45 +02:00
Nicola Murino
0bac81816c
 		WebClient: add an id field to files list to simplify UI logic 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-07-22 18:59:20 +02:00
Nicola Murino
c2835bc19d
 		Enable setting password change requirements in user templates 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-07-17 19:35:17 +02:00
Nicola Murino
7317674b41
 		Remove legacy data retention API 
Data retention is now managed via the EventManager, introduced in v2.4.0.
This allows scheduling retention checks and sending email or HTTP notifications,
making the old API redundant.

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-07-12 22:20:54 +02:00
Nicola Murino
b6873768b2
 		replace strings.Split with SplitSeq 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-05-31 19:03:41 +02:00
Nicola Murino
3f7533b86a
 		update deps ... 
... and adapt the code to the new constants I added to
golang.org/x/crypto/ssh

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-05-19 19:42:36 +02:00
Nicola Murino
9e2230cc33
 		Support leading and trailing spaces in user passwords 
This improves compatibility with external authentication providers that
allow such characters in passwords.

Passwords created via the WebAdmin UI are still sanitized to prevent user
confusion.

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-04-26 14:31:13 +02:00
Nicola Murino
11d8fffd1b
 		remove obsoletes build constraints 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-04-20 17:15:40 +02:00
Nicola Murino
0da8adb7ac
 		EventManager: breaking change for placeholder names 
Placeholder names must now be in the format:

{{.VirtualPath}}

instead of:

{{.VirtualPath}}

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-04-14 09:11:44 +02:00
Nicola Murino
aea036715c
 		OIDC: ensure token username adheres to naming conventions 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-04-08 18:25:16 +02:00
Nicola Murino
f41f00fec2
 		httpd: allow to configure referrer policy header 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-04-07 18:48:48 +02:00
Nicola Murino
d95d773570
 		oidc: allow login if the password method is disabled 
isLoggedInWithOIDC returns false before login so we need to add
a specific check

Fixes #1879

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-03-29 20:28:49 +01:00
Nicola Murino
2255c5f000
 		upgrade golangci-lint to v2 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-03-29 11:36:19 +01:00
Nicola Murino
e590deebe0
 		db shared sessions: set key and type as primary key 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-03-23 11:34:10 +01:00
Nicola Murino
f096675a2b
 		fix log formatting 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-03-12 11:19:38 +01:00
Nicola Murino
002e819e54
 		defender: don't penalize redirects to the login page 
This is normal behavior

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-02-23 16:56:47 +01:00
Nicola Murino
38a6b5632a
 		share login page: add CheckRedirect field 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-02-22 22:28:53 +01:00
Nicola Murino
5a01ce66f1
 		WebUIs: fix translations for some page titles 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-02-18 18:25:52 +01:00
Nicola Murino
69ef36b4d9
 		httpd: add a setting to disable login methods, deprecate the previous one 
the previous enabled login methods setting is hard to extend in
a backward compatible way

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-01-25 22:00:55 +01:00
Nicola Murino
70f8b4d495
 		WebAdmin: allow to create admins with an unusable password 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-01-25 18:53:54 +01:00
Nicola Murino
48258f6e67
 		httpd: add cross origin resource and embedder policy headers 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-01-24 19:34:57 +01:00
Nicola Murino
61aef41bee
 		WebClient: make the keep alive interval configurable 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-01-22 19:41:31 +01:00
Nicola Murino
04fa242f57
 		azblobfs: add support for Azure Identity 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-01-13 20:58:17 +01:00
Nicola Murino
da68cf3e9d
 		events search: remove trailing and leading space from received parameters 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-01-11 11:42:57 +01:00
Nicola Murino
5febcdca43
 		httpd: log csrf token duration 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-01-11 11:29:35 +01:00
Nicola Murino
1f4cb7077a
 		bad host handler: return a generic error message 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-01-06 10:08:25 +01:00
Nicola Murino
ff13be4616
 		zip creation: avoid stat if not strictly required 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2025-01-03 11:43:09 +01:00
Nicola Murino
deea9ff038
 		do not return if client IP is not allowed in login API response 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2024-12-28 18:47:04 +01:00
Nicola Murino
843b8c38d3
 		SSH: add a test case for DSA keys 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2024-12-19 19:55:25 +01:00
Nicola Murino
70fc00d7eb
 		Allow to choose enabled languages 
Fixes #1835

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2024-12-19 19:50:19 +01:00
Nicola Murino
b0061f570e
 		WebClient: refactor preserving share password 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2024-12-18 19:54:39 +01:00
Nicola Murino
ec90b61bb4
 		allow to configure JWT tokens and cookies duration 
Fixes #1839

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2024-12-18 18:33:37 +01:00
Nicola Murino
e21c989038
 		logs: add a specific log structure for successful logins 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
 2024-12-07 10:29:33 +01:00