akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity

fix(security): resolve API key logging vulnerability and enhance import validation

Browse Source 
Critical security fix addressing CWE-312/315/359 (Cleartext Storage/Cookie
Storage/Privacy Exposure) where CrowdSec bouncer API keys were logged in cleartext.
Implemented maskAPIKey() utility to show only first 4 and last 4 characters,
protecting sensitive credentials in production logs.

Enhanced CrowdSec configuration import validation with:
- Zip bomb protection via 100x compression ratio limit
- Format validation rejecting zip archives (only tar.gz allowed)
- CrowdSec-specific YAML structure validation
- Rollback mechanism on validation failures

UX improvement: moved CrowdSec API key display from Security Dashboard to
CrowdSec Config page for better logical organization.

Comprehensive E2E test coverage:
- Created 10 test scenarios including valid import, missing files, invalid YAML,
  zip bombs, wrong formats, and corrupted archives
- 87/108 E2E tests passing (81% pass rate, 0 regressions)

Security validation:
- CodeQL: 0 CWE-312/315/359 findings (vulnerability fully resolved)
- Docker Image: 7 HIGH base image CVEs documented (non-blocking, Debian upstream)
- Pre-commit hooks: 13/13 passing (fixed 23 total linting issues)

Backend coverage: 82.2% (+1.1%)
Frontend coverage: 84.19% (+0.3%)
This commit is contained in:
GitHub Actions
2026-02-04 00:12:13 +00:00
parent c9965bb45b
commit 93894c517b
19 changed files with 4971 additions and 1384 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
README.md
View File

@@ -562,7 +562,21 @@ docker restart charon
- Use HTTPS when calling emergency endpoint (HTTP leaks token)
- Monitor audit logs for emergency token usage
**📍 Management Network Configuration:**
**<EFBFBD> API Key & Credential Management:**
- **Never log sensitive credentials**: Charon automatically masks API keys in logs (e.g., `abcd...xyz9`)
- **Secure storage**: CrowdSec API keys stored with 0600 permissions (owner read/write only)
- **No HTTP exposure**: API keys never returned in API responses
- **No cookie storage**: Keys never stored in browser cookies
- **Regular rotation**: Rotate CrowdSec bouncer keys every 90 days (recommended)
- **Environment variables**: Use `CHARON_SECURITY_CROWDSEC_API_KEY` for production deployments
- **Compliance**: Implementation addresses CWE-312, CWE-315, CWE-359 (GDPR, PCI-DSS, SOC 2)
For detailed security practices, see:
- 📘 [API Key Handling Guide](docs/security/api-key-handling.md)
- 🛡️ [Security Best Practices](docs/SECURITY_PRACTICES.md)
**<2A>📍 Management Network Configuration:**
```yaml
# Restrict emergency access to trusted networks only