security: harden API endpoints against injection, open redirect, and abuse

- Fix shell injection in install scripts via base64 encoding of custom_script
  and sanitization of username/slug before shell interpolation
- Fix open redirect in OAuth login and callback (validate return_to at both
  entry and redirect points)
- Add input validation for custom_script (max 10k, no null bytes) and
  dotfiles_repo (HTTPS-only, allowlisted hosts)
- Add in-memory sliding window rate limiting across all API endpoints
- Add security headers (CSP, HSTS, X-Frame-Options, nosniff) to all responses
  including early-return script/redirect responses
- Use crypto.getRandomValues() for CLI device code generation
- Add payload size validation (100KB max) for snapshot uploads
- Genericize error messages to prevent information leakage

Author: fullstackjam

src/hooks.server.ts

@@ -3,11 +3,43 @@ import { generateInstallScript } from '$lib/server/install-script';
 
 const INSTALL_SCRIPT_URL = 'https://raw.githubusercontent.com/openbootdotdev/openboot/main/scripts/install.sh';
 
+const SECURITY_HEADERS: Record<string, string> = {
+	'X-Frame-Options': 'DENY',
+	'X-Content-Type-Options': 'nosniff',
+	'Referrer-Policy': 'strict-origin-when-cross-origin',
+	'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
+	'X-XSS-Protection': '0',
+	'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
+	'Content-Security-Policy': [
+		"default-src 'self'",
+		"script-src 'self' 'unsafe-inline'",
+		"style-src 'self' 'unsafe-inline'",
+		"img-src 'self' https: data:",
+		"font-src 'self' https://fonts.gstatic.com",
+		"connect-src 'self' https://api.github.com https://accounts.google.com https://oauth2.googleapis.com https://formulae.brew.sh https://registry.npmjs.org",
+		"frame-ancestors 'none'",
+		"base-uri 'self'",
+		"form-action 'self' https://github.com https://accounts.google.com"
+	].join('; ')
+};
+
+function withSecurityHeaders(response: Response): Response {
+	const headers = new Headers(response.headers);
+	for (const [key, value] of Object.entries(SECURITY_HEADERS)) {
+		headers.set(key, value);
+	}
+	return new Response(response.body, {
+		status: response.status,
+		statusText: response.statusText,
+		headers
+	});
+}
+
 export const handle: Handle = async ({ event, resolve }) => {
 	const path = event.url.pathname;
 
 	if (path === '/install.sh') {
-		return Response.redirect(INSTALL_SCRIPT_URL, 302);
+		return withSecurityHeaders(Response.redirect(INSTALL_SCRIPT_URL, 302));
 	}
 
 	const shortAliasMatch = path.match(/^\/([a-z0-9-]+)$/);
@@ -31,14 +63,14 @@ export const handle: Handle = async ({ event, resolve }) => {
 
 					env.DB.prepare('UPDATE configs SET install_count = install_count + 1 WHERE alias = ?').bind(alias).run().catch(() => {});
 
-					return new Response(script, {
+					return withSecurityHeaders(new Response(script, {
 						headers: {
 							'Content-Type': 'text/plain; charset=utf-8',
 							'Cache-Control': 'no-cache'
 						}
-					});
+					}));
 				} else if (isBrowser) {
-					return Response.redirect(`/${config.username}/${config.slug}`, 302);
+					return withSecurityHeaders(Response.redirect(`/${config.username}/${config.slug}`, 302));
 				}
 			}
 		}
@@ -65,17 +97,18 @@ export const handle: Handle = async ({ event, resolve }) => {
 
 						env.DB.prepare('UPDATE configs SET install_count = install_count + 1 WHERE user_id = ? AND slug = ?').bind(user.id, slug).run().catch(() => {});
 
-						return new Response(script, {
+						return withSecurityHeaders(new Response(script, {
 							headers: {
 								'Content-Type': 'text/plain; charset=utf-8',
 								'Cache-Control': 'no-cache'
 							}
-						});
+						}));
 					}
 				}
 			}
 		}
 	}
 
