Command Injection Risk (task.go:74) ✅ FIXED

• Task commands are inserted directly into bash script without proper escaping
• Even though only predefined tasks can be executed, malicious config could inject commands
• Fix: Commands are now properly escaped using escapeBashCommand()
• Status: Fixed

WebSocket CORS (websocket.go:24) ✅ FIXED

• CheckOrigin allows all origins (return true)
• Allows cross-origin WebSocket connections from any domain
• Fix: Added configurable allowed_origins in config (empty = allow all for internal networks)
• Status: Fixed (configurable)

JWT Token in URL ⚠️ ACCEPTABLE FOR INTERNAL USE

• Tokens passed in query parameters are visible in:
  • Browser history
  • Server logs
  • Referrer headers
• Status: Acceptable for internal networks, consider Authorization header for production

No Rate Limiting ✅ FIXED

• No protection against brute force attacks
• No protection against DoS
• Fix: Added IP-based rate limiting with configurable requests per minute
• Status: Fixed

Unbounded JSON Decoding (api.go:44) ✅ FIXED

• JSON decoder has no size limit
• Vulnerable to memory exhaustion attacks
• Fix: Added decodeJSONRequest() with 1MB limit
• Status: Fixed

Information Disclosure ⚠️ ACCEPTABLE FOR INTERNAL USE

• Error messages may leak internal information
• Stack traces in error responses
• Status: Acceptable for internal networks, sanitize for production

File Permissions (task.go:81) ✅ FIXED

• Scripts created with 0755 (executable by all)
• Should be more restrictive (0700)
• Fix: Changed to 0700 (owner only)
• Status: Fixed

No Input Validation ✅ FIXED

• Task names not validated (length, characters)
• Task IDs should be validated as UUIDs
• Fix: Added validateTaskName() and validateTaskID()
• Status: Fixed

No HTTPS Enforcement ✅ FIXED

• Application doesn't enforce HTTPS
• Tokens transmitted in plain text over HTTP
• Fix: Added optional TLS support via config (tls_key_file, tls_cert_file)
• Status: Fixed (optional, configurable)

No Request Size Limits ✅ FIXED

• HTTP request body size not limited
• Fix: Added configurable max_request_size (default 10MB)
• Status: Fixed

Command Injection Protection

• Commands are now escaped using escapeBashCommand()
• Prevents injection even if config is compromised

Input Validation

• Task names validated: alphanumeric, underscore, hyphen only
• Task names limited to 100 characters
• Task IDs validated as UUIDs

JSON Request Size Limit

• Maximum 1MB per JSON request
• Prevents memory exhaustion attacks

File Permissions

• Scripts: 0700 (owner only)
• Directories: 0700 (owner only)

WebSocket CORS

• Configurable allowed origins
• Empty list = allow all (for internal networks)

Rate Limiting

• IP-based token bucket rate limiter
• Configurable requests per minute per IP
• Automatic cleanup of old buckets

TLS/HTTPS Support

• Optional TLS support via config
• Requires tls_key_file and tls_cert_file
• Automatically uses HTTPS if configured

Request Size Limits

• Configurable max request body size
• Default: 10MB
• Max header size: 1MB
• Timeouts: Read/Write 15s, Idle 60s

• Enable HTTPS
• Configure allowed_origins in config
• Consider rate limiting
• Consider moving JWT tokens to Authorization header
• Sanitize error messages

• Use strong JWT secrets
• Regularly rotate secrets
• Monitor logs for suspicious activity
• Keep Go dependencies updated