v1.7.0 #318

Merged
LukeGus merged 138 commits from dev-1.7.0 into main 2025-10-01 20:40:10 +00:00
LukeGus commented 2025-10-01 20:32:54 +00:00 (Migrated from github.com)

Improves encryption, overhauled the file manager, better credential system, fixed various bugs, and automated SSL generation

Update Log:

  • Completely overhauled the file manager. It is now similar to that of Windows Explorer. You can manage files directly on remote servers with support for viewing and editing code, images, audio, and video. You can also upload, download, rename, delete, and move files seamlessly.
  • Added SSH certificate generation within the credential manager. You can also deploy the SSH certificates to the server automatically.
  • Improved database security by locking out user data after inactivity and storing it with AES-256 encryption.
  • Added ability to import/export your DB to other instances of Termix
  • Improved SSH tunnel reliability
  • Added versioning system to Electron desktop builds
  • Generate SSL certificates within Termix via .env variables. See docs (https://docs.termix.site/ssl).
  • Moved backend ports to the 30000 range so that you can use ports 8081-8085 for the frontend. This does not affect existing Termix setups.

Bug Fixes:

  • Issue Termix-SSH/Support#178 (fixed macOS symbols)
  • Issue Termix-SSH/Termix#227 (added symlink support)
  • Improved error handling when Termix cannot connect to the DB
ZacharyZcR (Migrated from github.com) reviewed 2025-10-01 20:32:54 +00:00
gemini-code-assist[bot] commented 2025-10-01 20:35:27 +00:00 (Migrated from github.com)

Summary of Changes

Hello @LukeGus, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces Termix 1.7.0, a significant update focusing on bolstering security, expanding file management capabilities, and streamlining deployment. Key changes include a complete overhaul of the remote file manager, advanced SSH credential management with key generation and deployment, and robust database encryption with data import/export features. The update also brings automated SSL certificate generation, optimized Docker and Electron builds, and a reconfigured backend port range for better compatibility. These enhancements aim to provide a more secure, feature-rich, and user-friendly server management experience.

Highlights

  • File Manager Overhaul: The file manager has been completely redesigned to mimic Windows Explorer, offering advanced capabilities like viewing and editing various file types (code, images, audio, video), and seamless file operations (upload, download, rename, delete, move) directly on remote servers.
  • Enhanced Credential System: The credential manager now supports SSH certificate generation, allowing users to create and automatically deploy SSH certificates to servers, alongside improved handling of SSH keys including private and public key fields.
  • Improved Database Security: Database security has been significantly upgraded with user data encryption using AES-256, inactivity-based data lockout, and a new migration system for existing unencrypted data. Data export/import functionality is also introduced.
  • Automated SSL Generation: Termix now includes automated SSL certificate generation and management via .env variables, simplifying HTTPS setup for self-hosted instances.
  • Docker and Electron Build Enhancements: Docker builds are optimized with a smaller base image, apt-get for dependencies, and font file pruning. Electron desktop builds now include a versioning system and improved server connection testing.
  • Backend Port Reconfiguration: Backend API ports have been moved to the 30000 range to avoid conflicts with common frontend development ports, ensuring smoother integration.
  • Bug Fixes and Reliability: Various bugs have been addressed, including fixes for macOS symbols (Issue Termix-SSH/Support#178), added symlink support (Issue Termix-SSH/Termix#227), and improved error handling for database connection issues. SSH tunnel reliability has also been enhanced.
Ignored Files
  • Ignored by pattern: .github/workflows/** (2)
    • .github/workflows/docker-image.yml
    • .github/workflows/electron-build.yml
gemini-code-assist[bot] (Migrated from github.com) reviewed 2025-10-01 20:38:41 +00:00
gemini-code-assist[bot] (Migrated from github.com) left a comment

Code Review

This is a substantial pull request that introduces significant new features and major architectural improvements, particularly around security and data management. The overhaul of the file manager, the introduction of a comprehensive encryption-at-rest model for the database, and the automated SSL setup are all excellent additions. My review has identified a few critical and high-severity issues related to security in the Electron app, build reproducibility in the Dockerfile, and potential Denial of Service vulnerabilities due to overly permissive request size limits in the backend services. Addressing these points will greatly enhance the security and stability of the application.

gemini-code-assist[bot] (Migrated from github.com) commented 2025-10-01 20:38:40 +00:00

high

This command removes package-lock.json and uses npm install --force, which undermines the principle of reproducible builds. Using npm ci is strongly recommended for Docker builds as it installs dependencies exactly as specified in package-lock.json, ensuring that the build is consistent and deterministic across all environments. If there are dependency conflicts, they should be resolved in package.json rather than being bypassed with --force.

RUN npm ci --ignore-scripts && \
    npm cache clean --force
@@ -4,1 +7,4 @@
app.commandLine.appendSwitch("--ignore-ssl-errors");
app.commandLine.appendSwitch("--ignore-certificate-errors-spki-list");
app.commandLine.appendSwitch("--enable-features=NetworkService");
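Review bot: `--ignore-certificate-errors-spki-list` (second switch) is appended with no value, although that Chromium switch expects a list of SPKI hashes to exempt, so as written it names no certificate and the intent is unclear. Either pass the pinned hashes as the second argument or drop the line. Electron documents the call as `appendSwitch(switch[, value])`, so the third line would be clearer as `appendSwitch("enable-features", "NetworkService")` than with `=NetworkService` packed into the name. All three switches apply to the whole process rather than to one connection, which is worth a comment in the code stating why that scope is needed.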
gemini-code-assist[bot] (Migrated from github.com) commented 2025-10-01 20:38:41 +00:00

medium

Globally ignoring all certificate and SSL errors is a significant security risk. This makes the application vulnerable to Man-in-the-Middle (MITM) attacks, as it will trust any certificate, including malicious ones. While this might be intended for connecting to self-hosted instances with self-signed certificates, it should not be enabled by default for all connections. Consider making this a user-configurable setting that is disabled by default, and perhaps apply it more granularly only to user-defined server connections rather than globally.

@@ -99,0 +189,4 @@
`GitHub API error: ${response.status} ${response.statusText}`,
);
}
gemini-code-assist[bot] (Migrated from github.com) commented 2025-10-01 20:38:40 +00:00

critical

Disabling certificate validation (rejectUnauthorized: false) for requests to the GitHub API is a critical security vulnerability. The GitHub API uses a valid, trusted SSL certificate, so there is no need to bypass this check. This code exposes users to Man-in-the-Middle (MITM) attacks when checking for application updates, where an attacker could intercept the request and provide a malicious update package. The custom fetch implementation and its security-disabling options should be removed for API calls to trusted services like GitHub.

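The two certificate comments above (global ignore switches, and `rejectUnauthorized: false` for the GitHub API) both point at the same fix: waive a certificate error only for a server the user explicitly pinned, and never for anything else. The following is an added example, not code from this pull request or from Termix; `PINS`, its host name, its fingerprint value and `makeCertErrorHandler` are constructed for illustration, and the handler follows the argument order of Electron's `certificate-error` app event.

```javascript
// Added example. PINS is a constructed allow-list: host -> certificate
// fingerprint the user accepted when adding that self-hosted server.
const PINS = new Map([
  ["termix.lan.example:8443", "sha256/CONSTRUCTED-FINGERPRINT-AAAA="],
]);

// Returns a handler with the argument order of Electron's app
// "certificate-error" event. The default is deny: a certificate error is
// waived only when both the host and the presented fingerprint match a pin.
function makeCertErrorHandler(pins, log = () => {}) {
  return (event, _webContents, url, error, certificate, callback) => {
    let host;
    try {
      host = new URL(url).host; // includes the port when it is non-default
    } catch {
      return callback(false); // unparseable URL: keep the error fatal
    }
    const pinned = pins.get(host);
    const ok = pinned !== undefined && pinned === certificate.fingerprint;
    log({ host, error, ok }); // audit trail of every waived or refused error
    if (ok) event.preventDefault(); // Electron requires this before callback(true)
    callback(ok);
  };
}

// Wiring inside the Electron main process (not executed in this example):
//   app.on("certificate-error", makeCertErrorHandler(PINS, console.warn));
// With this in place no global ignore switch is needed, and requests to
// hosts without a pin (api.github.com included) keep normal validation.
```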
@@ -203,3 +317,4 @@
app.get("/releases/rss", authenticateJWT, async (req, res) => {
try {
const page = parseInt(req.query.page as string) || 1;
const per_page = Math.min(
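Review bot: `parseInt(req.query.page as string) || 1` lets negative page numbers through, because `|| 1` only replaces `NaN` and `0`; a request with `page=-3` yields -3. Pass the radix and clamp the result, for example `Math.max(1, parseInt(req.query.page as string, 10) || 1)`. The `as string` cast also hides the case where `page` is supplied more than once and arrives as an array, so an explicit type check before parsing would be safer.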
gemini-code-assist[bot] (Migrated from github.com) commented 2025-10-01 20:38:40 +00:00

high

The request body size limits are set to extremely large values (1gb and 5gb). This exposes the server to potential Denial of Service (DoS) attacks, as a malicious actor could send very large requests to exhaust server memory and resources. It's recommended to set these limits to a more reasonable value based on expected use cases (e.g., the maximum size of a database import). Consider making this limit configurable via an environment variable with a safer default.

app.use(bodyParser.json({ limit: "100mb" }));
app.use(bodyParser.urlencoded({ limit: "100mb", extended: true }));
app.use(bodyParser.raw({ limit: "500mb", type: "application/octet-stream" }));
@@ -69,0 +163,4 @@
sessionId,
});
return res.status(401).json({ error: "Authentication required" });
}
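Review bot: `sessionId` is included in the object that closes just before `return res.status(401)`; if that call is a log statement, every rejected request writes a session identifier to the logs, where it is readable by anyone with log access. Log a truncated or hashed form of the identifier, or leave it out of the unauthenticated path.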
gemini-code-assist[bot] (Migrated from github.com) commented 2025-10-01 20:38:41 +00:00

high

The request body size limits are set to extremely large values (1gb and 5gb). This poses a significant Denial of Service (DoS) risk. The 5GB limit for raw streams is particularly concerning for file uploads, as it could allow an attacker to exhaust server memory. For large file uploads, it's better to use a streaming approach rather than buffering the entire file in memory. The limits should be reduced to safer defaults and ideally be configurable.

app.use(express.json({ limit: "100mb" }));
app.use(express.urlencoded({ limit: "100mb", extended: true }));
app.use(express.raw({ limit: "500mb", type: "application/octet-stream" }));
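Both body-size comments above ask for limits that are configurable with a safe default, and for uploads to be streamed instead of buffered. The following is an added example of that, not code from this pull request or from Termix; the environment variable `BODY_LIMIT_RAW`, the `1gb` ceiling and the helper names `parseSize`, `resolveLimit` and `receiveCapped` are hypothetical, and it uses only Node's request-stream events so it applies to an Express `req` as well.

```javascript
// Added example; the env var name and the ceiling are hypothetical choices.
const UNITS = { b: 1, kb: 1024, mb: 1024 ** 2, gb: 1024 ** 3 };

// "100mb" -> 104857600; returns null for anything it does not recognise.
function parseSize(text) {
  const m = /^(\d+)\s*(b|kb|mb|gb)$/i.exec(String(text).trim());
  return m ? Number(m[1]) * UNITS[m[2].toLowerCase()] : null;
}

// Operator override from the environment, falling back to a safe default
// and never exceeding a hard ceiling fixed in the service itself.
function resolveLimit(env, name, fallback, ceiling) {
  const parsed = parseSize(env[name] ?? "");
  const wanted = parsed && parsed > 0 ? parsed : parseSize(fallback);
  return Math.min(wanted, parseSize(ceiling));
}

// Streams a request body into `sink` chunk by chunk, so memory use stays at
// one chunk regardless of upload size. Rejects up front when the declared
// Content-Length exceeds the cap, and mid-stream if the sender sends more.
function receiveCapped(req, maxBytes, sink, done) {
  const declared = Number(req.headers["content-length"]);
  if (Number.isFinite(declared) && declared > maxBytes) {
    return done({ status: 413, received: 0 });
  }
  let received = 0;
  let finished = false;
  const finish = (err, n) => {
    if (finished) return;
    finished = true;
    done(err, n);
  };
  req.on("data", (chunk) => {
    if (finished) return;
    received += chunk.length;
    if (received > maxBytes) {
      if (typeof req.destroy === "function") req.destroy(); // stop reading
      return finish({ status: 413, received });
    }
    sink.write(chunk);
  });
  req.on("end", () => finish(null, received));
  req.on("error", () => finish({ status: 400, received }));
}

// Resolved once at start-up; 500mb matches the reviewer's suggested raw limit.
const RAW_LIMIT = resolveLimit(process.env, "BODY_LIMIT_RAW", "500mb", "1gb");
```

The same resolved value can be passed as the `limit` option of the body parsers shown in the suggestions above, while upload routes use `receiveCapped` with a file write stream as `sink`.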