-	return resolve(event);
+	const response = await resolve(event);
+	return withSecurityHeaders(response);
 };

src/lib/server/install-script.ts

@@ -1,15 +1,22 @@
+function sanitizeShellArg(value: string): string {
+	return value.replace(/[^a-zA-Z0-9_\-]/g, '');
+}
+
 export function generateInstallScript(
 	username: string,
 	slug: string,
 	customScript: string,
 	dotfilesRepo: string
 ): string {
+	const safeUsername = sanitizeShellArg(username);
+	const safeSlug = sanitizeShellArg(slug);
+
 	return `#!/bin/bash
 set -e
 
 echo "========================================"
 echo "  OpenBoot - Custom Install"
-echo "  Config: @${username}/${slug}"
+echo "  Config: @${safeUsername}/${safeSlug}"
 echo "========================================"
 echo ""
 
@@ -66,16 +73,17 @@ echo "Downloading OpenBoot..."
 curl -fsSL "\$OPENBOOT_URL" -o "\$OPENBOOT_BIN"
 chmod +x "\$OPENBOOT_BIN"
 
-echo "Using remote config: @${username}/${slug}"
-"\$OPENBOOT_BIN" --user ${username}/${slug} "\$@"
+echo "Using remote config: @${safeUsername}/${safeSlug}"
+"\$OPENBOOT_BIN" --user "${safeUsername}/${safeSlug}" "\$@"
 
 ${
 		customScript
 			? `
 echo ""
 echo "=== Running Custom Post-Install Script ==="
 set +e
-${customScript}
+CUSTOM_SCRIPT_B64="${btoa(unescape(encodeURIComponent(customScript)))}"
+echo "\$CUSTOM_SCRIPT_B64" | base64 -d | bash
 CUSTOM_SCRIPT_EXIT=$?
 set -e
 if [ $CUSTOM_SCRIPT_EXIT -ne 0 ]; then
@@ -94,6 +102,11 @@ echo "=== Setting up Dotfiles ==="
 DOTFILES_REPO="${dotfilesRepo}"
 DOTFILES_DIR="\$HOME/.dotfiles"
 
+if [[ ! "\$DOTFILES_REPO" =~ ^https:// ]]; then
+  echo "Error: Invalid dotfiles repo URL (must use HTTPS)"
+  exit 1
+fi
+
 if [ -d "\$DOTFILES_DIR" ]; then
   echo "Dotfiles directory already exists at \$DOTFILES_DIR"
   echo "Pulling latest changes..."

src/lib/server/rate-limit.ts

@@ -0,0 +1,83 @@
+/**
+ * In-memory sliding window rate limiter (per Worker isolate).
+ *
+ * PRODUCTION NOTE: This is NOT globally consistent across Cloudflare Workers isolates.
+ * For production-grade global rate limiting, configure Cloudflare Rate Limiting rules:
+ * https://developers.cloudflare.com/waf/rate-limiting-rules/
+ *
+ * Recommended Cloudflare rule:
+ *   - Rate: 100 requests per minute per IP
+ *   - Action: Block with 429 status
+ *   - Scope: /api/*
+ */
+
+interface RateLimitConfig {
+	maxRequests: number;
+	windowMs: number;
+}
+
+interface RateLimitResult {
+	allowed: boolean;
+	retryAfter?: number;
+}
+
+class RateLimiter {
+	private requests: Map<string, number[]> = new Map();
+	private lastCleanup: number = Date.now();
+	private readonly CLEANUP_INTERVAL_MS = 60000;
+
+	check(key: string, config: RateLimitConfig): RateLimitResult {
+		const now = Date.now();
+		const windowStart = now - config.windowMs;
+
+		if (now - this.lastCleanup > this.CLEANUP_INTERVAL_MS) {
+			this.cleanup(now);
+		}
+
+		let timestamps = this.requests.get(key) || [];
+		timestamps = timestamps.filter((ts) => ts > windowStart);
+
+		if (timestamps.length >= config.maxRequests) {
+			const oldestInWindow = timestamps[0];
+			const retryAfter = oldestInWindow + config.windowMs - now;
+			return { allowed: false, retryAfter: Math.max(retryAfter, 0) };
+		}
+
+		timestamps.push(now);
+		this.requests.set(key, timestamps);
+		return { allowed: true };
+	}
+
+	private cleanup(now: number): void {
+		const cutoff = now - 600000;
+		for (const [key, timestamps] of this.requests.entries()) {
+			const recent = timestamps.filter((ts) => ts > cutoff);
+			if (recent.length === 0) {
+				this.requests.delete(key);
+			} else {
+				this.requests.set(key, recent);
+			}
+		}
+		this.lastCleanup = now;
+	}
+}
+
+const rateLimiter = new RateLimiter();
+
+export function getRateLimitKey(endpoint: string, identifier: string): string {
+	return `${endpoint}:${identifier}`;
+}
+
+export const RATE_LIMITS = {
+	AUTH_LOGIN: { maxRequests: 10, windowMs: 60000 },
+	AUTH_CALLBACK: { maxRequests: 10, windowMs: 60000 },
+	CLI_START: { maxRequests: 5, windowMs: 60000 },
+	CLI_APPROVE: { maxRequests: 10, windowMs: 60000 },
+	CLI_POLL: { maxRequests: 20, windowMs: 60000 },
+	CONFIG_READ: { maxRequests: 30, windowMs: 60000 },
+	CONFIG_WRITE: { maxRequests: 30, windowMs: 60000 }
+} as const;
+
+export function checkRateLimit(key: string, config: RateLimitConfig): RateLimitResult {
+	return rateLimiter.check(key, config);
+}

