chore(RDODCP-912): Upstream sync v1.11.5#51
Merged
Merged
Conversation
Cherry-picked from upstream commit 44310b6. Previously, authfile ACL restrictions were only checked during the initial config handshake. This adds ACL enforcement at the tunnel layer when processing SSH channel requests, ensuring that each outbound connection is validated against the user's allowed addresses. This is a security enhancement that closes a gap where ACL restrictions could potentially be bypassed after initial authentication. Note: Dependency update commits (57d2249, 4df5fcf) were not included as the fork already has newer dependency versions than upstream v1.11.5. Co-Authored-By: Jaime Pillora <dev@jpillora.com>
Wiz Scan Summary
To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension. Pull Request Developer GuidanceQuestions? See the Wiz FAQ. Please contact the Security Office if you encounter issues with Wiz pull request scanning. |
OS-juhitasheth
approved these changes
Apr 6, 2026
arshiya-99
added a commit
that referenced
this pull request
Jul 13, 2026
Trivy flags CVE-2026-48113 on our build because the OutSystems fork tag `1.11.5-os.N` is a SemVer pre-release of `1.11.5`, sorting below the fixed version. The fix is already present via PR #51. Ref: RDODCP-917
arshiya-99
added a commit
that referenced
this pull request
Jul 13, 2026
* Fix race in tunnel waitGroup causing negative counter panic (jpillora#586) Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Improve SOCKS auth: enforce per-user ACL on socks channels (jpillora#591) Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> * clean workspace dependencies for release * Add .trivyignore to suppress CVE-2026-48113 false positive Trivy flags CVE-2026-48113 on our build because the OutSystems fork tag `1.11.5-os.N` is a SemVer pre-release of `1.11.5`, sorting below the fixed version. The fix is already present via PR #51. Ref: RDODCP-917 * Remove .trivyignore * Wire Verbose flag to client logger level (upstream jpillora#281) The Verbose field was present in Config but never used. Apply the missing half of upstream commit 200a8e2: set Logger.Info = c.Verbose so callers can control log verbosity programmatically. --------- Co-authored-by: Jaime Pillora <jpillora@gmail.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Upstream sync:
Cherry-picked from upstream commit 44310b6.
Previously, authfile ACL restrictions were only checked during the initial config handshake. This adds ACL enforcement at the tunnel layer when processing SSH channel requests, ensuring that each outbound connection is validated against the user's allowed addresses.
This is a security enhancement that closes a gap where ACL restrictions could potentially be bypassed after initial authentication.
Note: Dependency update commits (57d2249, 4df5fcf) were not included as the fork already has newer dependency versions than upstream v1.11.5.