vikingowl
5821547a73
Implements the remediation pass described in planning/19-security-audit-2026-04-30.md. All Critical findings and the Wave 1-4 High findings are closed; PoC tests added; full backend test suite green; helm chart lints clean. Wave 1 - Auth & identity - C1 OAuth state nonce: PutOAuthState / ConsumeOAuthState (valkey, GETDEL single-use, 15min TTL); Callback rejects missing/forged/cross- provider state before token exchange. - C2 OAuth identity linking: refuse silent linking to existing user unless info.EmailVerified is true. fetchGitHubUser now consults the /user/emails endpoint for the verified flag (no more hardcoded true); fetchFacebookUser sets EmailVerified=false (FB exposes no per-email verification flag). - H1 Magic-link verify: replaced Get + MarkUsed with a single atomic UPDATE...RETURNING (ConsumeMagicLink) - TOCTOU-free. - H2 TOTP code replay: MarkTOTPCodeConsumed (valkey SET NX, 120s TTL) prevents replay of a successfully validated code; fails closed on transient store errors. - H3 Backup-code orphan: DisableTOTP now also wipes totp_backup_codes. Wave 2 - Middleware & network - C3 CORS/CSRF regex anchoring: NewCORSConfig wraps each pattern with \A...\z so substring spoofing of origins is impossible. - H4 ClientIP: server reads APP_TRUSTED_PROXIES; gin SetTrustedProxies is called explicitly (empty default = no proxy trust). - H11 Body limit + DisallowUnknownFields: BodyLimitBytes middleware (1 MiB default) wraps every request; validate.BindJSON now uses a json.Decoder with DisallowUnknownFields and rejects trailing tokens; 413 envelope on body-limit overflow. - H16 NetworkPolicy: backend.networkPolicy.enabled defaults to true; new web-networkpolicy.yaml restricts web pod ingress to nginx-gateway and egress to backend service + DNS + 443. Wave 3 - Encryption at rest - C4 TOTP secrets: CreateTOTPSecret writes encrypted secret_v2; GetTOTPSecret prefers v2 with legacy fallback. - C5 OAuth tokens: migration 000033 adds *_v2 columns; CreateOAuthAccount and UpdateOAuthTokens write encrypted; GetOAuthAccount reads v2 with legacy fallback. - M1 Domain separation: crypto.DeriveKeyFor(secret, purpose) replaces single-purpose DeriveKey; settings, totp, oauth each use a distinct HKDF-derived subkey. DeriveKey kept as back-compat alias for settings. Wave 4 - Input & AI safety - C6 SSRF: new pkg/safehttp refuses to dial RFC1918, loopback, link- local, ULA, multicast, unspecified, or cloud-metadata IPs; scheme allowlist (http/https). Wired into pkg/scrape, discovery LinkChecker, and imageURLReachable. NewForTesting opt-in for httptest. - H13 PromptGuard German + Unicode: NFKC + Cf-class strip pre-pass closes zero-width and full-width-homoglyph bypasses; new German rules for ignoriere/missachte/vergiss/role-escalation/prompt-exfil/verbatim; Gemma-style and pipe-delimited chat-template tokens covered; source-fence rule prevents '=== Quelle:' splice in scraped text. - H14 BudgetGate: new ai.BudgetGate interface; UsageRepo.CheckBudget reads today's SUM(estimated_cost_usd) (10s cache) and refuses calls when AI_DAILY_CAP_USD is exceeded; GeminiProvider.Chat checks the gate before contacting Gemini. OAuth routes remain disabled in server/routes.go, so C1/C2 are not actively reachable today; fixes ensure correctness when re-enabled.
