release: nexus btpanel session fix and app-v2
This commit is contained in:
@@ -0,0 +1,31 @@
|
||||
---
|
||||
name: nexus-btpanel-review
|
||||
description: Use when reviewing or changing Nexus BT/宝塔 panel integration, one-click login, API bootstrap, session keepalive fixes, or BT credential handling.
|
||||
---
|
||||
|
||||
# Nexus BT Panel Review
|
||||
|
||||
Use for 宝塔/BT panel integration changes.
|
||||
|
||||
## Call chain to map
|
||||
|
||||
API one-click login -> btpanel_service -> BT API credential lookup/bootstrap -> SSH bootstrap if needed -> login URL/tmp_token -> panel session behavior.
|
||||
|
||||
## Required checks
|
||||
|
||||
- Do not log or return BT API keys, session cookies, temporary login tokens, SSH private keys, or passwords.
|
||||
- One-click login should fail closed for real authentication errors, but best-effort environment repair must not block login unless required for correctness.
|
||||
- Session keepalive/cleanup repair must be idempotent and throttled; do not restart or rewrite BT panel aggressively without explicit approval.
|
||||
- Respect existing BT panel services and ports. Do not occupy panel, nginx, redis, or mysql ports.
|
||||
- Old servers with existing BT API credentials must still receive the session-cleanup TTL check before login.
|
||||
- Record bootstrap state without storing secrets.
|
||||
|
||||
## Regression tests
|
||||
|
||||
Cover:
|
||||
|
||||
- Existing credentials still trigger throttled TTL check.
|
||||
- Missing SSH auth does not block login URL generation.
|
||||
- Failed repair is throttled and retried later.
|
||||
- Temporary login token TTL remains bounded.
|
||||
- No secret values appear in returned bootstrap/status payloads.
|
||||
@@ -0,0 +1,40 @@
|
||||
---
|
||||
name: nexus-security-review
|
||||
description: Use when reviewing or changing Nexus backend/API/security-sensitive code. Focuses on FastAPI admin APIs, SQLAlchemy data access, SSH operations, file manager boundaries, logging redaction, and regression tests.
|
||||
---
|
||||
|
||||
# Nexus Security Review
|
||||
|
||||
Use this skill before changing Nexus backend/API code or doing a security pass.
|
||||
|
||||
## Required workflow
|
||||
|
||||
1. Identify entrypoints: FastAPI router, service method, DB model/session, Redis/lock usage, SSH/BT panel call.
|
||||
2. Draw the request path in notes: API -> schema -> service -> DB/Redis/SSH/external.
|
||||
3. Check auth first: admin-only endpoints must depend on the current admin dependency; background/admin tools must still preserve audit logs.
|
||||
4. Validate every user-controlled value at the schema/API boundary and again before shell/path-sensitive sinks.
|
||||
5. For every fix, add pytest coverage for the dangerous case and the allowed case.
|
||||
6. Run focused tests, then full pytest when practical, then git diff --check.
|
||||
7. Update the Nexus Markdown report with changed files, tests, and residual risks.
|
||||
|
||||
## Nexus-specific rules
|
||||
|
||||
- Do not print secrets: passwords, SSH keys, tokens, cookies, API keys, .env values, BT panel credentials.
|
||||
- script_service is an intentional administrator remote shell. Do not report arbitrary shell execution there as a vulnerability. Review only auth, audit trail, timeout, output truncation, and redaction.
|
||||
- File manager APIs must not unexpectedly operate outside the target path/server chosen by the admin UI.
|
||||
- Any remote shell command must use shlex.quote; add -- where command options can be confused with filenames.
|
||||
- Archive extraction must list and validate members before extraction; reject absolute paths, .., backslashes, and special file types.
|
||||
- Error responses must not expose stack traces or secrets.
|
||||
- DB access should use SQLAlchemy parameters/query builder, not raw string interpolation.
|
||||
|
||||
## Review output
|
||||
|
||||
For each finding record:
|
||||
|
||||
- Severity: Critical/High/Medium/Low/Hardening
|
||||
- Call chain
|
||||
- Evidence file/function
|
||||
- Exploit or failure boundary
|
||||
- Fix summary
|
||||
- Test command/result
|
||||
- Commit hash if committed
|
||||
@@ -0,0 +1,29 @@
|
||||
---
|
||||
name: nexus-ssh-safety
|
||||
description: Use when reviewing or editing Nexus code that executes commands on managed servers over SSH, including file manager, transfer, archive, agent install, and BT panel bootstrap flows.
|
||||
---
|
||||
|
||||
# Nexus SSH Safety
|
||||
|
||||
Use for any Nexus feature that builds shell commands or transfers files over SSH.
|
||||
|
||||
## Command construction rules
|
||||
|
||||
- Prefer argument arrays/local library APIs when available; otherwise quote every dynamic shell token with shlex.quote.
|
||||
- Insert -- before filename/path operands for commands that parse options:
|
||||
m, mv, cp, ar, zip, chmod, chown, etc.
|
||||
- Never concatenate unquoted user input into shell command strings.
|
||||
- Keep timeouts explicit for network/SSH work; avoid unbounded commands.
|
||||
- Truncate or sanitize command output before returning it to API clients.
|
||||
- Do not log secrets or full credential-bearing URLs.
|
||||
|
||||
## Path and archive rules
|
||||
|
||||
- Normalize paths with POSIX semantics for remote Linux paths.
|
||||
- Reject empty paths where dangerous, root/system paths for recursive destructive operations, and traversal where the feature expects a bounded directory.
|
||||
- Archive creation must protect member names beginning with -.
|
||||
- Archive extraction must validate member names and types before extraction.
|
||||
- Temporary files/directories must be unique and cleaned best-effort.
|
||||
|
||||
## script_service exception
|
||||
|
||||
Reference in New Issue
Block a user