fix: mitigate WebSocket CSRF and restrict sensitive file permissions

apconfig.go

@@ -156,7 +156,7 @@ func SaveAPConfig(config *APConfig) error {
 
 	// Write updated configuration
 	newConfig := strings.Join(newLines, "\n")
-	if err := ioutil.WriteFile(hostapdConfigPath, []byte(newConfig), 0644); err != nil {
+	if err := ioutil.WriteFile(hostapdConfigPath, []byte(newConfig), 0600); err != nil {
 		return fmt.Errorf("failed to write hostapd config: %v", err)
 	}
 

ltemodem.go

@@ -662,7 +662,7 @@ func SaveLTEConfig(config *LTEConfig) error {
 	content := fmt.Sprintf("APN=%s\nUSERNAME=%s\nPASSWORD=%s\nAUTO_CONNECT=%t\n",
 		config.APN, config.Username, config.Password, config.AutoConnect)
 
-	return os.WriteFile(lteConfigPath, []byte(content), 0644)
+	return os.WriteFile(lteConfigPath, []byte(content), 0600)
 }
 
 // Write quectel-CM arguments to /userdata/lte.env for system service
@@ -678,7 +678,7 @@ func writeLTEEnv(config *LTEConfig) error {
 	}
 
 	// Write to /userdata/lte.env for quectel.sh to read
-	if err := os.WriteFile("/userdata/lte.env", []byte(args), 0644); err != nil {
+	if err := os.WriteFile("/userdata/lte.env", []byte(args), 0600); err != nil {
 		return fmt.Errorf("failed to write lte.env: %v", err)
 	}
 

rtk_config.go

@@ -119,7 +119,7 @@ func saveRTKConfig(config *RTKConfig) error {
 		return fmt.Errorf("failed to marshal RTK config: %v", err)
 	}
 
-	if err := os.WriteFile("/data/rtk_config.json", data, 0644); err != nil {
+	if err := os.WriteFile("/data/rtk_config.json", data, 0600); err != nil {
 		return fmt.Errorf("failed to write RTK config file: %v", err)
 	}
 

webserver.go

@@ -178,9 +178,34 @@ var (
 	startTime               time.Time
 	serialPort           io.Writer // Serial port for sending commands
 	serialPortMutex      sync.Mutex
-	upgrader             = websocket.Upgrader{
+	// allowedOrigins lists the origins permitted to connect via WebSocket.
+	// Add trusted origins here (e.g., "http://localhost:3000", "http://192.168.1.x:3000").
+	allowedOrigins = map[string]bool{
+		"http://localhost:3000":   true,
+		"http://127.0.0.1:3000":  true,
+		"http://localhost":       true,
+		"http://127.0.0.1":      true,
+	}
+
+	upgrader = websocket.Upgrader{
 		CheckOrigin: func(r *http.Request) bool {
-			return true // Allow all origins for now
+			origin := r.Header.Get("Origin")
+			// Allow requests with no Origin header (non-browser clients)
+			if origin == "" {
+				return true
+			}
+			// Check against the allow-list of trusted origins
+			if allowedOrigins[origin] {
+				return true
+			}
+			// Allow any origin on the local network (192.168.x.x, 10.x.x.x)
+			if strings.HasPrefix(origin, "http://192.168.") ||
+				strings.HasPrefix(origin, "http://10.") ||
+				strings.HasPrefix(origin, "http://172.") {
+				return true
+			}
+			log.Printf("WebSocket connection rejected: untrusted origin %q", origin)
+			return false
 		},
 	}
 )

wifimanager.go

@@ -304,7 +304,7 @@ func ConnectToWiFi(ssid, password string, keyMgmt string) error {
 	newConfig := currentConfig + networkBlock
 
 	// Write updated configuration
-	if err := ioutil.WriteFile(wpaSupplicantConf, []byte(newConfig), 0644); err != nil {
+	if err := ioutil.WriteFile(wpaSupplicantConf, []byte(newConfig), 0600); err != nil {
 		return fmt.Errorf("failed to write wpa_supplicant config: %v", err)
 	}