
Portlama E2E: 11 — Input Validation & Security Hardening

Started at 2026-03-28 22:39:06 UTC

Pre-flight: check onboarding is complete

Invalid UUID for tunnel operations

22:39:06 PATCH /api/tunnels/not-a-uuid returns 400
22:39:06 DELETE /api/tunnels/not-a-uuid returns 400
22:39:06 PATCH /api/tunnels/../etc/passwd rejected (HTTP 404)

Invalid UUID for site operations

22:39:06 DELETE /api/sites/not-a-uuid returns 400

Invalid invite token format

22:39:06 GET /api/invite/not-a-valid-token returns 400
22:39:06 POST /api/invite/not-a-valid-token/accept returns 400
22:39:06 Path traversal does not expose /etc/passwd

Invalid domain format in certs endpoint

22:39:06 POST /api/certs/a..b/renew returns 400
22:39:06 POST /api/certs/.../renew returns 400
22:39:06 POST /api/certs/evil.com;inject/renew returns 400

Subdomain injection attempts

22:39:06 Subdomain with semicolon rejected (HTTP 400)
22:39:06 Subdomain with newline rejected (HTTP 400)
22:39:06 Subdomain with path traversal rejected (HTTP 400)
22:39:06 Subdomain with uppercase rejected (HTTP 400)
22:39:06 Subdomain with 64 chars rejected (HTTP 400)

Port boundary validation

22:39:06 Port 0 rejected (HTTP 400)
22:39:06 Port 1023 rejected (HTTP 400)
22:39:06 Port 65536 rejected (HTTP 400)
22:39:06 Port -1 rejected (HTTP 400)
22:39:06 Port 'abc' (string) rejected (HTTP 400)

Malformed JSON bodies

22:39:06 Invalid JSON body to /api/tunnels returns 400
22:39:06 Empty body to /api/users rejected (HTTP 400)

File permissions

22:39:06 /etc/portlama/tunnels.json has correct permissions (600)
⏭️ 22:39:06 /etc/portlama/sites.json not found
22:39:06 panel.json has correct permissions (640)


Results

Metric    Count
Passed    24
Failed    0
Skipped   1
Total     25

Released under the PolyForm Noncommercial License 1.0.0