akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity
Files
03523eb7317b5b4b171669c8b42a68d7ddb7ea1f
Charon/docs/plans
History
GitHub Actions e0f69cdfc8 feat(security): comprehensive SSRF protection implementation 
BREAKING CHANGE: UpdateService.SetAPIURL() now returns error

Implements defense-in-depth SSRF protection across all user-controlled URLs:

Security Fixes:
- CRITICAL: Fixed security notification webhook SSRF vulnerability
- CRITICAL: Added GitHub domain allowlist for update service
- HIGH: Protected CrowdSec hub URLs with domain allowlist
- MEDIUM: Validated CrowdSec LAPI URLs (localhost-only)

Implementation:
- Created /backend/internal/security/url_validator.go (90.4% coverage)
- Blocks 13+ private IP ranges and cloud metadata endpoints
- DNS resolution with timeout and IP validation
- Comprehensive logging of SSRF attempts (HIGH severity)
- Defense-in-depth: URL format → DNS → IP → Request execution

Testing:
- 62 SSRF-specific tests covering all attack vectors
- 255 total tests passing (84.8% coverage)
- Zero security vulnerabilities (Trivy, go vuln check)
- OWASP A10 compliant

Documentation:
- Comprehensive security guide (docs/security/ssrf-protection.md)
- Manual test plan (30 test cases)
- Updated API docs, README, SECURITY.md, CHANGELOG

Security Impact:
- Pre-fix: CVSS 8.6 (HIGH) - Exploitable SSRF
- Post-fix: CVSS 0.0 (NONE) - Vulnerability eliminated

