blacktop
c20f9af712
fix: multiple security vulnerabilities (SSRF, path traversal)
- Remove POST /diff/files endpoint that allowed arbitrary host file reads
  (CWE-22); clients must now read files locally and POST content to
  /diff/blobs instead
- Add validatePublicURL() to /info remote endpoints, rejecting URLs that
  resolve to loopback, private, link-local, or multicast addresses to
  prevent SSRF; also remove attacker-controlled proxy/insecure params
- Add SanitizeArchivePath() helper that verifies extracted archive entry
  paths stay within the destination directory (zip-slip / tar-slip,
  CWE-22); replace bare filepath.Join(dest, filepath.Clean(name)) calls
  in SearchZip, OTA parser, AA payload extractor, and ota_extract
- Fix server listen address to use net.JoinHostPort to respect Host config
2026-04-11 14:37:41 -06:00
blacktop
cb138b0bc4
docs: update CLI docs
2025-03-29 22:31:06 -06:00
blacktop
2aacaf66d2
feat: add NEW /macho/info/strings route to ipswd
2024-10-14 14:54:40 -06:00
blacktop
bfb1587367
docs: fix API docs for /syms/rescan
2024-10-02 14:48:47 -06:00
blacktop
b236da9b7d
chore: change /syms/rescan from POST to PUT
2024-09-26 12:56:54 -06:00
blacktop
db74fb9cc4
docs: add API docs for /syms/rescan route
2024-09-25 16:06:29 -06:00
blacktop
fda8c8e071
fix: postgres name/path table joins
2024-09-25 15:22:37 -06:00
blacktop
5947486258
chore: also add sig_dir as an optional POST query param in addition to config setting
2024-09-19 19:23:28 -06:00
blacktop
91ccb2b225
docs: update symbolicate guide to include symbol server daemon config example
2024-09-19 19:11:19 -06:00
blacktop
455d715be5
docs: update CLI docs
2024-07-27 23:33:06 -06:00
blacktop
639ce7ea38
docs: fix API docs
2024-07-10 15:02:39 -06:00
blacktop
24ac286b16
docs: fix API return type for /aea/fcs-keys
2024-07-10 14:53:06 -06:00
blacktop
87edee4d16
docs: add API docs for /aea route
2024-07-10 14:40:51 -06:00
blacktop
ea06906388
Update swagger.json
2024-07-08 22:19:22 -06:00
blacktop
5cce056e0c
chore: add ability for the ipsw symbolicate symbol server to tell you it doesn't have the required IPSW scanned yet
2024-07-05 17:37:15 -06:00
blacktop
29b8785af8
feat: add support for using **symbol server** with ipsw symbolicate command
2024-07-05 15:03:25 -06:00
blacktop
4e1d85458e
docs: smol fix
2024-07-04 00:28:23 -06:00
blacktop
e4633fb3a2
docs: minor API doc fix
2024-07-03 17:43:39 -06:00
blacktop
5a9da7d4b0
docs: fix API docs
2024-07-03 17:16:12 -06:00
blacktop
9f56962735
feat: add ability to query symbols via ipswd API routes /api/syms/:uuid and /api/syms/:uuid/:addr
2024-07-03 17:02:08 -06:00
blacktop
1dda3daa4f
docs: update docs
2024-07-02 20:50:45 -06:00
blacktop
7704d0e57c
chore(deps): bump dep
2024-05-31 11:23:03 -06:00
blacktop
4dc914773c
Update swagger.json
2023-11-16 09:28:59 -07:00
blacktop
c82fc4400b
chore: improve ipsw dyld commands tab-completions
2023-11-15 20:44:09 -07:00
blacktop
da74430c69
docs: fix docs
2023-09-06 18:40:40 -06:00
blacktop
2636e87751
Update swagger.json
2023-08-21 10:39:44 -06:00
blacktop
172025f25f
fix: ipsw extract --kernel --json output to include devices 🥝
2023-08-03 17:54:19 +12:00
blacktop
7f1c78b9d7
chore(deps): add support for NEW launch constraints CS slots
2023-07-24 10:12:59 -06:00
blacktop
b61f4b91c5
feat: add /extract/sptm route to ipswd 🥝
2023-06-12 16:56:15 -06:00
blacktop
6d304268af
fix: ipsw search cmds to scan ObjC category classes AND check sub-prots for categories and classes
2023-05-24 18:50:42 -06:00
blacktop
e300560876
doc: update ipswd /unmount API docs
2023-05-24 14:22:05 -06:00
blacktop
c892027ea2
doc: update docs
2023-05-24 11:31:46 -06:00
blacktop
c7fdf3b19b
fix: allow ipswd route /dsc/a2s to stream output vs. waiting until done
2023-04-27 17:39:45 -06:00
blacktop
e6f00279d5
doc: update
2023-04-27 14:17:24 -06:00
blacktop
7b8d4925f6
fix: rm /dsc/split route from non-darwin ipswd
2023-04-27 14:08:44 -06:00
blacktop
b8b15107f0
doc: minor API doc update
2023-04-27 13:28:57 -06:00
blacktop
fc7e67310f
doc: add routes to API docs
2023-04-27 13:18:28 -06:00
blacktop
5e6749b3da
doc: switch /dsc/slide from GET to POST
2023-04-25 21:58:02 -06:00
blacktop
fa83dfd731
feat: add ipswd /dsc/slide and /dsc/split routes
2023-04-25 21:50:38 -06:00
blacktop
99b36d7c4b
doc: add /diff param doc
2023-04-20 15:48:06 -06:00
blacktop
85f6dcd72d
feat: add ipswd API /diff routes
2023-04-20 12:01:09 -06:00
blacktop
19f569f8b9
Update swagger.json
2023-04-18 18:55:26 -06:00
blacktop
27a3dce7f8
doc: add MANY response types to swagger docs
2023-04-18 18:16:40 -06:00
blacktop
1aadc75eba
feat: add ipswd /dsc/webkit API route
2023-04-18 15:32:34 -06:00
blacktop
8219f0e3a4
docs: trying to improve some swag docs
2023-04-16 23:00:53 -06:00
blacktop
8556e2b71c
docs: fix /dsc route params
2023-04-16 12:18:09 -06:00
blacktop
d6abb0b3f4
docs: add API description
2023-04-13 21:53:38 -06:00
blacktop
6c32139915
docs: change API header
2023-04-13 21:38:04 -06:00
blacktop
5a47bfddf8
feat: add NEW /ipsw/fs/launchd route to ipswd
2023-04-13 21:01:39 -06:00
blacktop
d19b996ca5
chore: change /extract routes to POSTs
2023-04-13 20:48:07 -06:00