From 4d2d65803bb7cce531025417ceedd6f664d7f45a Mon Sep 17 00:00:00 2001 From: Patrick Mulligan Date: Sun, 11 Jan 2026 20:03:39 +0100 Subject: [PATCH] Fix security vulnerabilities in lamassu module MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Fix SQL injection in PostgreSQL password setup by using psql's parameterized variable syntax (:'password') instead of direct string interpolation - Change skip2FA default to false for secure-by-default behavior 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 --- modules/lamassu-lnbits.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/lamassu-lnbits.nix b/modules/lamassu-lnbits.nix index 041c5c2..0c09e66 100644 --- a/modules/lamassu-lnbits.nix +++ b/modules/lamassu-lnbits.nix @@ -128,8 +128,8 @@ in skip2FA = mkOption { type = types.bool; - default = true; - description = "Skip 2FA authentication (useful for initial setup)"; + default = false; + description = "Skip 2FA authentication (only enable for initial setup, then disable)"; }; database = { @@ -252,7 +252,7 @@ in for i in {1..30}; do if ${pkgs.postgresql}/bin/psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='${cfg.database.user}'" | grep -q 1; then password=$(cat ${secretsDir}/lamassu-db-password) - ${pkgs.postgresql}/bin/psql -c "ALTER USER \"${cfg.database.user}\" WITH PASSWORD '$password';" + ${pkgs.postgresql}/bin/psql -v password="$password" -c "ALTER USER \"${cfg.database.user}\" WITH PASSWORD :'password';" exit 0 fi sleep 1