Charon

akanealw/Charon

Fork 0

Commit Graph

Author	SHA1	Message	Date
GitHub Actions	c9d9c52657	fix(security): eliminate SSRF vulnerability with comprehensive test coverage (CWE-918) Resolves Critical severity CodeQL finding in url_testing.go by implementing connection-time IP validation via custom DialContext. Added comprehensive test coverage for all SSRF protection mechanisms across the codebase. Technical changes: - Created ssrfSafeDialer() with atomic DNS resolution and IP validation - Refactored TestURLConnectivity() to use secure http.Transport - Added scheme validation (http/https only) - Prevents access to 13+ blocked CIDR ranges Test coverage improvements: - Backend: 85.1% → 86.5% (+1.4%) - Patch coverage: 70% → 86.5% (+16.5%) - Added 38 new test cases across 7 functions - docker_service.go: 0% → 85.2% - update_service.go: 26% → 95.2% - crowdsec/registration.go: 18% → 92.3% Security impact: - Prevents SSRF attacks (CWE-918) - Blocks DNS rebinding - Protects cloud metadata endpoints - Validates all URL inputs with comprehensive tests Testing: - All 1172+ tests passing - govulncheck: zero vulnerabilities - Trivy: zero issues - Pre-commit: passing Refs: #450	2025-12-23 17:42:21 +00:00
GitHub Actions	25082778c9	feat(cerberus): integrate Cerberus security features (WAF, ACLs, rate limiting, CrowdSec) - Implement GeoIPService for IP-to-country lookups with comprehensive error handling. - Add tests for GeoIPService covering various scenarios including invalid IPs and database loading. - Extend AccessListService to handle GeoIP service integration, including graceful degradation when GeoIP service is unavailable. - Introduce new tests for AccessListService to validate geo ACL behavior and country code parsing. - Update SecurityService to include new fields for WAF configuration and enhance decision logging functionality. - Add extensive tests for SecurityService covering rule set management and decision logging. - Create a detailed Security Coverage QA Plan to ensure 100% code coverage for security-related functionality.	2025-12-12 17:56:30 +00:00

Author

SHA1

Message

Date

GitHub Actions

c9d9c52657

fix(security): eliminate SSRF vulnerability with comprehensive test coverage (CWE-918)

Resolves Critical severity CodeQL finding in url_testing.go by implementing
connection-time IP validation via custom DialContext. Added comprehensive
test coverage for all SSRF protection mechanisms across the codebase.

Technical changes:
- Created ssrfSafeDialer() with atomic DNS resolution and IP validation
- Refactored TestURLConnectivity() to use secure http.Transport
- Added scheme validation (http/https only)
- Prevents access to 13+ blocked CIDR ranges

Test coverage improvements:
- Backend: 85.1% → 86.5% (+1.4%)
- Patch coverage: 70% → 86.5% (+16.5%)
- Added 38 new test cases across 7 functions
- docker_service.go: 0% → 85.2%
- update_service.go: 26% → 95.2%
- crowdsec/registration.go: 18% → 92.3%

Security impact:
- Prevents SSRF attacks (CWE-918)
- Blocks DNS rebinding
- Protects cloud metadata endpoints
- Validates all URL inputs with comprehensive tests

Testing:
- All 1172+ tests passing
- govulncheck: zero vulnerabilities
- Trivy: zero issues
- Pre-commit: passing

Refs: #450

2025-12-23 17:42:21 +00:00

GitHub Actions

25082778c9

feat(cerberus): integrate Cerberus security features (WAF, ACLs, rate limiting, CrowdSec)

- Implement GeoIPService for IP-to-country lookups with comprehensive error handling.
- Add tests for GeoIPService covering various scenarios including invalid IPs and database loading.
- Extend AccessListService to handle GeoIP service integration, including graceful degradation when GeoIP service is unavailable.
- Introduce new tests for AccessListService to validate geo ACL behavior and country code parsing.
- Update SecurityService to include new fields for WAF configuration and enhance decision logging functionality.
- Add extensive tests for SecurityService covering rule set management and decision logging.
- Create a detailed Security Coverage QA Plan to ensure 100% code coverage for security-related functionality.

2025-12-12 17:56:30 +00:00

2 Commits