vikingowl/marktvogt.de
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
marktvogt.de/backend/internal/pkg/crypto/wave3_security_test.go
vikingowl 5821547a73 feat(security): close audit waves 1-4 (C1-C6, H1, H2, H4, H11, H13, H14, H16) 
Implements the remediation pass described in
planning/19-security-audit-2026-04-30.md. All Critical findings and the
Wave 1-4 High findings are closed; PoC tests added; full backend test
suite green; helm chart lints clean.

Wave 1 - Auth & identity
- C1 OAuth state nonce: PutOAuthState / ConsumeOAuthState (valkey,
  GETDEL single-use, 15min TTL); Callback rejects missing/forged/cross-
  provider state before token exchange.
- C2 OAuth identity linking: refuse silent linking to existing user
  unless info.EmailVerified is true. fetchGitHubUser now consults the
  /user/emails endpoint for the verified flag (no more hardcoded true);
  fetchFacebookUser sets EmailVerified=false (FB exposes no per-email
  verification flag).
- H1 Magic-link verify: replaced Get + MarkUsed with a single atomic
  UPDATE...RETURNING (ConsumeMagicLink) - TOCTOU-free.
- H2 TOTP code replay: MarkTOTPCodeConsumed (valkey SET NX, 120s TTL)
  prevents replay of a successfully validated code; fails closed on
  transient store errors.
- H3 Backup-code orphan: DisableTOTP now also wipes totp_backup_codes.

Wave 2 - Middleware & network
- C3 CORS/CSRF regex anchoring: NewCORSConfig wraps each pattern with
  \A...\z so substring spoofing of origins is impossible.
- H4 ClientIP: server reads APP_TRUSTED_PROXIES; gin SetTrustedProxies
  is called explicitly (empty default = no proxy trust).
- H11 Body limit + DisallowUnknownFields: BodyLimitBytes middleware
  (1 MiB default) wraps every request; validate.BindJSON now uses a
  json.Decoder with DisallowUnknownFields and rejects trailing tokens;
  413 envelope on body-limit overflow.
- H16 NetworkPolicy: backend.networkPolicy.enabled defaults to true;
  new web-networkpolicy.yaml restricts web pod ingress to nginx-gateway
  and egress to backend service + DNS + 443.

Wave 3 - Encryption at rest
- C4 TOTP secrets: CreateTOTPSecret writes encrypted secret_v2;
  GetTOTPSecret prefers v2 with legacy fallback.
- C5 OAuth tokens: migration 000033 adds *_v2 columns; CreateOAuthAccount
  and UpdateOAuthTokens write encrypted; GetOAuthAccount reads v2 with
  legacy fallback.
- M1 Domain separation: crypto.DeriveKeyFor(secret, purpose) replaces
  single-purpose DeriveKey; settings, totp, oauth each use a distinct
  HKDF-derived subkey. DeriveKey kept as back-compat alias for settings.

Wave 4 - Input & AI safety
- C6 SSRF: new pkg/safehttp refuses to dial RFC1918, loopback, link-
  local, ULA, multicast, unspecified, or cloud-metadata IPs; scheme
  allowlist (http/https). Wired into pkg/scrape, discovery LinkChecker,
  and imageURLReachable. NewForTesting opt-in for httptest.
- H13 PromptGuard German + Unicode: NFKC + Cf-class strip pre-pass
  closes zero-width and full-width-homoglyph bypasses; new German rules
  for ignoriere/missachte/vergiss/role-escalation/prompt-exfil/verbatim;
  Gemma-style and pipe-delimited chat-template tokens covered;
  source-fence rule prevents '=== Quelle:' splice in scraped text.
- H14 BudgetGate: new ai.BudgetGate interface; UsageRepo.CheckBudget
  reads today's SUM(estimated_cost_usd) (10s cache) and refuses calls
  when AI_DAILY_CAP_USD is exceeded; GeminiProvider.Chat checks the
  gate before contacting Gemini.

OAuth routes remain disabled in server/routes.go, so C1/C2 are not
actively reachable today; fixes ensure correctness when re-enabled.
2026-04-30 23:41:48 +02:00

76 lines
2.3 KiB
Go
Raw Permalink Blame History

package crypto_test
import (
"bytes"
"testing"
"marktvogt.de/backend/internal/pkg/crypto"
)
// PoC for audit M1: subkeys for distinct purposes must NOT collide. A leak of
// the settings subkey must not let an attacker decrypt TOTP-sealed data.
func TestDeriveKeyFor_M1_DomainSeparation(t *testing.T) {
t.Parallel()
master := []byte("an-application-master-secret-thats-long-enough")
settingsKey, err := crypto.DeriveKeyFor(master, "settings:v1")
if err != nil {
t.Fatalf("derive settings: %v", err)
}
totpKey, err := crypto.DeriveKeyFor(master, "totp:v1")
if err != nil {
t.Fatalf("derive totp: %v", err)
}
oauthKey, err := crypto.DeriveKeyFor(master, "oauth:v1")
if err != nil {
t.Fatalf("derive oauth: %v", err)
}
if bytes.Equal(settingsKey[:], totpKey[:]) || bytes.Equal(settingsKey[:], oauthKey[:]) || bytes.Equal(totpKey[:], oauthKey[:]) {
t.Fatalf("subkeys must differ pairwise — settings=%x totp=%x oauth=%x", settingsKey, totpKey, oauthKey)
}
plaintext := []byte("user-totp-seed")
ct, err := crypto.Seal(totpKey, plaintext)
if err != nil {
t.Fatalf("seal: %v", err)
}
// A different subkey MUST NOT open the ciphertext (cryptographic separation).
if _, err := crypto.Open(settingsKey, ct); err == nil {
t.Fatalf("settings key must not open totp ciphertext — domain separation broken")
}
if _, err := crypto.Open(oauthKey, ct); err == nil {
t.Fatalf("oauth key must not open totp ciphertext — domain separation broken")
}
// Round trip with the matching subkey works.
got, err := crypto.Open(totpKey, ct)
if err != nil {
t.Fatalf("open with matching key: %v", err)
}
if !bytes.Equal(got, plaintext) {
t.Fatalf("plaintext mismatch: want %q got %q", plaintext, got)
}
}
// Backwards compat: DeriveKey (legacy settings derivation) must keep producing
// the same key used by existing settings-store ciphertext.
func TestDeriveKey_BackwardsCompat(t *testing.T) {
t.Parallel()
master := []byte("legacy-master-secret")
legacyKey, err := crypto.DeriveKey(master)
if err != nil {
t.Fatalf("DeriveKey: %v", err)
}
settingsKey, err := crypto.DeriveKeyFor(master, "settings:v1")
if err != nil {
t.Fatalf("DeriveKeyFor: %v", err)
}
if !bytes.Equal(legacyKey[:], settingsKey[:]) {
t.Fatalf("DeriveKey must equal DeriveKeyFor(settings:v1) — settings rows would otherwise be unreadable after upgrade")
}
}
Reference in New Issue View Git Blame Copy Permalink