a968016815
release: bump version to v0.2.34
2026-03-20 19:46:42 +00:00
4ec95fed43
fix(deps): update tar 0.4.44 -> 0.4.45
...
Fixes CVE-2026-33055 (PAX size header bypass) and
CVE-2026-33056 (symlink chmod directory traversal).
2026-03-20 19:32:46 +00:00
6fa5dfd534
release: bump version to v0.2.33
2026-03-19 11:08:51 +00:00
c1f6430aa9
security: harden Docker registry and container runtime
...
- Verify blob digest (SHA256) on upload, reject mismatches (DIGEST_INVALID)
- Reject sha512 digests (only sha256 supported)
- Add upload session limits: max 100 concurrent, 2GB per session, 30min TTL
- Bind upload sessions to repository name (prevent session fixation)
- Filter .meta.json from Docker tag list (fix ArgoCD Image Updater recursion)
- Fix catalog to show namespaced images (library/alpine instead of library)
- Add security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Run containers as non-root user (USER nora) in all 3 Dockerfiles
- Add configurable NORA_MAX_UPLOAD_SESSIONS and NORA_MAX_UPLOAD_SESSION_SIZE_MB
2026-03-19 08:29:28 +00:00
3b9b2ee0a0
chore: repo cleanup — remove dead crates from workspace, stale files, duplicate assets
...
- Remove nora-cli and nora-storage from workspace (stub crates, not used)
- Remove root install.sh (duplicate of dist/install.sh)
- Remove root logo.jpg (duplicate of ui/logo.jpg)
- Remove committed SBOM .cdx.json files (generated by CI in release)
- Remove stale .githooks/ (real hook is in .git/hooks/)
- Update version in docs-ru to 0.2.32
- Add *.cdx.json to .gitignore
2026-03-18 11:20:22 +00:00
aa86633a04
security: add cargo-fuzz targets and ClusterFuzzLite config
...
Fuzz targets:
- fuzz_validation: storage key, Docker name, digest, reference validators
- fuzz_docker_manifest: Docker/OCI manifest media type detection
Infrastructure:
- lib.rs exposing validation module and docker_fuzz for fuzz harnesses
- ClusterFuzzLite project config (libfuzzer + ASan)
2026-03-17 11:20:17 +00:00
638f99d8dc
Merge pull request #32 from getnora-io/dependabot/cargo/tracing-subscriber-0.3.23
...
chore(deps): bump tracing-subscriber from 0.3.22 to 0.3.23
2026-03-17 13:38:22 +03:00
c55307a3af
Merge pull request #31 from getnora-io/dependabot/cargo/clap-4.6.0
...
chore(deps): bump clap from 4.5.60 to 4.6.0
2026-03-17 13:38:20 +03:00
dependabot[bot]
41eefdd90d
chore(deps): bump tracing-subscriber from 0.3.22 to 0.3.23
...
Bumps [tracing-subscriber](https://github.com/tokio-rs/tracing) from 0.3.22 to 0.3.23.
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-subscriber-0.3.22...tracing-subscriber-0.3.23)
---
updated-dependencies:
- dependency-name: tracing-subscriber
dependency-version: 0.3.23
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-17 04:25:13 +00:00
dependabot[bot]
94ca418155
chore(deps): bump clap from 4.5.60 to 4.6.0
...
Bumps [clap](https://github.com/clap-rs/clap) from 4.5.60 to 4.6.0.
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.60...clap_complete-v4.6.0)
---
updated-dependencies:
- dependency-name: clap
dependency-version: 4.6.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-17 04:25:03 +00:00
dependabot[bot]
e72648a6c4
chore(deps): bump tempfile from 3.26.0 to 3.27.0
...
Bumps [tempfile](https://github.com/Stebalien/tempfile) from 3.26.0 to 3.27.0.
- [Changelog](https://github.com/Stebalien/tempfile/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Stebalien/tempfile/compare/v3.26.0...v3.27.0)
---
updated-dependencies:
- dependency-name: tempfile
dependency-version: 3.27.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-17 04:24:55 +00:00
b3b74b8b2d
feat: npm full proxy — URL rewriting, scoped packages, publish, integrity cache (v0.2.31)
...
npm proxy:
- Rewrite tarball URLs in metadata to point to NORA (was broken — tarballs bypassed NORA)
- Scoped packages (@scope/package) full support in handler and repo index
- Metadata cache TTL (NORA_NPM_METADATA_TTL, default 300s) with stale-while-revalidate
- proxy_auth now wired into fetch_from_proxy (was configured but unused)
npm publish:
- PUT /npm/{package} — accepts standard npm publish payload
- Version immutability — 409 Conflict on duplicate version
- Tarball URL rewriting in published metadata
Security:
- SHA256 integrity verification on cached tarballs (immutable cache)
- Attachment filename validation (path traversal protection)
- Package name mismatch detection (URL vs payload)
Config:
- npm.metadata_ttl — configurable cache TTL (env: NORA_NPM_METADATA_TTL)
2026-03-16 12:32:16 +00:00
5a68bfd695
fix: dashboard — docker namespaced repos, npm proxy cache, upstream display (v0.2.30)
2026-03-16 08:55:33 +00:00
53884e143b
v0.2.29: upstream auth, remove dead code, version bump
...
- Remove unused DockerAuth::fetch_with_auth() method
- Fix basic_auth_header docstring
- Bump to v0.2.29
2026-03-15 21:42:49 +00:00
272898f43c
fix: quinn-proto CVE, add Telegram @getnora, fix website URL
2026-03-13 16:44:20 +00:00
68089b2bbf
chore: bump version to 0.2.28
2026-03-12 19:23:32 +00:00
af411a2bf4
Merge pull request #28 from getnora-io/dependabot/cargo/toml-1.0.6spec-1.1.0
...
chore(deps): bump toml from 1.0.3+spec-1.1.0 to 1.0.6+spec-1.1.0
2026-03-12 22:14:13 +03:00
96ccd16879
Merge pull request #27 from getnora-io/dependabot/cargo/uuid-1.22.0
...
chore(deps): bump uuid from 1.21.0 to 1.22.0
2026-03-12 22:14:09 +03:00
6582000789
Merge pull request #26 from getnora-io/dependabot/cargo/tokio-1.50.0
...
chore(deps): bump tokio from 1.49.0 to 1.50.0
2026-03-12 22:14:06 +03:00
dependabot[bot]
9349b93757
chore(deps): bump toml from 1.0.3+spec-1.1.0 to 1.0.6+spec-1.1.0
...
Bumps [toml](https://github.com/toml-rs/toml) from 1.0.3+spec-1.1.0 to 1.0.6+spec-1.1.0.
- [Commits](https://github.com/toml-rs/toml/compare/toml-v1.0.3...toml-v1.0.6)
---
updated-dependencies:
- dependency-name: toml
dependency-version: 1.0.6+spec-1.1.0
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-10 04:26:09 +00:00
dependabot[bot]
69080dfd90
chore(deps): bump uuid from 1.21.0 to 1.22.0
...
Bumps [uuid](https://github.com/uuid-rs/uuid) from 1.21.0 to 1.22.0.
- [Release notes](https://github.com/uuid-rs/uuid/releases)
- [Commits](https://github.com/uuid-rs/uuid/compare/v1.21.0...v1.22.0)
---
updated-dependencies:
- dependency-name: uuid
dependency-version: 1.22.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-10 04:25:59 +00:00
dependabot[bot]
ae799aed94
chore(deps): bump tokio from 1.49.0 to 1.50.0
...
Bumps [tokio](https://github.com/tokio-rs/tokio) from 1.49.0 to 1.50.0.
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.49.0...tokio-1.50.0)
---
updated-dependencies:
- dependency-name: tokio
dependency-version: 1.50.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-10 04:25:50 +00:00
dependabot[bot]
95c6e403a8
chore(deps): bump bcrypt from 0.18.0 to 0.19.0
...
Bumps [bcrypt](https://github.com/Keats/rust-bcrypt) from 0.18.0 to 0.19.0.
- [Commits](https://github.com/Keats/rust-bcrypt/compare/v0.18.0...v0.19.0)
---
updated-dependencies:
- dependency-name: bcrypt
dependency-version: 0.19.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-10 04:25:38 +00:00
a9455c35b9
chore: bump version to 0.2.27
2026-03-03 22:30:24 +00:00
4c3a9f6bd5
chore: bump version to 0.2.26
...
DevITWay
2026-03-03 10:41:38 +00:00
e34032d08f
chore: bump version to 0.2.25
...
Changes:
- fix(rate-limit): NORA_RATE_LIMIT_ENABLED flag + SmartIpKeyExtractor
- deps: clap 4.5.60, uuid 1.21.0, tempfile 3.26.0, bcrypt 0.18.0, indicatif 0.18.4
- ci: checkout v6, upload-artifact v7, gh-release v2, trivy v0.34.2, build-push v6
2026-03-03 09:16:20 +00:00
45c3e276dc
Merge pull request #8 from getnora-io/dependabot/cargo/indicatif-0.18.4
...
chore(deps): bump indicatif from 0.17.11 to 0.18.4
2026-03-03 12:13:33 +03:00
dependabot[bot]
f4e53b85dd
chore(deps): bump indicatif from 0.17.11 to 0.18.4
...
Bumps [indicatif](https://github.com/console-rs/indicatif) from 0.17.11 to 0.18.4.
- [Release notes](https://github.com/console-rs/indicatif/releases)
- [Commits](https://github.com/console-rs/indicatif/compare/0.17.11...0.18.4)
---
updated-dependencies:
- dependency-name: indicatif
dependency-version: 0.18.4
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-03 09:13:21 +00:00
05d89d5153
Merge pull request #18 from getnora-io/dependabot/cargo/bcrypt-0.18.0
...
chore(deps): bump bcrypt from 0.17.1 to 0.18.0
2026-03-03 12:13:20 +03:00
b149f7ebd4
Merge pull request #19 from getnora-io/dependabot/cargo/tempfile-3.26.0
...
chore(deps): bump tempfile from 3.24.0 to 3.26.0
2026-03-03 12:12:32 +03:00
5254e2a54a
Merge pull request #17 from getnora-io/dependabot/cargo/uuid-1.21.0
...
chore(deps): bump uuid from 1.20.0 to 1.21.0
2026-03-03 12:12:19 +03:00
dependabot[bot]
4c05df2359
chore(deps): bump clap from 4.5.56 to 4.5.60
...
Bumps [clap](https://github.com/clap-rs/clap) from 4.5.56 to 4.5.60.
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.56...clap_complete-v4.5.60)
---
updated-dependencies:
- dependency-name: clap
dependency-version: 4.5.60
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-03 08:53:05 +00:00
7f8e3cfe68
fix(rate-limit): add NORA_RATE_LIMIT_ENABLED flag and SmartIpKeyExtractor
...
- Add enabled field to RateLimitConfig (default: true, env: NORA_RATE_LIMIT_ENABLED)
- Skip rate limiter layers entirely when disabled
- Replace PeerIpKeyExtractor with SmartIpKeyExtractor for upload/general routes
to correctly identify clients behind reverse proxies and Docker bridge networks
- Keep PeerIpKeyExtractor for auth routes (stricter brute-force protection)
Root cause: PeerIpKeyExtractor saw all Docker bridge traffic as single IP (172.17.0.1),
exhausting GCRA bucket for all clients simultaneously. With burst=1M, recovery time
reached 84000+ seconds.
2026-03-03 08:51:33 +00:00
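The root cause described above (every bridge connection keyed to 172.17.0.1) and the shape of the fix, as an added example that is not NORA's or tower_governor's code: a peer-IP key extractor beside a simplified forwarded-header-aware one that only trusts the header when the direct peer is a known proxy. `Req`, `bucket_counts`, the trusted-proxy list and the sample addresses are assumptions constructed for this example.

```rust
use std::collections::HashSet;
use std::net::IpAddr;

/// Minimal request stand-in: TCP peer address plus headers.
/// Constructed for this example; not NORA's or tower_governor's types.
pub struct Req<'a> {
    pub peer: IpAddr,
    pub headers: &'a [(&'a str, &'a str)],
}

/// Peer-IP keying. Everything arriving via the Docker bridge gateway (or a
/// reverse proxy) carries the gateway's address, so all clients share one bucket.
pub fn peer_ip_key(req: &Req) -> IpAddr {
    req.peer
}

/// Forwarded-header-aware keying. Headers are honoured only when the direct
/// peer is a trusted proxy; any other client keys to its real peer address,
/// so nobody can pick their own bucket just by sending the header.
pub fn smart_ip_key(req: &Req, trusted_proxies: &[IpAddr]) -> IpAddr {
    if !trusted_proxies.contains(&req.peer) {
        return req.peer;
    }
    for (name, value) in req.headers {
        let candidate = if name.eq_ignore_ascii_case("x-forwarded-for") {
            value.split(',').next() // leftmost entry is the originating client
        } else if name.eq_ignore_ascii_case("x-real-ip") {
            Some(*value)
        } else {
            None
        };
        if let Some(ip) = candidate.and_then(|s| s.trim().parse::<IpAddr>().ok()) {
            return ip;
        }
    }
    req.peer // proxy sent nothing usable; fall back to its own address
}

/// Number of distinct limiter buckets a batch of requests is spread over.
pub fn distinct_buckets(reqs: &[Req], key: impl Fn(&Req) -> IpAddr) -> usize {
    reqs.iter().map(|r| key(r)).collect::<HashSet<_>>().len()
}

/// Constructed traffic: three clients behind the bridge gateway 172.17.0.1,
/// plus one direct client that sets X-Forwarded-For without being a proxy.
/// Returns (buckets with peer keying, buckets with smart keying).
pub fn bucket_counts() -> (usize, usize) {
    let gw: IpAddr = "172.17.0.1".parse().unwrap();
    let direct: IpAddr = "10.0.0.9".parse().unwrap();
    let reqs = [
        Req { peer: gw, headers: &[("x-forwarded-for", "192.0.2.10, 172.17.0.1")] },
        Req { peer: gw, headers: &[("X-Forwarded-For", "192.0.2.11")] },
        Req { peer: gw, headers: &[("x-real-ip", "192.0.2.12")] },
        Req { peer: direct, headers: &[("x-forwarded-for", "203.0.113.7")] },
    ];
    let trusted = [gw];
    (
        distinct_buckets(&reqs, peer_ip_key),
        distinct_buckets(&reqs, |r| smart_ip_key(r, &trusted)),
    )
}
```

With peer keying the three bridge clients collapse into one bucket (2 buckets total); with trusted-proxy-aware keying each gets its own (4), while the direct client's self-supplied header is ignored.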
dependabot[bot]
13f33e8919
chore(deps): bump tempfile from 3.24.0 to 3.26.0
...
Bumps [tempfile](https://github.com/Stebalien/tempfile) from 3.24.0 to 3.26.0.
- [Changelog](https://github.com/Stebalien/tempfile/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Stebalien/tempfile/compare/v3.24.0...v3.26.0)
---
updated-dependencies:
- dependency-name: tempfile
dependency-version: 3.26.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-03 04:26:40 +00:00
dependabot[bot]
7454ff2e03
chore(deps): bump bcrypt from 0.17.1 to 0.18.0
...
Bumps [bcrypt](https://github.com/Keats/rust-bcrypt) from 0.17.1 to 0.18.0.
- [Commits](https://github.com/Keats/rust-bcrypt/compare/v0.17.1...v0.18.0)
---
updated-dependencies:
- dependency-name: bcrypt
dependency-version: 0.18.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-03 04:26:29 +00:00
dependabot[bot]
5ffb5a9be3
chore(deps): bump uuid from 1.20.0 to 1.21.0
...
Bumps [uuid](https://github.com/uuid-rs/uuid) from 1.20.0 to 1.21.0.
- [Release notes](https://github.com/uuid-rs/uuid/releases)
- [Commits](https://github.com/uuid-rs/uuid/compare/v1.20.0...v1.21.0)
---
updated-dependencies:
- dependency-name: uuid
dependency-version: 1.21.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-03 04:26:15 +00:00
4ad802ce2f
fix: bump prometheus 0.13->0.14 and bytes 1.11.0->1.11.1 (CVE-2025-53605, CVE-2026-25541)
2026-02-24 11:36:07 +00:00
dependabot[bot]
04c806b659
chore(deps): bump chrono from 0.4.43 to 0.4.44 (#10)
...
Bumps [chrono](https://github.com/chronotope/chrono) from 0.4.43 to 0.4.44.
- [Release notes](https://github.com/chronotope/chrono/releases)
- [Changelog](https://github.com/chronotope/chrono/blob/main/CHANGELOG.md)
- [Commits](https://github.com/chronotope/chrono/compare/v0.4.43...v0.4.44)
---
updated-dependencies:
- dependency-name: chrono
dependency-version: 0.4.44
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:23:06 +01:00
dependabot[bot]
50a5395a87
chore(deps): bump quick-xml from 0.31.0 to 0.39.2 (#9)
...
Bumps [quick-xml](https://github.com/tafia/quick-xml) from 0.31.0 to 0.39.2.
- [Release notes](https://github.com/tafia/quick-xml/releases)
- [Changelog](https://github.com/tafia/quick-xml/blob/master/Changelog.md)
- [Commits](https://github.com/tafia/quick-xml/compare/v0.31.0...v0.39.2)
---
updated-dependencies:
- dependency-name: quick-xml
dependency-version: 0.39.2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:22:58 +01:00
dependabot[bot]
bcd172f23f
chore(deps): bump toml from 0.8.23 to 1.0.3+spec-1.1.0 (#7)
...
Bumps [toml](https://github.com/toml-rs/toml) from 0.8.23 to 1.0.3+spec-1.1.0.
- [Commits](https://github.com/toml-rs/toml/compare/toml-v0.8.23...toml-v1.0.3)
---
updated-dependencies:
- dependency-name: toml
dependency-version: 1.0.3+spec-1.1.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:22:52 +01:00
dependabot[bot]
a5a7c4f8be
chore(deps): bump flate2 from 1.1.8 to 1.1.9 (#6)
...
Bumps [flate2](https://github.com/rust-lang/flate2-rs) from 1.1.8 to 1.1.9.
- [Release notes](https://github.com/rust-lang/flate2-rs/releases)
- [Commits](https://github.com/rust-lang/flate2-rs/compare/1.1.8...1.1.9)
---
updated-dependencies:
- dependency-name: flate2
dependency-version: 1.1.9
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:22:46 +01:00
42e71b9195
refactor: use shared reqwest::Client across all registry handlers
...
Add http_client field to AppState, initialized once at startup.
Replace per-request Client::builder() calls in npm, maven, pypi,
and docker registry handlers with the shared instance.
This reuses the connection pool across requests instead of
creating a new client on every proxy fetch.
Bump version to 0.2.20.
2026-02-23 07:45:44 +00:00
eb77060114
perf: add in-memory repo index with pagination
...
- Add repo_index.rs with lazy rebuild on write operations
- Double-checked locking to prevent race conditions
- npm optimization: count tarballs instead of parsing metadata.json
- Add pagination to all registry list pages (?page=1&limit=50)
- Invalidate index on PUT/proxy cache in docker/maven/npm/pypi
Performance: 500-800x faster list page loads after first rebuild
2026-01-31 15:59:00 +00:00
b29a0309d4
feat: add S3 authentication and fix Docker multi-segment routes
...
S3 Storage:
- Implement AWS Signature v4 for S3-compatible storage (MinIO, AWS)
- Add s3_access_key, s3_secret_key, s3_region config options
- Support both authenticated and anonymous S3 access
- Add proper URI encoding for S3 canonical requests
Docker Registry:
- Fix routing for multi-segment image names (e.g., library/alpine)
- Add namespace routes for two-segment paths (/v2/{ns}/{name}/...)
- Add debug tracing for upstream proxy operations
Config:
- Add NORA_STORAGE_S3_ACCESS_KEY env var
- Add NORA_STORAGE_S3_SECRET_KEY env var
- Add NORA_STORAGE_S3_REGION env var (default: us-east-1)
2026-01-30 23:22:22 +00:00
5fc4237ac5
feat: add Docker image metadata support
...
- Store metadata (.meta.json) alongside manifests with:
- push_timestamp, last_pulled, downloads counter
- size_bytes, os, arch, variant
- layers list with digest and size
- Update metadata on manifest pull (increment downloads, update last_pulled)
- Extract OS/arch from config blob on push
- Extend UI API TagInfo with metadata fields
- Add public_url config option for pull commands
- Add Docker upstream proxy with auth support
- Add raw repository support
- Bump version to 0.2.12
2026-01-30 15:52:29 +00:00
ee4e01467a
feat: add secrets provider architecture
...
Trait-based secrets management for secure credential handling:
- SecretsProvider trait for pluggable backends
- EnvProvider as default (12-Factor App pattern)
- ProtectedString with zeroize (memory zeroed on drop)
- Redacted Debug impl prevents secret leakage in logs
- S3Credentials struct for future AWS S3 integration
- Config: [secrets] section with provider and clear_env options
Foundation for AWS Secrets Manager, Vault, K8s (v0.4.0+)
2026-01-30 10:02:58 +00:00
d162e96841
Add i18n support, PyPI proxy, and UI improvements
...
- Add Russian/English language switcher with cookie persistence
- Add PyPI proxy support with caching (like npm)
- Add height limits to Activity Log and Mount Points tables
- Change Cargo icon to delivery truck
- Replace graphical logo with styled text "NORA"
- Bump version to 0.2.11
2026-01-26 19:31:28 +00:00
411bc75e5e
Apply dark theme to all UI pages
...
- Convert registry list, docker detail, package detail, maven detail pages to dark theme
- Use layout_dark instead of layout for all pages
- Update colors: bg-[#1e293b] cards, slate-700 borders, slate-200/400 text
- Mark unused light theme functions with #[allow(dead_code)]
2026-01-26 18:43:11 +00:00
86130a80ce
Display version dynamically in UI sidebar
...
- Add VERSION constant using CARGO_PKG_VERSION
- Show version in both light and dark theme sidebars
- Update workspace version to 0.2.7
2026-01-26 17:31:39 +00:00
f1cda800a2
Fix Docker push/pull: add PATCH endpoint for chunked uploads
...
- Add PATCH handler for /v2/{name}/blobs/uploads/{uuid} to support
chunked blob uploads (Docker sends data chunks via PATCH)
- Include Range header in PATCH response to indicate bytes received
- Add Docker-Content-Digest header to GET manifest responses
- Store manifests by both tag and digest for proper pull support
- Add parking_lot dependency for upload session state management
2026-01-26 12:01:05 +00:00