Refs: #450 (beta release)
See: docs/plans/ssrf_remediation_spec.md for full specification
2025-12-23 15:09:22 +00:00
..
proof-of-concept
feat: migrate scripts to Agent Skills following agentskills.io specification
2025-12-20 20:37:16 +00:00
agent-skills-migration-spec.md
feat: Update Docker Workflow Analysis & Remediation Plan in current_spec.md
2025-12-21 14:19:51 +00:00
bulk-apply-security-headers-plan.md.backup
feat: migrate scripts to Agent Skills following agentskills.io specification
2025-12-20 20:37:16 +00:00
c-ares_remediation_plan.md
feat: add weekly security rebuild workflow with no-cache scanning
2025-12-14 02:08:16 +00:00
caddy_bouncer_field_remediation.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
caddy_config_architecture_investigation.md
fix: remove invalid trusted_proxies structure causing 500 error on proxy host save
2025-12-20 05:46:03 +00:00
cerberus_integration_testing_plan.md
Add comprehensive tests for Security Dashboard functionality
2025-12-12 23:51:05 +00:00
cerberus_remediation_plan.md
Enhance documentation and testing plans
2025-12-14 02:45:24 +00:00
cerberus_uiux_testing_plan.md
Enhance documentation and testing plans
2025-12-14 02:45:24 +00:00
ci_failure_fix.md
docs: add CI failure fix plan and root cause analysis for WAF integration test
2025-12-23 06:26:53 +00:00
ci_failure_remediation_plan.md
Enhance documentation and testing plans
2025-12-14 02:45:24 +00:00
cleanup_temp_files.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
codecov_config_analysis.md
fix: update Codecov ignore patterns to align with local coverage analysis
2025-12-15 07:30:36 +00:00
codecov-acceptinvite-patch-coverage.md
fix: remove unreachable constant-time compare in AcceptInvite handler
2025-12-22 19:06:12 +00:00
container-hardening-fix.md
feat(docs): add comprehensive container hardening configuration and validation steps
2025-12-23 06:52:19 +00:00
crowdsec_bouncer_research_plan.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec_full_implementation.md
Enhance documentation and testing plans
2025-12-14 02:45:24 +00:00
crowdsec_hotfix_plan.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec_lapi_error_diagnostic.md
fix: enhance LAPI readiness checks and update related UI feedback
2025-12-15 07:30:35 +00:00
crowdsec_nonroot_fix_spec.md
doc: CrowdSec non-root migration fix specification and implementation plan
2025-12-22 02:43:19 +00:00
crowdsec_reconciliation_failure.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec_startup_fix.md
fix(security): resolve CrowdSec startup permission failures
2025-12-23 02:30:22 +00:00
crowdsec_testing_plan.md
Enhance documentation and testing plans
2025-12-14 02:45:24 +00:00
crowdsec_toggle_fix_plan.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
current_spec.md
doc: plan for docker socket 500 error
2025-12-22 19:30:08 +00:00
db_corruption_guardrails_spec.md
feat: add SQLite database corruption guardrails
2025-12-17 16:53:38 +00:00
docker_socket_trace.md
fix: resolve Docker socket permissions and notification page routing
2025-12-22 21:58:20 +00:00
docs_to_issues_workflow.md
Enhance documentation and testing plans
2025-12-14 02:45:24 +00:00
frontend_coverage_boost.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
handler_test_optimization.md
chore: Optimize handler tests by implementing parallel execution, reducing AutoMigrate calls, and introducing helper functions for synchronization. Added a template database for faster test setup and created a new test_helpers.go file for common utilities. Updated multiple test files to utilize these improvements, enhancing overall test performance and reliability.
2025-12-21 06:01:47 +00:00
history_rewrite.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
import_cert_dashboard_spec.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
instruction_compliance_spec.md
feat: add instruction compliance audit report for Charon codebase
2025-12-20 20:53:25 +00:00
issue-365-additional-security.md
docs: add planning document for Issue #365 Additional Security
2025-12-21 10:26:21 -05:00
issue-365-remaining-work.md
docs: add CI failure fix plan and root cause analysis for WAF integration test
2025-12-23 06:26:53 +00:00
MIGRATION_UPDATE_SUMMARY.md
feat: migrate scripts to Agent Skills following agentskills.io specification
2025-12-20 20:37:16 +00:00
notification_page_trace.md
fix: resolve Docker socket permissions and notification page routing
2025-12-22 21:58:20 +00:00
post_rebuild_diagnostic.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
pr-434-docker-analysis.md
feat: Add Docker Workflow Analysis & Remediation Plan for PR #434
2025-12-21 14:20:13 +00:00
precommit_performance_fix_spec.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
prev_spec_archived_dec16.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
prev_spec_ci_investigation_dec18.md
fix: remove invalid trusted_proxies structure causing 500 error on proxy host save
2025-12-20 05:46:03 +00:00
prev_spec_i18n_language_selector_dec19.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
prev_spec_security_headers_persistence_dec18.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
prev_spec_standard_proxy_headers_dec19.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
prev_spec_uiux_dec16.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
prev_spec_websocket_fix_dec16.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
prev_spec_xforwarded_port_investigation.md
fix: remove invalid trusted_proxies structure causing 500 error on proxy host save
2025-12-20 05:46:03 +00:00
qa_remediation.md
test: increase test coverage to 86.1% and fix SSRF test failures
2025-12-23 05:46:44 +00:00
rate_limiter_testing_plan.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
sample_orchestration_plan.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
SECURITY_COVERAGE_QA_PLAN.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
security_features_spec.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
security_headers_apply_preset_analysis.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
security_headers_investigation.md
fix: consolidate preset UI and fix field name mismatch
2025-12-19 18:55:48 +00:00
ssl_card_pending_fix.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
ssrf_remediation_spec.md
feat(security): comprehensive SSRF protection implementation
2025-12-23 15:09:22 +00:00
structure.md
chore: reorganize repository structure
2025-12-21 04:57:31 +00:00
test_coverage_plan_100_percent.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
test_coverage_plan_sqlite_corruption.md
fix: remove invalid trusted_proxies structure causing 500 error on proxy host save
2025-12-20 05:46:03 +00:00
ui_ux_bugfixes_spec.md
Enhance documentation and testing plans
2025-12-14 02:45:24 +00:00
uptime_monitoring_diagnosis.md
fix(monitoring): resolve uptime port mismatch for non-standard ports
2025-12-23 03:28:45 +00:00
url_test_security_fixes.md
fix: login page warnings and implement secure URL testing
2025-12-22 01:31:57 +00:00
user_handler_coverage_fix.md
test: increase test coverage to 86.1% and fix SSRF test failures
2025-12-23 05:46:44 +00:00
waf_integration_fix.md
fix(integration): resolve WAF test authentication order
2025-12-23 03:40:00 +00:00
waf_testing_plan.md
Enhance documentation and testing plans
2025-12-14 02:45:24 +00:00