src/lib/server/validation.ts

@@ -0,0 +1,90 @@
+interface ValidationResult {
+	valid: boolean;
+	error?: string;
+}
+
+/** Validates custom script: max 10k chars, no null bytes. Base64-encoded at generation time to prevent shell injection. */
+export function validateCustomScript(script: string | null | undefined): ValidationResult {
+	if (!script) {
+		return { valid: true };
+	}
+
+	if (typeof script !== 'string') {
+		return { valid: false, error: 'Custom script must be a string' };
+	}
+
+	if (script.length > 10000) {
+		return { valid: false, error: 'Custom script must be less than 10,000 characters' };
+	}
+
+	if (script.includes('\x00')) {
+		return { valid: false, error: 'Custom script contains invalid characters' };
+	}
+
+	return { valid: true };
+}
+
+/** Validates dotfiles repo URL: HTTPS only, allowed hosts (github/gitlab/bitbucket/codeberg), valid path, max 500 chars. */
+export function validateDotfilesRepo(url: string | null | undefined): ValidationResult {
+	if (!url || url === '') {
+		return { valid: true };
+	}
+
+	if (typeof url !== 'string') {
+		return { valid: false, error: 'Dotfiles repo must be a string' };
+	}
+
+	if (url.length > 500) {
+		return { valid: false, error: 'Dotfiles repo URL is too long' };
+	}
+
+	if (!url.startsWith('https://')) {
+		return { valid: false, error: 'Dotfiles repo must use HTTPS' };
+	}
+
+	try {
+		const parsed = new URL(url);
+		const hostname = parsed.hostname.toLowerCase();
+
+		const allowedHosts = ['github.com', 'gitlab.com', 'bitbucket.org', 'codeberg.org'];
+		const isAllowed = allowedHosts.includes(hostname);
+
+		if (!isAllowed) {
+			return {
+				valid: false,
+				error: 'Dotfiles repo must be hosted on GitHub, GitLab, Bitbucket, or Codeberg'
+			};
+		}
+
+		if (parsed.pathname.includes('..') || parsed.pathname.includes('//')) {
+			return { valid: false, error: 'Invalid dotfiles repo URL path' };
+		}
+
+		if (!/^\/[\w\-\.\/]+(?:\.git)?$/.test(parsed.pathname)) {
+			return { valid: false, error: 'Invalid dotfiles repo URL format' };
+		}
+
+		return { valid: true };
+	} catch {
+		return { valid: false, error: 'Invalid dotfiles repo URL' };
+	}
+}
+
+/** Validates return_to path — prevents open redirect (relative paths only, safe chars).
+ *  Allows query strings (needed for cli-auth?code=XXX flow). */
+export function validateReturnTo(path: string | null | undefined): boolean {
+	if (!path || typeof path !== 'string') {
+		return false;
+	}
+
+	if (!path.startsWith('/')) {
+		return false;
+	}
+
+	if (path.startsWith('//')) {
+		return false;
+	}
+
+	// Allow path + optional query string with safe characters
+	return /^\/[a-zA-Z0-9\-_/]*(\?[a-zA-Z0-9\-_=&%]*)?$/.test(path);
+}

