• v0.2.4 d5ca7a8be1

    MyFSIO v0.2.4 Beta Pre-Release

    kqjy released this 2026-02-01 10:36:38 +00:00 | 121 commits to main since this release

    Added

    • Configurable rate limits for S3 API endpoints with SlowDown error code tracking for 429 responses
    • Environment variables for configuring previously hardcoded timeouts and limits
    • Site registry UI and documentation for geo-distributed deployments
      • Replication setup wizard and site-level sync dashboard
      • Bidirectional replication setup verification and improved UX warnings
    • ALLOW_INTERNAL_ENDPOINTS configuration for self-hosted internal network deployments
    • New S3 API implementations:
      • UploadPartCopy: Copy existing object range as multipart part
      • Bucket Replication (GET/PUT/DELETE /<bucket>?replication): Standard AWS S3 replication config API
      • PostObject: Browser-based form uploads with policy signing
      • SelectObjectContent: SQL queries on CSV/JSON/Parquet using DuckDB
    • Restrictive file permissions (0o600) for master key files on Unix, and Windows ACLs for encryption keys
    • AAD (Additional Authenticated Data) to all AES-GCM encryption operations
    • Constant-time comparison for credentials and session tokens
    • CORS origin and HTTP method validation
    • HKDF for streaming encryption nonce derivation
    • Support for AES_128 and AES_256 key_spec in KMS data key generation
    • File locking for atomic master key creation
    • Persistence of authentication lockout state to disk
    • Input validation for admin API endpoints and remote JSON schema in bidirectional checks

    Changed

    • Reduced credential cache TTL from 60s to 10s
    • Improved KMS error handling with structured logging
    • Updated documentation for site registry and geo-distribution features

    Fixed

    • Bidirectional-status 404 when UI runs separately from API
    • 403 auth error on bidirectional-status endpoint by adding dedicated UI endpoint
    • Bidirectional sync UI issues
    • Auth bypass and user enumeration vulnerabilities
    • XML entity DoS (Denial of Service) vulnerabilities
    • Multipart upload race conditions
    • Unicode path traversal issues
    • Silent permission failures (now return explicit errors instead of falling back)
    • Data key operations without AAD
    • KMS streaming weaknesses
    • Credential cache storing plaintext secrets (now properly encrypted/hashed)
    • Thread safety issues in session token validation
    • Cache invalidation on credential rotation
    • list_objects pagination silently ignoring exceptions (now returns error on invalid continuation tokens)
    • Bucket policy enforcement for POST object uploads
    • Open redirects (fixed via URL whitelist validation)
    • SSRF (Server-Side Request Forgery) in webhooks and admin API endpoints
    • X-Forwarded-For spoofing (fixed via trusted proxy configuration)
    • Information leakage (fixed through error message sanitization)