C152 SECURITY FIXES
Cycle C-152: Security Fixes Summary¶
Date: 2025-01-27¶
Status: In Progress¶
Critical Issues Fixed ✅¶
1. Server-Side Request Forgery (SSRF) - #1172, #1171¶
Files Fixed: - apps/broker-api/src/services/webhook.ts (line 237) - packages/oaa-api-library/src/sentinel/fetcher.ts (line 121)
Fix Applied: - Reconstructed URLs from validated components instead of converting URL object to string - Ensures only validated protocol, hostname, port, and pathname are used - Prevents URL object mutation attacks - Maintains existing validation (allowlist, DNS rebinding protection, private IP checks)
Before:
const sanitizedUrlString = safeUrl.toString();
const response = await fetch(sanitizedUrlString, {...});
After:
// Reconstruct URL from validated components
const validatedProtocol = safeUrl.protocol; // Already validated as 'https:'
const validatedHostname = safeUrl.hostname; // Already validated against allowlist
const validatedPort = safeUrl.port || '443'; // Already validated
const validatedPathname = safeUrl.pathname; // Already validated (no path traversal)
const safeUrlString = `${validatedProtocol}//${validatedHostname}${validatedPort !== '443' ? `:${validatedPort}` : ''}${validatedPathname}${validatedSearch}`;
const response = await fetch(safeUrlString, {...});
High Severity Issues Fixed ✅¶
3. Remote Property Injection - #1145, #1144, #1143¶
Files Fixed: - apps/broker-api/src/services/energy/telemetryService.ts (lines 219, 413, 414)
Fix Applied: - Added validatePropertyName() function to prevent prototype pollution - Validates property names before using them as object keys - Rejects dangerous property names like __proto__, constructor, prototype - Sanitizes property names to remove non-alphanumeric characters
Before:
sourceBreakdown[node.source] = { count: 0, capacityMwh: 0, outputMw: 0 };
regionBreakdown[node.region] = (regionBreakdown[node.region] ?? 0) + 1;
After:
const safeSource = validatePropertyName(node.source);
const safeRegion = validatePropertyName(node.region);
sourceBreakdown[safeSource] = { count: 0, capacityMwh: 0, outputMw: 0 };
regionBreakdown[safeRegion] = (regionBreakdown[safeRegion] ?? 0) + 1;
High Severity Issues - Remaining¶
Categories of Remaining Issues:¶
- Missing Rate Limiting (High)
- Multiple files flagged
- Status:
apps/broker-apialready has rate limiting implemented -
Action: Review other flagged files and add rate limiting where missing
-
Path Traversal (High)
- Multiple Python files in
apps/eomm-apiandlabs/lab4-proof - Files:
app/storage.py,app/main.py,app/hash_helpers.py,app/archive_endpoint.py -
Action: Add path sanitization using
os.path.normpath()and validate against base directory -
Log Injection (High/Medium)
- Multiple files logging user-controlled data
-
Action: Sanitize log inputs, use structured logging
-
Insecure Randomness (High)
- Mostly in build artifacts (
chunks/*.js) -
Action: These are build outputs, need to fix source code
-
Incomplete String Escaping (High)
- Build artifacts and some source files
-
Action: Review source code, fix escaping in templates
-
Remote Property Injection (High)
- Files:
apps/broker-api/src/services/energy/telemetryService.ts -
Action: Validate and sanitize property names before use
-
User-Controlled Bypass of Security Check (High)
- Files:
services/civic-ledger/src/routes/attest.ts,services/civic-ledger/src/attest/verify.ts -
Action: Review security check logic, ensure user input doesn't bypass validation
-
Overly Permissive File Permissions (High)
- Files:
scripts/generate_agent_keypairs.sh,labs/lab7-proof/.civic/setup-civic-system.py - Action: Set appropriate file permissions (e.g., 0600 for private keys)
Next Steps¶
- ✅ Critical SSRF fixes - COMPLETED
- ⏳ Path traversal fixes - Review Python files, add sanitization
- ⏳ Rate limiting - Verify all API endpoints have rate limiting
- ⏳ Log injection - Add input sanitization for logging
- ⏳ File permissions - Fix overly permissive permissions
- ⏳ Property injection - Validate property names in telemetry service
Notes¶
- Many issues are in build artifacts (chunks/*.js) which are generated files
- Need to fix source code that generates these artifacts
- Python path traversal issues need careful review to maintain functionality
- Rate limiting should be added to all public-facing endpoints
"We heal as we walk." — Mobius Systems