Skip to content

C152 SECURITY FIXES

Cycle C-152: Security Fixes Summary

Date: 2025-01-27

Status: In Progress


Critical Issues Fixed ✅

1. Server-Side Request Forgery (SSRF) - #1172, #1171

Files Fixed: - apps/broker-api/src/services/webhook.ts (line 237) - packages/oaa-api-library/src/sentinel/fetcher.ts (line 121)

Fix Applied: - Reconstructed URLs from validated components instead of converting URL object to string - Ensures only validated protocol, hostname, port, and pathname are used - Prevents URL object mutation attacks - Maintains existing validation (allowlist, DNS rebinding protection, private IP checks)

Before:

const sanitizedUrlString = safeUrl.toString();
const response = await fetch(sanitizedUrlString, {...});

After:

// Reconstruct URL from validated components
const validatedProtocol = safeUrl.protocol; // Already validated as 'https:'
const validatedHostname = safeUrl.hostname; // Already validated against allowlist
const validatedPort = safeUrl.port || '443'; // Already validated
const validatedPathname = safeUrl.pathname; // Already validated (no path traversal)
const safeUrlString = `${validatedProtocol}//${validatedHostname}${validatedPort !== '443' ? `:${validatedPort}` : ''}${validatedPathname}${validatedSearch}`;
const response = await fetch(safeUrlString, {...});


High Severity Issues Fixed ✅

3. Remote Property Injection - #1145, #1144, #1143

Files Fixed: - apps/broker-api/src/services/energy/telemetryService.ts (lines 219, 413, 414)

Fix Applied: - Added validatePropertyName() function to prevent prototype pollution - Validates property names before using them as object keys - Rejects dangerous property names like __proto__, constructor, prototype - Sanitizes property names to remove non-alphanumeric characters

Before:

sourceBreakdown[node.source] = { count: 0, capacityMwh: 0, outputMw: 0 };
regionBreakdown[node.region] = (regionBreakdown[node.region] ?? 0) + 1;

After:

const safeSource = validatePropertyName(node.source);
const safeRegion = validatePropertyName(node.region);
sourceBreakdown[safeSource] = { count: 0, capacityMwh: 0, outputMw: 0 };
regionBreakdown[safeRegion] = (regionBreakdown[safeRegion] ?? 0) + 1;


High Severity Issues - Remaining

Categories of Remaining Issues:

  1. Missing Rate Limiting (High)
  2. Multiple files flagged
  3. Status: apps/broker-api already has rate limiting implemented
  4. Action: Review other flagged files and add rate limiting where missing

  5. Path Traversal (High)

  6. Multiple Python files in apps/eomm-api and labs/lab4-proof
  7. Files: app/storage.py, app/main.py, app/hash_helpers.py, app/archive_endpoint.py
  8. Action: Add path sanitization using os.path.normpath() and validate against base directory

  9. Log Injection (High/Medium)

  10. Multiple files logging user-controlled data
  11. Action: Sanitize log inputs, use structured logging

  12. Insecure Randomness (High)

  13. Mostly in build artifacts (chunks/*.js)
  14. Action: These are build outputs, need to fix source code

  15. Incomplete String Escaping (High)

  16. Build artifacts and some source files
  17. Action: Review source code, fix escaping in templates

  18. Remote Property Injection (High)

  19. Files: apps/broker-api/src/services/energy/telemetryService.ts
  20. Action: Validate and sanitize property names before use

  21. User-Controlled Bypass of Security Check (High)

  22. Files: services/civic-ledger/src/routes/attest.ts, services/civic-ledger/src/attest/verify.ts
  23. Action: Review security check logic, ensure user input doesn't bypass validation

  24. Overly Permissive File Permissions (High)

  25. Files: scripts/generate_agent_keypairs.sh, labs/lab7-proof/.civic/setup-civic-system.py
  26. Action: Set appropriate file permissions (e.g., 0600 for private keys)

Next Steps

  1. Critical SSRF fixes - COMPLETED
  2. Path traversal fixes - Review Python files, add sanitization
  3. Rate limiting - Verify all API endpoints have rate limiting
  4. Log injection - Add input sanitization for logging
  5. File permissions - Fix overly permissive permissions
  6. Property injection - Validate property names in telemetry service

Notes

  • Many issues are in build artifacts (chunks/*.js) which are generated files
  • Need to fix source code that generates these artifacts
  • Python path traversal issues need careful review to maintain functionality
  • Rate limiting should be added to all public-facing endpoints

"We heal as we walk." — Mobius Systems