src/routes/api/auth/callback/github/+server.ts

@@ -1,14 +1,22 @@
-import { redirect } from '@sveltejs/kit';
+import { redirect, json } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
 import { signToken, generateId } from '$lib/server/auth';
+import { checkRateLimit, getRateLimitKey, RATE_LIMITS } from '$lib/server/rate-limit';
+import { validateReturnTo } from '$lib/server/validation';
 
 const GITHUB_TOKEN_URL = 'https://github.com/login/oauth/access_token';
 const GITHUB_USER_URL = 'https://api.github.com/user';
 
-export const GET: RequestHandler = async ({ url, platform, cookies }) => {
+export const GET: RequestHandler = async ({ url, platform, cookies, request }) => {
 	const env = platform?.env;
 	if (!env) throw new Error('Platform env not available');
 
+	const clientIp = request.headers.get('cf-connecting-ip') || 'unknown';
+	const rl = checkRateLimit(getRateLimitKey('auth-callback-github', clientIp), RATE_LIMITS.AUTH_CALLBACK);
+	if (!rl.allowed) {
+		return json({ error: 'Rate limit exceeded' }, { status: 429, headers: { 'Retry-After': String(Math.ceil(rl.retryAfter! / 1000)) } });
+	}
+
 	const code = url.searchParams.get('code');
 	const state = url.searchParams.get('state');
 	const savedState = cookies.get('auth_state');
@@ -101,7 +109,8 @@ export const GET: RequestHandler = async ({ url, platform, cookies }) => {
 		maxAge: thirtyDays
 	});
 
-	const returnTo = cookies.get('auth_return_to') || '/dashboard';
+	const returnToRaw = cookies.get('auth_return_to') || '/dashboard';
+	const returnTo = validateReturnTo(returnToRaw) ? returnToRaw : '/dashboard';
 	cookies.delete('auth_state', { path: '/' });
 	cookies.delete('auth_return_to', { path: '/' });
 

src/routes/api/auth/callback/google/+server.ts

@@ -1,14 +1,22 @@
-import { redirect } from '@sveltejs/kit';
+import { redirect, json } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
 import { signToken, generateId, slugify } from '$lib/server/auth';
+import { checkRateLimit, getRateLimitKey, RATE_LIMITS } from '$lib/server/rate-limit';
+import { validateReturnTo } from '$lib/server/validation';
 
 const GOOGLE_TOKEN_URL = 'https://oauth2.googleapis.com/token';
 const GOOGLE_USERINFO_URL = 'https://www.googleapis.com/oauth2/v2/userinfo';
 
-export const GET: RequestHandler = async ({ url, platform, cookies }) => {
+export const GET: RequestHandler = async ({ url, platform, cookies, request }) => {
 	const env = platform?.env;
 	if (!env) throw new Error('Platform env not available');
 
+	const clientIp = request.headers.get('cf-connecting-ip') || 'unknown';
+	const rl = checkRateLimit(getRateLimitKey('auth-callback-google', clientIp), RATE_LIMITS.AUTH_CALLBACK);
+	if (!rl.allowed) {
+		return json({ error: 'Rate limit exceeded' }, { status: 429, headers: { 'Retry-After': String(Math.ceil(rl.retryAfter! / 1000)) } });
+	}
+
 	const code = url.searchParams.get('code');
 	const state = url.searchParams.get('state');
 	const savedState = cookies.get('auth_state');
@@ -103,7 +111,8 @@ export const GET: RequestHandler = async ({ url, platform, cookies }) => {
 			maxAge: thirtyDays
 		});
 
-		const returnTo = cookies.get('auth_return_to') || '/dashboard';
+		const returnToRaw = cookies.get('auth_return_to') || '/dashboard';
+		const returnTo = validateReturnTo(returnToRaw) ? returnToRaw : '/dashboard';
 		cookies.delete('auth_state', { path: '/' });
 		cookies.delete('auth_return_to', { path: '/' });