Jul 2nd, 2022
Reverse Shell Vulnerability Fix
A reverse shell, also known as a remote shell or “connect-back shell,” takes advantage of the target system’s vulnerabilities to initiate a shell session and then access the victim’s computer. The goal is to connect to a remote computer and redirect the input and output connections of the target system’s shell so the attacker can access it remotely.
During our beta testing program, one of the testers (Paul Tharun) identified Reverse Shell Vulnerability in our backend. With this release, we successfully fixed the Reverse Shell Vulnerability and improved our infrastructure architecture to reduce the attacks happening from outside.
Singular User Profile
We have aggregated users’ Git profiles to a single Spheron profile. Users can signup with any git provider, if the primary email of your git account is the same, you will be login into the same account that contains all your projects. Users can even attach other accounts from the dashboard and log in with the same account to access the dashboard. This also simplifies the aggregation of all the git continuous deployment.
Domain got Environment
With this release, users can attach a deployment environment with a particular domain. Attaching a deployment environment to the domain will give users the flexibility to segregate their domains based on the environment of a project. That means, that if the deployment of a deployment environment is finished, the domain attached to the deployment environment will get updated with the new deployment link.
Variable got Environment
With this release, users can attach a deployment environment with a particular build environment variable. Attaching an environment to a variable will give users the flexibility to use variables only for a particular environment. For e.g., if users have different environment variables for the development and production environment, they can put 2 different values for the same variable key connected with different deployment environments.
Import Environment
User can now directly import their environment variable from a file. The specification of the file is mentioned in the doc. Users have to create a JSON file that will look like this
1[
2 {
3 "name": "Key5", // name of the key
4 "value": "B" // value of env variable
5 "environments": ["Development"] // environments you need to attach to the variable
6 },
7 {
8 "name": "Key8",
9 "value": "a"
10 },
11 {
12 "name": "Key5",
13 "value": "test",
14 "environments": ["Production"]
15 },
16 {
17 "name": "Key10",
18 "value": "base",
19 "environments": ["Production", "Development"]
20 }
21]
Users just have to specify name, value, and environments in a file and import them from the dashboard. This will reduce the time to incorporate all the environment variables required in the project one by one.
Arbitrum Integration
We have introduced the Arbitrum chain for subscription payments. Users can now use tokens in the Arbitrum chain to pay their subscription. We have allowed 4 tokens
- USDT, USDC, DAI, and WETH on the arbitrum chain to start with. All the user flow is the same as polygon but you will be able to connect your metamask and select Arbitrum chain to upgrade to pro and buy bonuses. You can also view your allowances and the balance of selected tokens in the arbitrum chain. We have also improved the invoice UI to show networks used to pay subscriptions and bonuses each month.
Fixes 🛠
We've shipped some bug fixes from your feedback to improve your product experience.
Here are some of the recent ones.
- Build Environment: Scope of the build environment is increased to the install dependency phase.
- Remove Member Constraint: We have improved the constraint on removing a member based on the roles in the organization. We also fixed the bug found during the beta testing program - Users are able to remove themselves from the organization.
- Ignore Depandabot Branch: As per the experience of some of our beta users, we have decided to ignore continuous deployment on depandabot-based branches to reduce the redundant usage of build time of an organization. The depandabot branches are not getting attached automatically to the development environment.
- We have restricted the use of one NFT for accessing only one account.
- Publish Directory Validation: We have added validation on publish directory to make sure users can’t access anything outside the root directory of their project.
- Domain Name Validation: We have added validation on centralized domains & subdomains and ENS domains. User can only add domains if it passes the validation.
- We have added a warning in the deployment logs to remind users to add a relative path fix for hash-based deployment.
- Users can now access environment variables in the install dependency phase.
- Invoice Improvements: We have fixed the decimal points for showing the price feed of tokens and made some small fixes.
- IPFS Pinning Issue: Deployment on IPFS was not getting pinned on Filecoin or Pinata.
Mitrasish Mukherjee
Cofounder & Product Lead
- •Provider
- •Fizz Node
- •Console
- •CLI
- •Media Kit
- •Changelog
- •Join Community
- •Blog
- •Youtube
- •Linkedin
- •Discord
- •X