akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
03523eb7317b5b4b171669c8b42a68d7ddb7ea1f
Charon/docs
History
GitHub Actions e0f69cdfc8 feat(security): comprehensive SSRF protection implementation 
BREAKING CHANGE: UpdateService.SetAPIURL() now returns error

Implements defense-in-depth SSRF protection across all user-controlled URLs:

Security Fixes:
- CRITICAL: Fixed security notification webhook SSRF vulnerability
- CRITICAL: Added GitHub domain allowlist for update service
- HIGH: Protected CrowdSec hub URLs with domain allowlist
- MEDIUM: Validated CrowdSec LAPI URLs (localhost-only)

Implementation:
- Created /backend/internal/security/url_validator.go (90.4% coverage)
- Blocks 13+ private IP ranges and cloud metadata endpoints
- DNS resolution with timeout and IP validation
- Comprehensive logging of SSRF attempts (HIGH severity)
- Defense-in-depth: URL format → DNS → IP → Request execution

Testing:
- 62 SSRF-specific tests covering all attack vectors
- 255 total tests passing (84.8% coverage)
- Zero security vulnerabilities (Trivy, go vuln check)
- OWASP A10 compliant

Documentation:
- Comprehensive security guide (docs/security/ssrf-protection.md)
- Manual test plan (30 test cases)
- Updated API docs, README, SECURITY.md, CHANGELOG

Security Impact:
- Pre-fix: CVSS 8.6 (HIGH) - Exploitable SSRF
- Post-fix: CVSS 0.0 (NONE) - Vulnerability eliminated

Refs: #450 (beta release)
See: docs/plans/ssrf_remediation_spec.md for full specification
2025-12-23 15:09:22 +00:00
..
implementation
feat(security): comprehensive SSRF protection implementation
2025-12-23 15:09:22 +00:00
issues
feat(security): comprehensive SSRF protection implementation
2025-12-23 15:09:22 +00:00
plans
feat(security): comprehensive SSRF protection implementation
2025-12-23 15:09:22 +00:00
reports
feat(security): comprehensive SSRF protection implementation
2025-12-23 15:09:22 +00:00
security
feat(security): comprehensive SSRF protection implementation
2025-12-23 15:09:22 +00:00
troubleshooting
chore: implement instruction compliance remediation
2025-12-21 04:08:42 +00:00
acme-staging.md
chore: implement instruction compliance remediation
2025-12-21 04:08:42 +00:00
AGENT_SKILLS_MIGRATION.md
feat: migrate scripts to Agent Skills following agentskills.io specification
2025-12-20 20:37:16 +00:00
api.md
feat(security): comprehensive SSRF protection implementation
2025-12-23 15:09:22 +00:00
beta_release_draft_pr_body_snapshot.md
fix: update workflows to use GITHUB_TOKEN instead of CHARON_TOKEN for improved compatibility
2025-12-14 00:11:06 +00:00
beta_release_draft_pr.md
fix: update workflows to use GITHUB_TOKEN instead of CHARON_TOKEN for improved compatibility
2025-12-14 00:11:06 +00:00
beta_release_pr_body.md
fix: update workflows to use GITHUB_TOKEN instead of CHARON_TOKEN for improved compatibility
2025-12-14 00:11:06 +00:00
cerberus.md
chore: implement instruction compliance remediation
2025-12-21 04:08:42 +00:00
crowdsec-auto-start-quickref.md
fix(security): resolve CrowdSec startup and permission issues
2025-12-23 01:59:21 +00:00
database-maintenance.md
chore: implement instruction compliance remediation
2025-12-21 04:08:42 +00:00
database-schema.md
chore: implement instruction compliance remediation
2025-12-21 04:08:42 +00:00
debugging-local-container.md
chore: implement instruction compliance remediation
2025-12-21 04:08:42 +00:00
features.md
fix(monitoring): resolve uptime port mismatch for non-standard ports
2025-12-23 03:28:45 +00:00
getting-started.md
fix(security): resolve CrowdSec startup and permission issues
2025-12-23 01:59:21 +00:00
github-setup.md
chore: implement instruction compliance remediation
2025-12-21 04:08:42 +00:00
i18n-examples.md
chore: implement instruction compliance remediation
2025-12-21 04:08:42 +00:00
import-guide.md
chore: implement instruction compliance remediation
2025-12-21 04:08:42 +00:00
index.md
chore: implement instruction compliance remediation
2025-12-21 04:08:42 +00:00
live-logs-guide.md
chore: implement instruction compliance remediation
2025-12-21 04:08:42 +00:00
migration-guide-crowdsec-auto-start.md
fix(security): resolve CrowdSec startup and permission issues
2025-12-23 01:59:21 +00:00
migration-guide.md
chore: implement instruction compliance remediation
2025-12-21 04:08:42 +00:00
security-incident-response.md
Update docs/security-incident-response.md
2025-12-23 01:23:54 -05:00
security.md
feat(docs): add comprehensive container hardening configuration and validation steps
2025-12-23 06:52:19 +00:00