109 lines
3.3 KiB
Go
109 lines
3.3 KiB
Go
package validate_test
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
|
|
"marktvogt.de/backend/internal/middleware"
|
|
"marktvogt.de/backend/internal/pkg/apierror"
|
|
"marktvogt.de/backend/internal/pkg/validate"
|
|
)
|
|
|
|
func init() {
|
|
gin.SetMode(gin.TestMode)
|
|
}
|
|
|
|
type bindReq struct {
|
|
Name string `json:"name" validate:"required,max=64"`
|
|
}
|
|
|
|
// PoC for audit H11: unknown JSON fields are rejected. Pre-fix, gin's
|
|
// ShouldBindJSON silently dropped them — letting an attacker probe for hidden
|
|
// admin flags or send oversized payloads with junk keys.
|
|
func TestBindJSON_H11_RejectsUnknownFields(t *testing.T) {
|
|
t.Parallel()
|
|
r := gin.New()
|
|
r.POST("/p", func(c *gin.Context) {
|
|
var in bindReq
|
|
if apiErr := validate.BindJSON(c, &in); apiErr != nil {
|
|
c.AbortWithStatusJSON(apiErr.Status, apierror.NewResponse(apiErr))
|
|
return
|
|
}
|
|
c.Status(http.StatusOK)
|
|
})
|
|
|
|
w := httptest.NewRecorder()
|
|
r.ServeHTTP(w, httptest.NewRequest(http.MethodPost, "/p", strings.NewReader(`{"name":"ok","secretAdminFlag":true}`)))
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Fatalf("unknown field must be rejected: status=%d body=%s", w.Code, w.Body.String())
|
|
}
|
|
}
|
|
|
|
// PoC for audit H11: trailing garbage after a valid JSON object is rejected.
|
|
// `{"a":1}{"b":2}` must not silently parse as the first object.
|
|
func TestBindJSON_H11_RejectsTrailingTokens(t *testing.T) {
|
|
t.Parallel()
|
|
r := gin.New()
|
|
r.POST("/p", func(c *gin.Context) {
|
|
var in bindReq
|
|
if apiErr := validate.BindJSON(c, &in); apiErr != nil {
|
|
c.AbortWithStatusJSON(apiErr.Status, apierror.NewResponse(apiErr))
|
|
return
|
|
}
|
|
c.Status(http.StatusOK)
|
|
})
|
|
|
|
w := httptest.NewRecorder()
|
|
r.ServeHTTP(w, httptest.NewRequest(http.MethodPost, "/p", strings.NewReader(`{"name":"ok"}{"name":"smuggled"}`)))
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Fatalf("trailing token must be rejected: status=%d body=%s", w.Code, w.Body.String())
|
|
}
|
|
}
|
|
|
|
// PoC for audit H11 wired through middleware: an oversized body returns 413
|
|
// with the canonical apierror shape.
|
|
func TestBindJSON_H11_BodyLimit413(t *testing.T) {
|
|
t.Parallel()
|
|
r := gin.New()
|
|
r.Use(middleware.BodyLimitBytes(32))
|
|
r.POST("/p", func(c *gin.Context) {
|
|
var in bindReq
|
|
if apiErr := validate.BindJSON(c, &in); apiErr != nil {
|
|
c.AbortWithStatusJSON(apiErr.Status, apierror.NewResponse(apiErr))
|
|
return
|
|
}
|
|
c.Status(http.StatusOK)
|
|
})
|
|
|
|
body := `{"name":"` + strings.Repeat("A", 1024) + `"}`
|
|
w := httptest.NewRecorder()
|
|
r.ServeHTTP(w, httptest.NewRequest(http.MethodPost, "/p", strings.NewReader(body)))
|
|
if w.Code != http.StatusRequestEntityTooLarge {
|
|
t.Fatalf("oversized body: want 413, got %d body=%s", w.Code, w.Body.String())
|
|
}
|
|
}
|
|
|
|
// PoC for audit H11: requests with a valid small body still pass through cleanly.
|
|
func TestBindJSON_H11_HappyPath(t *testing.T) {
|
|
t.Parallel()
|
|
r := gin.New()
|
|
r.Use(middleware.BodyLimitBytes(1 << 20))
|
|
r.POST("/p", func(c *gin.Context) {
|
|
var in bindReq
|
|
if apiErr := validate.BindJSON(c, &in); apiErr != nil {
|
|
c.AbortWithStatusJSON(apiErr.Status, apierror.NewResponse(apiErr))
|
|
return
|
|
}
|
|
c.Status(http.StatusOK)
|
|
})
|
|
w := httptest.NewRecorder()
|
|
r.ServeHTTP(w, httptest.NewRequest(http.MethodPost, "/p", strings.NewReader(`{"name":"alice"}`)))
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("happy path: want 200, got %d body=%s", w.Code, w.Body.String())
|
|
}
|
|
}
|