Releases: 1mb-dev/lobster

v2.0.0: Security Hardening & Performance

15 Jan 08:10

Major security hardening release with significant performance improvements.

Added

  • Environment variable substitution in config files: Use ${VAR_NAME} or ${VAR_NAME:-default} syntax to reference environment variables in JSON config files
  • Secure credential input: --auth-password-stdin and --auth-token-stdin flags for piping secrets safely
  • Environment variable auth support: LOBSTER_AUTH_PASSWORD, LOBSTER_AUTH_TOKEN, LOBSTER_AUTH_COOKIE environment variables
  • URL validation with SSRF protection: Blocks file://, ftp://, and private IP ranges by default
  • --allow-private-ips flag: Explicitly enable testing against internal/localhost URLs when needed
  • Response size validation: --max-response-size flag (default 10MB) prevents memory exhaustion from large responses
  • Dropped URL tracking: Warns when URLs are dropped due to queue overflow with actionable hints
  • Config and auth validation methods: Early detection of invalid configuration before test execution

Changed

  • Credential handling (breaking): Passwords, tokens, and cookies can no longer be passed via CLI flags. Use environment variables or stdin instead
  • Insecure TLS confirmation (breaking): --insecure-skip-verify now requires LOBSTER_INSECURE_TLS=true environment variable confirmation
  • HTTP connection pooling: Significantly improved throughput with proper http.Transport configuration
  • GetDiscoveredCount performance: Changed from O(n) to O(1) using atomic counters
  • Result channel buffering: Dynamic buffer sizing based on concurrency to prevent blocking under load
  • HTTP/2 enabled by default: ForceAttemptHTTP2: true for HTTPS connections
  • 429 retry timing: Response time now correctly reflects only the actual request duration, not retry wait time
  • CLI architecture: Extracted CLI functions into internal/cli package for improved testability and maintainability

Removed

  • --auth-password CLI flag: Use LOBSTER_AUTH_PASSWORD env var or --auth-password-stdin instead
  • --auth-token CLI flag: Use LOBSTER_AUTH_TOKEN env var or --auth-token-stdin instead
  • --auth-cookie CLI flag: Use LOBSTER_AUTH_COOKIE env var instead

Note: --auth-header flag remains available as header names are not secrets.

Fixed

  • Error message sanitization to prevent leaking internal infrastructure details (IPs, hostnames)
  • Robots.txt wildcard pattern matching now correctly handles * patterns per RFC specification
  • Username no longer logged in debug output (prevents enumeration)
  • Cookie and header validation now provides explicit error messages for malformed input
  • Mutual exclusivity check for --auth-password-stdin and --auth-token-stdin
  • Environment variable substitution properly distinguishes empty values from unset variables
  • EOF handling uses errors.Is(err, io.EOF) instead of string comparison

Security

  • Credentials no longer exposed in process list: Passwords and tokens removed from CLI flags
  • SSRF protection: Private IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) blocked by default
  • URL scheme validation: Only http:// and https:// schemes permitted
  • Insecure TLS requires explicit consent: Two-step confirmation (flag + env var) for skipping TLS verification
  • Response size limits: Prevents memory exhaustion from malicious large responses
  • Error message sanitization: Internal infrastructure details redacted from user-facing output
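As an added illustration of the scheme allowlist and private-range blocking described under Added and Security (not lobster's own code; the function and error names are assumptions, and it also rejects IPv6 loopback beyond the four listed IPv4 ranges):

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Ranges blocked by default, as listed in the v2.0.0 release notes.
var blockedCIDRs = []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"}
var ErrScheme = errors.New("only http:// and https:// schemes are permitted")
var ErrPrivateIP = errors.New("private/loopback target blocked; pass --allow-private-ips for internal URLs")

// ValidateTargetURL enforces the scheme allowlist and, unless allowPrivate is
// set, rejects "localhost" and literal IPs in the blocked ranges. Other names
// are not resolved here, so a resolver-aware check is still needed at dial time.
func ValidateTargetURL(raw string, allowPrivate bool) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return ErrScheme
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("URL has no host")
	}
	if allowPrivate {
		return nil // explicit opt-in for internal/localhost targets
	}
	ip := net.ParseIP(host) // nil for a DNS name
	if host == "localhost" || (ip != nil && ip.IsLoopback()) { // IsLoopback also covers ::1
		return ErrPrivateIP
	}
	for _, c := range blockedCIDRs {
		_, n, _ := net.ParseCIDR(c) // constants above, known to parse
		if ip != nil && n.Contains(ip) {
			return ErrPrivateIP
		}
	}
	return nil // DNS name (not resolved here) or public literal address
}

func main() {
	for _, raw := range []string{"https://example.com/", "file:///etc/passwd", "http://localhost:3000"} {
		fmt.Printf("%-24s -> %v\n", raw, ValidateTargetURL(raw, false))
	}
}
```

Under these rules the v1.0.0 quick-start target http://localhost:3000 is rejected unless --allow-private-ips is given.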

Migration Guide

See the full CHANGELOG for detailed migration instructions.

Full Changelog: v1.0.0...v2.0.0

v1.0.0 - Production Ready

26 Oct 01:04

Lobster v1.0.0 - Production Ready 🎉

First stable release of Lobster - Intelligent Web Stress Testing Tool

What is Lobster?

Lobster is a zero-config web stress testing tool that automatically discovers URLs by crawling your application and validates performance under load. Point it at your app, and it handles the rest.

Highlights

  • Production-ready stress testing engine with automatic URL discovery
  • Comprehensive test suite with 83.5%+ coverage in critical packages
  • Clean, accurate documentation with zero bloat
  • Build-time version injection via git tags
  • Performance validation with pass/fail criteria
  • Rich reporting: HTML (interactive charts), JSON (API), console (real-time)

Installation

```bash
go install github.com/vnykmshr/lobster/cmd/lobster@v1.0.0
```

Or clone and build:

```bash
git clone https://github.com/vnykmshr/lobster.git
cd lobster
make build
```

Quick Start

```bash
lobster -url http://localhost:3000
```

Test Coverage

  • tester: 83.5%
  • validator: 92.5%
  • config: 95.5%
  • crawler: 94.9%
  • reporter: 94.1%
  • domain: 100%

Documentation

What Changed Since v0.1.0

See the CHANGELOG for detailed changes.
Full Changelog: v0.1.0...v1.0.0