
Commit 548a2b6

Merge pull request #883 from Wikid82/feature/beta-release
feat: add support for Ntfy notification provider
2 parents f237fa5 + c64890b commit 548a2b6

39 files changed

Lines changed: 2752 additions & 1007 deletions

.github/workflows/docker-build.yml

Lines changed: 2 additions & 2 deletions
@@ -23,7 +23,7 @@ name: Docker Build, Publish & Test
2323
on:
2424
pull_request:
2525
push:
26-
branches: [main]
26+
branches: [main, development]
2727
workflow_dispatch:
2828
workflow_run:
2929
workflows: ["Docker Lint"]
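Review bot: adding `development` to the push trigger means every push to that branch now runs the full "Docker Build, Publish & Test" workflow, so the publish step should be gated so that development builds cannot overwrite the image tags produced from `main`. The hunk does not show how tags are derived from `TRIGGER_REF`; confirm that a push to `development` either produces a distinctly named tag or skips publishing entirely.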
@@ -42,7 +42,7 @@ env:
4242
TRIGGER_HEAD_SHA: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
4343
TRIGGER_REF: ${{ github.event_name == 'workflow_run' && format('refs/heads/{0}', github.event.workflow_run.head_branch) || github.ref }}
4444
TRIGGER_HEAD_REF: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.head_ref }}
45-
TRIGGER_PR_NUMBER: ${{ github.event_name == 'workflow_run' && join(github.event.workflow_run.pull_requests.*.number, '') || github.event.pull_request.number }}
45+
TRIGGER_PR_NUMBER: ${{ github.event_name == 'workflow_run' && join(github.event.workflow_run.pull_requests.*.number, '') || format('{0}', github.event.pull_request.number) }}
4646
TRIGGER_ACTOR: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.actor.login || github.actor }}
4747

4848
jobs:
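Review bot: wrapping the fallback in `format('{0}', github.event.pull_request.number)` makes `TRIGGER_PR_NUMBER` a string in every case, which also means that for `push` and `workflow_dispatch` events it is now the empty string rather than an unset value; any downstream step that tests this variable should compare against `''` instead of relying on it being null. The `workflow_run` side still uses `join(github.event.workflow_run.pull_requests.*.number, '')`, which concatenates the numbers of multiple associated pull requests with no separator (PRs 12 and 34 would yield `1234`); a separator such as `','` and a consumer that handles a list would be safer.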

.grype.yaml

Lines changed: 0 additions & 232 deletions
@@ -4,83 +4,6 @@
44
# Documentation: https://github.com/anchore/grype#specifying-matches-to-ignore
55

66
ignore:
7-
# GHSA-69x3-g4r3-p962 / CVE-2026-25793: Nebula ECDSA Signature Malleability
8-
# Severity: HIGH (CVSS 8.1)
9-
# Package: github.com/slackhq/nebula v1.9.7 (embedded in /usr/bin/caddy)
10-
# Status: Cannot upgrade — smallstep/certificates v0.30.0-rc2 still pins nebula v1.9.x
11-
#
12-
# Vulnerability Details:
13-
# - ECDSA signature malleability allows bypassing certificate blocklists
14-
# - Attacker can forge alternate valid P256 ECDSA signatures for revoked
15-
# certificates (CVSSv3: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
16-
# - Only affects configurations using Nebula-based certificate authorities
17-
# (non-default and uncommon in Charon deployments)
18-
#
19-
# Root Cause (Compile-Time Dependency Lock):
20-
# - Caddy is built with caddy-security plugin, which transitively requires
21-
# github.com/smallstep/certificates. That package pins nebula v1.9.x.
22-
# - Checked: smallstep/certificates v0.27.5 → v0.30.0-rc2 all require nebula v1.9.4–v1.9.7.
23-
# The nebula v1.10 API removal breaks compilation in the
24-
# authority/provisioner package; xcaddy build fails with upgrade attempted.
25-
# - Dockerfile caddy-builder stage pins nebula@v1.9.7 (Renovate tracked) with
26-
# an inline comment explaining the constraint (Dockerfile line 247).
27-
# - Fix path: once smallstep/certificates releases a version requiring
28-
# nebula v1.10+, remove the pin and this suppression simultaneously.
29-
#
30-
# Risk Assessment: ACCEPTED (Low exploitability in Charon context)
31-
# - Charon uses standard ACME/Let's Encrypt TLS; Nebula VPN PKI is not
32-
# enabled by default and rarely configured in Charon deployments.
33-
# - Exploiting this requires a valid certificate sharing the same issuer as
34-
# a revoked one — an uncommon and targeted attack scenario.
35-
# - Container-level isolation reduces the attack surface further.
36-
#
37-
# Mitigation (active while suppression is in effect):
38-
# - Monitor smallstep/certificates releases at https://github.com/smallstep/certificates/releases
39-
# - Weekly CI security rebuild flags any new CVEs in the full image.
40-
# - Renovate annotation in Dockerfile (datasource=go depName=github.com/slackhq/nebula)
41-
# will surface the pin for review when xcaddy build becomes compatible.
42-
#
43-
# Review:
44-
# - Reviewed 2026-02-19: smallstep/certificates latest stable remains v0.27.5;
45-
# no release requiring nebula v1.10+ has shipped. Suppression extended 14 days.
46-
# - Reviewed 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days.
47-
# - Next review: 2026-04-12. Remove suppression immediately once upstream fixes.
48-
#
49-
# Removal Criteria:
50-
# - smallstep/certificates releases a stable version requiring nebula v1.10+
51-
# - Update Dockerfile caddy-builder patch to use the new versions
52-
# - Rebuild image, run security scan, confirm suppression no longer needed
53-
# - Remove both this entry and the corresponding .trivyignore entry
54-
#
55-
# References:
56-
# - GHSA: https://github.com/advisories/GHSA-69x3-g4r3-p962
57-
# - CVE-2026-25793: https://nvd.nist.gov/vuln/detail/CVE-2026-25793
58-
# - smallstep/certificates: https://github.com/smallstep/certificates/releases
59-
# - Dockerfile pin: caddy-builder stage, line ~247 (go get nebula@v1.9.7)
60-
- vulnerability: GHSA-69x3-g4r3-p962
61-
package:
62-
name: github.com/slackhq/nebula
63-
version: "v1.9.7"
64-
type: go-module
65-
reason: |
66-
HIGH — ECDSA signature malleability in nebula v1.9.7 embedded in /usr/bin/caddy.
67-
Cannot upgrade: smallstep/certificates v0.27.5 (latest stable as of 2026-03-13)
68-
still requires nebula v1.9.x (verified across v0.27.5–v0.30.0-rc2). Charon does
69-
not use Nebula VPN PKI by default. Risk accepted pending upstream smallstep fix.
70-
Reviewed 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days.
71-
expiry: "2026-04-12" # Re-evaluated 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days.
72-
73-
# Action items when this suppression expires:
74-
# 1. Check smallstep/certificates releases: https://github.com/smallstep/certificates/releases
75-
# 2. If a stable version requires nebula v1.10+:
76-
# a. Update Dockerfile caddy-builder: remove the `go get nebula@v1.9.7` pin
77-
# b. Optionally bump smallstep/certificates to the new version
78-
# c. Rebuild Docker image and verify no compile failures
79-
# d. Re-run local security-scan-docker-image and confirm clean result
80-
# e. Remove this suppression entry
81-
# 3. If no fix yet: Extend expiry by 14 days and document justification
82-
# 4. If extended 3+ times: Open upstream issue on smallstep/certificates
83-
847
# CVE-2026-2673: OpenSSL TLS 1.3 server key exchange group downgrade
858
# Severity: HIGH (CVSS 7.5)
869
# Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 (Alpine apk)
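Review bot: this hunk deletes the entire accepted-risk record for GHSA-69x3-g4r3-p962 (nebula v1.9.7 embedded in /usr/bin/caddy) without any visible justification. The entry's own Removal Criteria require a smallstep/certificates release that needs nebula v1.10+, an update to the Dockerfile caddy-builder pin, a clean rescan, and removal of the matching .trivyignore entry; the Dockerfile hunk in this commit only bumps CADDY_SECURITY_VERSION, and the commit message describes an Ntfy feature. Either restore the entry with its 2026-04-12 expiry, or record in the commit message or CHANGELOG which criterion was met, so the audit trail for the accepted risk survives.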
@@ -153,161 +76,6 @@ ignore:
15376
Risk accepted pending Alpine upstream patch.
15477
expiry: "2026-04-18" # Initial 30-day review period. See libcrypto3 entry above for action items.
15578

156-
# CVE-2026-33186 / GHSA-p77j-4mvh-x3m3: gRPC-Go authorization bypass via missing leading slash
157-
# Severity: CRITICAL (CVSS 9.1)
158-
# Package: google.golang.org/grpc v1.74.2 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
159-
# Status: Fix available at v1.79.3 — waiting on CrowdSec upstream to release with patched grpc
160-
#
161-
# Vulnerability Details:
162-
# - gRPC-Go server path-based authorization (grpc/authz) fails to match deny rules when
163-
# the HTTP/2 :path pseudo-header is missing its leading slash (e.g., "Service/Method"
164-
# instead of "/Service/Method"), allowing a fallback allow-rule to grant access instead.
165-
# - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
166-
#
167-
# Root Cause (Third-Party Binary):
168-
# - Charon's own grpc dependency is patched to v1.79.3 (updated 2026-03-19).
169-
# - CrowdSec ships grpc v1.74.2 compiled into its binary; Charon has no control over this.
170-
# - This is a server-side vulnerability. CrowdSec uses grpc as a server; Charon uses it
171-
# only as a client (via the Docker SDK). CrowdSec's internal grpc server is not exposed
172-
# to external traffic in a standard Charon deployment.
173-
# - Fix path: once CrowdSec releases a version built with grpc >= v1.79.3, rebuild the
174-
# Docker image (Renovate tracks the CrowdSec version) and remove this suppression.
175-
#
176-
# Risk Assessment: ACCEPTED (Constrained exploitability in Charon context)
177-
# - The vulnerable code path requires an attacker to reach CrowdSec's internal grpc server,
178-
# which is bound to localhost/internal interfaces in the Charon container network.
179-
# - Container-level isolation (no exposed grpc port) significantly limits exposure.
180-
# - Charon does not configure grpc/authz deny rules on CrowdSec's server.
181-
#
182-
# Mitigation (active while suppression is in effect):
183-
# - Monitor CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
184-
# - Weekly CI security rebuild flags the moment a fixed CrowdSec image ships.
185-
#
186-
# Review:
187-
# - Reviewed 2026-03-19 (initial suppression): grpc v1.79.3 fix exists; CrowdSec has not
188-
# yet shipped an updated release. Suppression set for 14-day review given fix availability.
189-
# - Next review: 2026-04-02. Remove suppression once CrowdSec ships with grpc >= v1.79.3.
190-
#
191-
# Removal Criteria:
192-
# - CrowdSec releases a version built with google.golang.org/grpc >= v1.79.3
193-
# - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved
194-
# - Remove this entry and the corresponding .trivyignore entry simultaneously
195-
#
196-
# References:
197-
# - GHSA-p77j-4mvh-x3m3: https://github.com/advisories/GHSA-p77j-4mvh-x3m3
198-
# - CVE-2026-33186: https://nvd.nist.gov/vuln/detail/CVE-2026-33186
199-
# - grpc fix (v1.79.3): https://github.com/grpc/grpc-go/releases/tag/v1.79.3
200-
# - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
201-
- vulnerability: CVE-2026-33186
202-
package:
203-
name: google.golang.org/grpc
204-
version: "v1.74.2"
205-
type: go-module
206-
reason: |
207-
CRITICAL — gRPC-Go authorization bypass in grpc v1.74.2 embedded in /usr/local/bin/crowdsec
208-
and /usr/local/bin/cscli. Fix available at v1.79.3 (Charon's own dep is patched); waiting
209-
on CrowdSec upstream to release with patched grpc. CrowdSec's grpc server is not exposed
210-
externally in a standard Charon deployment. Risk accepted pending CrowdSec upstream fix.
211-
Reviewed 2026-03-19: CrowdSec has not yet released with grpc >= v1.79.3.
212-
expiry: "2026-04-02" # 14-day review: fix exists at v1.79.3; check CrowdSec releases.
213-
214-
# Action items when this suppression expires:
215-
# 1. Check CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
216-
# 2. If CrowdSec ships with grpc >= v1.79.3:
217-
# a. Renovate should auto-PR the new CrowdSec version in the Dockerfile
218-
# b. Merge the Renovate PR, rebuild Docker image
219-
# c. Run local security-scan-docker-image and confirm grpc v1.74.2 is gone
220-
# d. Remove this suppression entry and the corresponding .trivyignore entry
221-
# 3. If no fix yet: Extend expiry by 14 days and document justification
222-
# 4. If extended 3+ times: Open an upstream issue on crowdsecurity/crowdsec
223-
224-
# CVE-2026-33186 (Caddy) — see full justification in the CrowdSec entry above
225-
# Package: google.golang.org/grpc v1.79.1 (embedded in /usr/bin/caddy)
226-
# Status: Fix available at v1.79.3 — waiting on a new Caddy release built with patched grpc
227-
- vulnerability: CVE-2026-33186
228-
package:
229-
name: google.golang.org/grpc
230-
version: "v1.79.1"
231-
type: go-module
232-
reason: |
233-
CRITICAL — gRPC-Go authorization bypass in grpc v1.79.1 embedded in /usr/bin/caddy.
234-
Fix available at v1.79.3; waiting on Caddy upstream to release a build with patched grpc.
235-
Caddy's grpc server is not exposed externally in a standard Charon deployment.
236-
Risk accepted pending Caddy upstream fix. Reviewed 2026-03-19: no Caddy release with grpc >= v1.79.3 yet.
237-
expiry: "2026-04-02" # 14-day review: fix exists at v1.79.3; check Caddy releases.
238-
239-
# Action items when this suppression expires:
240-
# 1. Check Caddy releases: https://github.com/caddyserver/caddy/releases
241-
# (or the custom caddy-builder in the Dockerfile for caddy-security plugin)
242-
# 2. If a new Caddy build ships with grpc >= v1.79.3:
243-
# a. Update the Caddy version pin in the Dockerfile caddy-builder stage
244-
# b. Rebuild Docker image and run local security-scan-docker-image
245-
# c. Remove this suppression entry and the corresponding .trivyignore entry
246-
# 3. If no fix yet: Extend expiry by 14 days and document justification
247-
# 4. If extended 3+ times: Open an issue on caddyserver/caddy
248-
249-
# GHSA-479m-364c-43vc: goxmldsig XML signature validation bypass (loop variable capture)
250-
# Severity: HIGH (CVSS 7.5)
251-
# Package: github.com/russellhaering/goxmldsig v1.5.0 (embedded in /usr/bin/caddy)
252-
# Status: Fix available at v1.6.0 — waiting on a new Caddy release built with patched goxmldsig
253-
#
254-
# Vulnerability Details:
255-
# - Loop variable capture in validateSignature causes the signature reference to always
256-
# point to the last element in SignedInfo.References; an attacker can substitute signed
257-
# element content and bypass XML signature integrity validation (CWE-347, CWE-682).
258-
# - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
259-
#
260-
# Root Cause (Third-Party Binary):
261-
# - Charon does not use goxmldsig directly. The package is compiled into /usr/bin/caddy
262-
# via the caddy-security plugin's SAML/SSO support.
263-
# - Fix path: once Caddy (or the caddy-security plugin) releases a build with
264-
# goxmldsig >= v1.6.0, rebuild the Docker image and remove this suppression.
265-
#
266-
# Risk Assessment: ACCEPTED (Low exploitability in default Charon context)
267-
# - The vulnerability only affects SAML/XML signature validation workflows.
268-
# - Charon does not enable or configure SAML-based SSO in its default setup.
269-
# - Exploiting this requires an active SAML integration, which is non-default.
270-
#
271-
# Mitigation (active while suppression is in effect):
272-
# - Monitor caddy-security plugin releases: https://github.com/greenpau/caddy-security/releases
273-
# - Monitor Caddy releases: https://github.com/caddyserver/caddy/releases
274-
# - Weekly CI security rebuild flags the moment a fixed image ships.
275-
#
276-
# Review:
277-
# - Reviewed 2026-03-19 (initial suppression): goxmldsig v1.6.0 fix exists; Caddy has not
278-
# yet shipped with the updated dep. Set 14-day review given fix availability.
279-
# - Next review: 2026-04-02. Remove suppression once Caddy ships with goxmldsig >= v1.6.0.
280-
#
281-
# Removal Criteria:
282-
# - Caddy (or caddy-security plugin) releases a build with goxmldsig >= v1.6.0
283-
# - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved
284-
# - Remove this entry and the corresponding .trivyignore entry simultaneously
285-
#
286-
# References:
287-
# - GHSA-479m-364c-43vc: https://github.com/advisories/GHSA-479m-364c-43vc
288-
# - goxmldsig v1.6.0 fix: https://github.com/russellhaering/goxmldsig/releases/tag/v1.6.0
289-
# - caddy-security plugin: https://github.com/greenpau/caddy-security/releases
290-
- vulnerability: GHSA-479m-364c-43vc
291-
package:
292-
name: github.com/russellhaering/goxmldsig
293-
version: "v1.5.0"
294-
type: go-module
295-
reason: |
296-
HIGH — XML signature validation bypass in goxmldsig v1.5.0 embedded in /usr/bin/caddy.
297-
Fix available at v1.6.0; waiting on Caddy upstream to release a build with patched goxmldsig.
298-
Charon does not configure SAML-based SSO by default; the vulnerable XML signature path
299-
is not reachable in a standard deployment. Risk accepted pending Caddy upstream fix.
300-
Reviewed 2026-03-19: no Caddy release with goxmldsig >= v1.6.0 yet.
301-
expiry: "2026-04-02" # 14-day review: fix exists at v1.6.0; check Caddy/caddy-security releases.
302-
303-
# Action items when this suppression expires:
304-
# 1. Check caddy-security releases: https://github.com/greenpau/caddy-security/releases
305-
# 2. If a new build ships with goxmldsig >= v1.6.0:
306-
# a. Update the Caddy version pin in the Dockerfile caddy-builder stage if needed
307-
# b. Rebuild Docker image and run local security-scan-docker-image
308-
# c. Remove this suppression entry and the corresponding .trivyignore entry
309-
# 3. If no fix yet: Extend expiry by 14 days and document justification
310-
31179
# GHSA-6g7g-w4f8-9c9x: buger/jsonparser Delete panic on malformed JSON (DoS)
31280
# Severity: HIGH (CVSS 7.5)
31381
# Package: github.com/buger/jsonparser v1.1.1 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
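Review bot: removing the CVE-2026-33186 suppressions (grpc in /usr/local/bin/crowdsec, cscli and /usr/bin/caddy) and the GHSA-479m-364c-43vc suppression (goxmldsig in /usr/bin/caddy) in one hunk, all CRITICAL or HIGH and all with expiry 2026-04-02, needs the same justification as the nebula removal above: each entry's Removal Criteria ask for a rebuilt image, a security-scan-docker-image run confirming the finding is gone, and simultaneous removal of the corresponding .trivyignore entry, none of which is visible in this commit. If the caddy-security bump to 1.1.51 is what pulls in goxmldsig >= v1.6.0, state that in the commit; and since the scanner will now fail rather than silently pass if grpc v1.74.2 or v1.79.1 is still present, run the scan before merging.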

CHANGELOG.md

Lines changed: 3 additions & 0 deletions
@@ -9,6 +9,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
99

1010
### Added
1111

12+
- **Notifications:** Added Ntfy notification provider with support for self-hosted and cloud instances, optional Bearer token authentication, and JSON template customization
13+
1214
- **Certificate Deletion**: Clean up expired and unused certificates directly from the Certificates page
1315
- Expired Let's Encrypt certificates not attached to any proxy host can now be deleted
1416
- Custom and staging certificates remain deletable when not in use
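Review bot: the new entry writes `**Notifications:**` with the colon inside the bold, while the neighbouring entries use `**Certificate Deletion**:` with the colon outside; match the existing convention. This Added section also says nothing about the .grype.yaml suppression removals made in the same PR, which users tracking the image's security posture would expect to see listed.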
@@ -55,6 +57,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
5557

5658
### Fixed
5759

60+
- **Notifications:** Fixed Pushover token-clearing bug where tokens were silently stripped on provider create/update
5861
- **TCP Monitor Creation**: Fixed misleading form UX that caused silent HTTP 500 errors when creating TCP monitors
5962
- Corrected URL placeholder to show `host:port` format instead of the incorrect `tcp://host:port` prefix
6063
- Added dynamic per-type placeholder and helper text (HTTP monitors show a full URL example; TCP monitors show `host:port`)
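Review bot: the Pushover fix states that tokens were silently stripped on provider create/update, so Pushover providers saved while the bug was present may have empty tokens stored; the entry should tell users to re-enter and re-save their Pushover token, or the release should include a check or migration for affected records. Same style point as in the Added section: `**Notifications:**` puts the colon inside the bold, unlike `**TCP Monitor Creation**:` directly below it.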

Dockerfile

Lines changed: 1 addition & 1 deletion
@@ -43,7 +43,7 @@ ARG CADDY_CANDIDATE_VERSION=2.11.2
4343
ARG CADDY_USE_CANDIDATE=0
4444
ARG CADDY_PATCH_SCENARIO=B
4545
# renovate: datasource=go depName=github.com/greenpau/caddy-security
46-
ARG CADDY_SECURITY_VERSION=1.1.50
46+
ARG CADDY_SECURITY_VERSION=1.1.51
4747
# renovate: datasource=go depName=github.com/corazawaf/coraza-caddy
4848
ARG CORAZA_CADDY_VERSION=2.2.0
4949
## When an official caddy image tag isn't available on the host, use a
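Review bot: the bump of CADDY_SECURITY_VERSION from 1.1.50 to 1.1.51 keeps the renovate annotation intact, which is correct, but the commit does not say what the new plugin version changes. Since the same PR drops the goxmldsig and grpc suppressions for /usr/bin/caddy, the commit message should state whether 1.1.51 is what updates those transitive dependencies, so this pin and the suppression removals are explicitly tied together and the caddy-builder stage is confirmed to still compile against CADDY_CANDIDATE_VERSION 2.11.2.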
