fix(security): #190 — gate POST /templates/import behind AdminAuth

Closes #190 (HIGH). The route was registered on the root router with no auth middleware, letting any unauthenticated caller write arbitrary files into configsDir via a crafted template. Same vulnerability class as #164 (bundles/import) and path-traversal risk same as #103 (org/import). One-line gate via the existing wsAdmin pattern. Lazy-bootstrap fail-open preserved for fresh installs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 11:00:49 -07:00 · 2026-04-15 11:00:49 -07:00 · 7c9192063d
commit 7c9192063d
parent 458c743ad6
1 changed files with 6 additions and 1 deletions
--- a/platform/internal/router/router.go
+++ b/platform/internal/router/router.go
@ -308,7 +308,12 @@ func Setup(hub *ws.Hub, broadcaster *events.Broadcaster, prov *provisioner.Provi
 	// Templates
 	tmplh := handlers.NewTemplatesHandler(configsDir, dockerCli)
 	r.GET("/templates", tmplh.List)
-	r.POST("/templates/import", tmplh.Import)
+	// #190: POST /templates/import writes arbitrary files into configsDir.
+	// Must be admin-gated — same class as /bundles/import (#164) and /org/import.
+	{
+		tmplAdmin := r.Group("", middleware.AdminAuth(db.DB))
+		tmplAdmin.POST("/templates/import", tmplh.Import)
+	}
 	wsAuth.GET("/shared-context", tmplh.SharedContext)
 	wsAuth.PUT("/files", tmplh.ReplaceFiles)
 	wsAuth.GET("/files", tmplh.ListFiles)