Hendrik Garske
99b00674fd
v0.1.34 — security: command injection, version/health auth, SSRF
2026-05-21 15:06:15 +02:00
Hendrik Garske
71915dba04
v0.1.33 — fix: auto-update job was missing from background scheduler
2026-05-21 14:51:47 +02:00
Hendrik
9da40724b4
Upgrade next to 15.5.18 to fix middleware bypass CVEs
...
Fixes CVE-2026-44574 (CVSS 8.1), CVE-2026-44575 (CVSS 7.5),
CVE-2026-45109 (CVSS 7.5): attackers could bypass middleware auth
in App Router applications via dynamic route parameter injection
and segment-prefetch routes.
Also fixes CVE-2026-44579 (DoS, CVSS 7.5) and
CVE-2026-44576 (cache poisoning, CVSS 5.4).
2026-05-15 16:51:04 +02:00
Hendrik Garske
44bb7810a7
v0.1.31 — fix: PDF export 403 when IP allowlist is active
...
Puppeteer renders /r/{token} internally from 127.0.0.1 — the allowlist check
also blocked loopback addresses. Loopback (127.x, ::1, ::ffff:127.)
is now exempted before the allowlist check.
2026-05-07 15:29:40 +02:00
Hendrik Garske
ee3a72ce50
v0.1.30 — fix: username login; feature: IP allowlist for admin UI
...
- fix: username column added to DB DDL + migration for existing databases;
createSchema in /api/users now stores username correctly (was always NULL)
- feature: IP allowlist for admin UI — IPs/CIDR ranges configurable in
settings; enforcement in server.ts before Next.js handoff; /api/v1 remains
open; lockout warning if own IP is not in the list
2026-05-06 19:43:41 +02:00
Hendrik
a34fa9bfa8
v0.1.29 — auth: self-heal username column on first login if migration didn't run
2026-05-01 23:47:12 +02:00
Hendrik
25644e0ea2
v0.1.28 — security: nodemailer 8.0.7 (SMTP CRLF injection fixes), enforce uuid 11.1.1 override
2026-05-01 23:41:30 +02:00
Hendrik
f06e6e7df0
v0.1.27 — fix: blocklist self-creates table; settings UI redesign with overview cards + edit popups
2026-05-01 22:16:52 +02:00
Hendrik
c60a38091b
v0.1.26 — SMTP + forgot password, username login, SHA256 verification of update tarballs
2026-05-01 22:06:55 +02:00
Hendrik
19d16bd0c5
Bump to 0.1.25
2026-05-01 22:00:05 +02:00
Hendrik
a4efe3bee2
v0.1.24 — Sign-out: client-side signOut() instead of default NextAuth page (matched UI)
2026-05-01 21:46:35 +02:00
Hendrik
18157d0a2f
v0.1.23 — UI: 'CoreX' removed from view (login, setup, sidebar, report, page title)
2026-05-01 21:45:51 +02:00
Hendrik
c81114f44c
v0.1.22 — fix Internal Server Error on redirect: static hashIp import + resilient blocklist (no-op on schema miss)
2026-05-01 21:44:44 +02:00
Hendrik
9fce2e9db6
Bump to 0.1.21
2026-05-01 21:38:46 +02:00
Hendrik
91b7b2494e
Bump to 0.1.20
2026-05-01 21:36:37 +02:00
Hendrik
91bb41ed05
v0.1.19 — browser-signal heuristic: require Sec-Fetch + Accept-Language + Accept html (2 of 3)
2026-05-01 21:01:44 +02:00
Hendrik
47690ff96d
v0.1.18 — aggressive bot filter: scanner path patterns, short-UA skip, per-IP scan detector
2026-05-01 20:56:10 +02:00
Hendrik
79108b0693
v0.1.17 — sunset continue: link back to source domain (server resolves to target), not directly to the target
2026-05-01 20:45:33 +02:00
Hendrik
12f16e078b
v0.1.16 — DNS records overview, domain edit form, bulk delete, group edit, CSV export, audit log
2026-05-01 20:41:26 +02:00
Hendrik
63df0fe8d6
v0.1.15 — self-healing sunset_config migration: check schema each boot, not just setting flag
2026-05-01 19:36:08 +02:00
Hendrik
4bd76c9eda
v0.1.14 — direct PDF download via puppeteer + chromium, fix logo on cover
2026-05-01 19:34:08 +02:00
Hendrik
cb70fbacf5
v0.1.13 — PDF report redesign: A4 portrait, brand layout, clean page-break behavior
2026-05-01 19:27:06 +02:00
Hendrik
cfb35034e9
Bump to 0.1.12
2026-05-01 19:22:20 +02:00
Hendrik
fd118b40bf
v0.1.11 — PDF report export with preset selection + Recharts tooltip fix
2026-05-01 19:16:05 +02:00
Hendrik
807911d026
v0.1.10 — caddy reload via 'caddy reload' CLI (avoids admin API Origin 403)
2026-05-01 19:09:45 +02:00
Hendrik
ab47513dd9
v0.1.9 — fix Caddy auto-HTTPS: chown Caddyfile to service user so app can regenerate per-domain blocks
2026-05-01 19:06:38 +02:00
Hendrik
96c541f8f6
v0.1.8 — security: bump next 15.5.15, postcss override, uuid 11 override
2026-05-01 19:00:17 +02:00
Hendrik
22d4e283b0
Bump to 0.1.7
2026-05-01 18:56:55 +02:00
Hendrik
d695d4c8c9
v0.1.6 — fix hit tracking: default 302, no-cache headers, 301-warning in UI
2026-05-01 18:53:46 +02:00
Hendrik
8fe9f13c56
Bump to 0.1.5
2026-05-01 18:48:01 +02:00
Hendrik
e371da26a3
Bump to 0.1.4
2026-05-01 18:41:48 +02:00
Hendrik
c710d874b1
v0.1.3 — update flow: detached restart, version-aware status, auto-reload UI, banner polling
2026-05-01 18:34:15 +02:00
Hendrik
3549c7cc9c
Bump package.json to 0.1.2
2026-05-01 18:31:35 +02:00
Hendrik
c06a16d86e
Prebuilt .next/ via GitHub Releases — install/update fetch tarball, skip build (saves ~25s)
2026-05-01 18:23:48 +02:00
Hendrik
9c4c959772
Add MIT license
2026-05-01 17:57:40 +02:00
Hendrik
d7272c5e58
Initial NexRedirect: redirect server with admin UI, analytics, API tokens, self-update
2026-05-01 17:51:12 +02:00