diff --git a/CHANGELOG.md b/CHANGELOG.md index da343f1..7ff10c1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,19 @@ --- +## [v0.35] Security hardening +*April 5, 2026 | 433 tests* + +### Security fixes +- **ENV race condition (HIGH):** Two concurrent sessions could interleave `os.environ` writes, clobbering workspace and session keys. Fixed with a global `_ENV_LOCK` in `streaming.py` that serializes the env save/restore block across all sessions. (#108) +- **Predictable signing key (MEDIUM):** Session cookies were signed with `sha256(STATE_DIR)` -- deterministic and forgeable if the install path is known. Now generates a cryptographically random 32-byte key on first startup, persisted to `STATE_DIR/.signing_key` (chmod 600). (#108) +- **Upload path traversal (MEDIUM):** Filenames like `..` survived the `[^\w.\-]` sanitization regex because dots are allowed. Fixed by rejecting dot-only filenames and validating the resolved path stays within the workspace sandbox via `safe_resolve_ws()`. (#108) +- **Weak password hashing (MEDIUM):** Bare SHA-256 with a predictable salt replaced with PBKDF2-SHA256 at 600k iterations (OWASP recommendation) using the random signing key as salt. No new dependencies (stdlib `hashlib.pbkdf2_hmac`). (#108) + +**Breaking change:** Existing session cookies and password hashes are invalidated on first restart after upgrade. Users with password auth enabled will need to re-set their password. + +--- + ## [v0.34.3] Light theme final polish *April 5, 2026 | 433 tests* diff --git a/ROADMAP.md b/ROADMAP.md index 0733e82..8f6ac9d 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -3,7 +3,7 @@ > Goal: Full 1:1 parity with the Hermes CLI experience via a clean dark web UI. > Everything you can do from the CLI terminal, you can do from this UI. > -> Last updated: v0.34.3 (April 5, 2026) +> Last updated: v0.35 (April 5, 2026) > Tests: 433 total (433 passing, 0 failures) > Source: / 
@@ -46,6 +46,7 @@ | v0.34.1 | Theme variable polish | 30+ hardcoded dark-navy colors replaced with theme-aware CSS variables | 433 | | v0.34.2 | Theme text colors | 5 new per-theme typography variables (--strong, --em, --code-text, --code-inline-bg, --pre-text) | 433 | | v0.34.3 | Light theme final polish | 46 light-scoped selector overrides for sidebar, roles, chips, interactive elements | 433 | +| v0.35 | Security hardening | Env race fix, random signing key, upload path traversal, PBKDF2 password hash | 433 | --- diff --git a/SPRINTS.md b/SPRINTS.md index 92afe04..5f37bcd 100644 --- a/SPRINTS.md +++ b/SPRINTS.md @@ -1,6 +1,6 @@ # Hermes Web UI -- Forward Sprint Plan -> Current state: v0.34.3 | 433 tests | Daily driver ready +> Current state: v0.35 | 433 tests | Daily driver ready > This document plans the path from here to two targets: > > Target A: 1:1 feature parity with the Hermes CLI (everything you can do from the @@ -1156,6 +1156,6 @@ New test cases in `tests/test_sprint26.py`: --- *Last updated: April 5, 2026* -*Current version: v0.34.3 | 433 tests* +*Current version: v0.35 | 433 tests* *Next sprint: Sprint 24 (Web Polish + Bug Fix Pass)* *Horizon sprint: Sprint 25 (macOS Desktop Application)* diff --git a/static/index.html b/static/index.html index b474d16..cf7458d 100644 --- a/static/index.html +++ b/static/index.html @@ -14,7 +14,7 @@
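Review bot: In the CHANGELOG hunk, the "Weak password hashing" entry derives the PBKDF2 salt from the random signing key, which couples two unrelated secrets: rotating or losing `STATE_DIR/.signing_key` silently invalidates every stored password hash, and the same secret now protects both cookie integrity and password storage. The usual layout is a fresh random salt generated per hash and stored next to it (for example `pbkdf2_sha256$600000$<salt>$<hash>`), leaving the signing key to cookies only; `hashlib.pbkdf2_hmac` already takes the salt as an argument, so this needs no new dependency either. Separately, the header line `*April 5, 2026 | 433 tests*` is identical to the v0.34.3 line below it, so none of the four fixes appears to ship with a regression test; at minimum the upload fix would benefit from a test that submits `..`, `.` and `../x` as filenames and asserts that `safe_resolve_ws()` rejects anything outside the workspace.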
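Review bot: In the ROADMAP table hunk, the new v0.35 row lists "upload path traversal" among the changes, which reads as the vulnerability rather than the fix while the neighbouring items in the same cell say "Env race fix" and "random signing key"; suggest "upload path traversal fix" (or "upload filename sanitization") so the row describes what was done.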
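Review bot: In the SPRINTS footer hunk (`@@ -1156,6 +1156,6 @@`), only the version line is bumped while the unchanged context still reads `*Next sprint: Sprint 24 (Web Polish + Bug Fix Pass)*`, even though the hunk's leading context refers to `tests/test_sprint26.py`; if the sprint plan has moved past Sprint 24, the "Next sprint" and "Horizon sprint" lines should be updated in the same change rather than left stale next to the new version.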