- Added clarity and structure to README files, including recent updates and getting started sections.
- Improved manual verification documentation for CrowdSec authentication, emphasizing expected outputs and success criteria.
- Updated debugging guide with detailed output examples and automatic trace capture information.
- Refined best practices for E2E tests, focusing on efficient polling, locator strategies, and state management.
- Documented triage report for DNS Provider feature tests, highlighting issues fixed and test results before and after improvements.
- Revised E2E test writing guide to include when to use specific helper functions and patterns for better test reliability.
- Enhanced troubleshooting documentation with clear resolutions for common issues, including timeout and token configuration problems.
- Updated tests README to provide quick links and best practices for writing robust tests.
Security Validation Report - Feb 2026
Date: 2026-02-06
Scope: E2E Test Validation & Container Security Scan
Status: 🔴 FAIL
1. Executive Summary
Validation of the recent security enforcement updates revealed that while the core functionality is operational (frontend and backend are responsive), there are meaningful regression failures in E2E tests, specifically related to accessibility compliance and keyboard navigation. Additionally, a potentially flaky or timeout-prone behavior was observed in the CrowdSec diagnostics suite.
2. E2E Test Failures
The following tests failed during the firefox project execution against the E2E environment (http://127.0.0.1:8080).
2.1. Accessibility Failures (Severity: Medium)
Test: tests/security/crowdsec-config.spec.ts
Case: CrowdSec Configuration @security › Accessibility › should have accessible form controls
Error:
Error: expect(received).toBeTruthy()
Received: null
Location: crowdsec-config.spec.ts:296:28
Analysis: Input fields in the CrowdSec configuration form are missing accessible labels (via aria-label, aria-labelledby, or <label for="...">). This violates WCAG 2.1 guidelines and causes test failure.
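Added example, not code from this project or from Playwright: a stand-alone TypeScript check that reproduces the rule behind this failure, so a reviewer can see which of the three labelling mechanisms each control satisfies. The `El` element model, the function names and the sample form are constructed for the example.

```typescript
// Added example (not project code): a stand-alone accessible-name check that
// mirrors the rule the failing spec enforces. `El` is a constructed stand-in
// for DOM nodes, not Playwright's API.
interface El {
  tag: string;
  id?: string;
  attrs?: Record<string, string>;
  text?: string;
}

const CONTROL_TAGS = new Set(["input", "select", "textarea"]);

// Resolve a control's accessible name via the three mechanisms named in the
// report: aria-label, aria-labelledby (every referenced id must exist and carry
// text), or a <label for="..."> matching the control's id. Null means unlabeled.
function accessibleName(control: El, doc: El[]): string | null {
  const attrs = control.attrs ?? {};
  const ariaLabel = attrs["aria-label"]?.trim();
  if (ariaLabel) return ariaLabel;
  if (attrs["aria-labelledby"]) {
    const refs = attrs["aria-labelledby"].split(/\s+/);
    const parts = refs.map((r) => doc.find((e) => e.id === r)?.text?.trim() ?? "");
    if (parts.every((t) => t.length > 0)) return parts.join(" ");
  }
  if (control.id) {
    const label = doc.find((e) => e.tag === "label" && e.attrs?.["for"] === control.id);
    if (label?.text?.trim()) return label.text!.trim();
  }
  return null; // this is the `Received: null` the report shows
}

// List every form control that has no accessible name, as "tag#id".
function unlabeledControls(doc: El[]): string[] {
  return doc
    .filter((e) => CONTROL_TAGS.has(e.tag) && accessibleName(e, doc) === null)
    .map((e) => `${e.tag}#${e.id ?? "(no id)"}`);
}

// Constructed sample form, loosely modelled on a CrowdSec settings page: the
// first two inputs are labelled correctly; the toggle has no label at all and
// the API-key field points aria-labelledby at an id that does not exist.
const SAMPLE_FORM: El[] = [
  { tag: "label", attrs: { for: "lapi-url" }, text: "LAPI URL" },
  { tag: "input", id: "lapi-url", attrs: { type: "text" } },
  { tag: "span", id: "ban-help", text: "Ban duration" },
  { tag: "input", id: "ban-duration", attrs: { "aria-labelledby": "ban-help" } },
  { tag: "input", id: "enabled", attrs: { type: "checkbox" } },
  { tag: "input", id: "api-key", attrs: { "aria-labelledby": "missing" } },
];
```

Running `unlabeledControls(SAMPLE_FORM)` against this sample reports the two controls a spec like the one above would fail on, including the dangling `aria-labelledby` reference that a naive "attribute is present" check would miss.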
2.2. Keyboard Navigation Failures (Severity: Medium)
Test: tests/security/crowdsec-decisions.spec.ts
Case: CrowdSec Banned IPs Management › Accessibility › should be keyboard navigable
Error:
Error: expect(locator).toBeVisible() failed
Locator: locator(':focus')
Expected: visible
Analysis: The "Banned IPs" card or table does not properly handle initial focus or tab navigation, resulting in focus being lost or placed on a non-visible element.
2.3. Test Interruption / Potential Timeout (Severity: Low/Flaky)
Test: tests/security/crowdsec-diagnostics.spec.ts
Case: CrowdSec Diagnostics › Connectivity Checks › should optionally report console reachability
Status: Interrupted
Analysis: The test runner execution was interrupted or timed out on this specific test. Backend logs confirm that the connectivity endpoint /api/v1/admin/crowdsec/diagnostics/connectivity responded successfully in ~166ms, suggesting the issue is client-side (Playwright) or a network race condition while waiting for the next step.
3. Security Scan Results (Trivy)
Image: charon:local (Debian 13.3)
Overall: 2 HIGH, 0 CRITICAL
| Library | Vulnerability | Severity | Fixed Version | Title |
|---|---|---|---|---|
| libc-bin | CVE-2026-0861 | HIGH | (None) | glibc: Integer overflow in memalign |
| libc6 | CVE-2026-0861 | HIGH | (None) | glibc: Integer overflow in memalign |
Analysis:
The vulnerabilities are detected in the base OS (glibc). Currently, there is no fixed version available in the upstream repositories for this Debian version. These are considered Acceptable Risks for the moment until upstream patches are released.
4. Recommendations
- Remediate Accessibility: Update the `CrowdSecConfig` React component to add `aria-label` to form inputs, specifically those used for configuration toggles or text fields.
- Fix Focus Management: Ensure the Banned IPs table has a valid tab order and visually indicates focus.
- Monitor Flakiness: Re-run diagnostics tests in isolation to confirm if the interruption is persistent.
- Accept Risk (OS): Acknowledge the `glibc` vulnerabilities and schedule a base image update check in 30 days.