Charon/docs/plans at 460ca9aa425665b6b44fa4d6dfd989963363f99e - Charon - Gitea: Git with a cup of tea

akanealw/Charon

Files

History

GitHub Actions 4a9e00c226 fix(security): complete SSRF remediation with defense-in-depth (CWE-918)

Resolves TWO Critical CodeQL SSRF findings by implementing four-layer
defense-in-depth architecture with connection-time validation and
handler-level pre-validation.

Phase 1 - url_testing.go:
- Created ssrfSafeDialer() with atomic DNS resolution
- Eliminates TOCTOU/DNS rebinding vulnerabilities
- Validates IPs at connection time (runtime protection layer)

Phase 2 - settings_handler.go:
- Added security.ValidateExternalURL() pre-validation
- Breaks CodeQL taint chain before network requests
- Maintains API backward compatibility (200 OK for blocks)

Defense-in-depth layers:
1. Admin access control (authorization)
2. Format validation (scheme, paths)
3. SSRF pre-validation (DNS + IP blocking)
4. Runtime re-validation (TOCTOU defense)

Attack protections:
- DNS rebinding/TOCTOU eliminated
- URL parser differentials blocked
- Cloud metadata endpoints protected
- 13+ private CIDR ranges blocked (RFC 1918, link-local, etc.)

Test coverage:
- Backend: 85.1% → 86.4% (+1.3%)
- Patch: 70% → 86.4% (+16.4%)
- 31/31 SSRF test assertions passing
- Added 38 new test cases across 10 functions

Security validation:
- govulncheck: zero vulnerabilities
- Pre-commit: passing
- All linting: passing

Industry compliance:
- OWASP SSRF prevention best practices
- CWE-918 mitigation (CVSS 9.1)
- Defense-in-depth architecture

Refs: #450

2025-12-23 20:52:01 +00:00

..

proof-of-concept

feat: migrate scripts to Agent Skills following agentskills.io specification

2025-12-20 20:37:16 +00:00

agent-skills-migration-spec.md

feat: Update Docker Workflow Analysis & Remediation Plan in current_spec.md

2025-12-21 14:19:51 +00:00

bulk-apply-security-headers-plan.md.backup

feat: migrate scripts to Agent Skills following agentskills.io specification

2025-12-20 20:37:16 +00:00

c-ares_remediation_plan.md

feat: add weekly security rebuild workflow with no-cache scanning

2025-12-14 02:08:16 +00:00

caddy_bouncer_field_remediation.md

fix: add missing field handlers in proxy host Update endpoint

2025-12-20 01:55:52 +00:00

caddy_config_architecture_investigation.md

fix: remove invalid trusted_proxies structure causing 500 error on proxy host save

2025-12-20 05:46:03 +00:00

cerberus_integration_testing_plan.md

Add comprehensive tests for Security Dashboard functionality

2025-12-12 23:51:05 +00:00

cerberus_remediation_plan.md

Enhance documentation and testing plans

2025-12-14 02:45:24 +00:00

cerberus_uiux_testing_plan.md

Enhance documentation and testing plans

2025-12-14 02:45:24 +00:00

ci_failure_fix.md

docs: add CI failure fix plan and root cause analysis for WAF integration test

2025-12-23 06:26:53 +00:00

ci_failure_remediation_plan.md

Enhance documentation and testing plans

2025-12-14 02:45:24 +00:00

cleanup_temp_files.md

Fix Rate Limiting Issues

2025-12-12 19:21:44 +00:00

codecov_config_analysis.md

fix: update Codecov ignore patterns to align with local coverage analysis

2025-12-15 07:30:36 +00:00

codecov-acceptinvite-patch-coverage.md

fix: remove unreachable constant-time compare in AcceptInvite handler

2025-12-22 19:06:12 +00:00

container-hardening-fix.md

feat(docs): add comprehensive container hardening configuration and validation steps

2025-12-23 06:52:19 +00:00

crowdsec_bouncer_research_plan.md

fix: add missing field handlers in proxy host Update endpoint

2025-12-20 01:55:52 +00:00

crowdsec_full_implementation.md

Enhance documentation and testing plans

2025-12-14 02:45:24 +00:00

crowdsec_hotfix_plan.md

fix: add missing field handlers in proxy host Update endpoint

2025-12-20 01:55:52 +00:00

crowdsec_lapi_error_diagnostic.md

fix: enhance LAPI readiness checks and update related UI feedback

2025-12-15 07:30:35 +00:00

crowdsec_nonroot_fix_spec.md

doc: CrowdSec non-root migration fix specification and implementation plan

2025-12-22 02:43:19 +00:00

crowdsec_reconciliation_failure.md

fix: add missing field handlers in proxy host Update endpoint

2025-12-20 01:55:52 +00:00

crowdsec_startup_fix.md

fix(security): resolve CrowdSec startup permission failures

2025-12-23 02:30:22 +00:00

crowdsec_testing_plan.md

Enhance documentation and testing plans

2025-12-14 02:45:24 +00:00

crowdsec_toggle_fix_plan.md

fix: add missing field handlers in proxy host Update endpoint

2025-12-20 01:55:52 +00:00

current_spec.md

doc: plan for docker socket 500 error

2025-12-22 19:30:08 +00:00

db_corruption_guardrails_spec.md

feat: add SQLite database corruption guardrails

2025-12-17 16:53:38 +00:00

docker_socket_trace.md

fix: resolve Docker socket permissions and notification page routing

2025-12-22 21:58:20 +00:00

docs_to_issues_workflow.md

Enhance documentation and testing plans

2025-12-14 02:45:24 +00:00

frontend_coverage_boost.md

Fix Rate Limiting Issues

2025-12-12 19:21:44 +00:00

handler_test_optimization.md

chore: Optimize handler tests by implementing parallel execution, reducing AutoMigrate calls, and introducing helper functions for synchronization. Added a template database for faster test setup and created a new test_helpers.go file for common utilities. Updated multiple test files to utilize these improvements, enhancing overall test performance and reliability.

2025-12-21 06:01:47 +00:00

history_rewrite.md

Fix Rate Limiting Issues

2025-12-12 19:21:44 +00:00

import_cert_dashboard_spec.md

Fix Rate Limiting Issues

2025-12-12 19:21:44 +00:00

instruction_compliance_spec.md

feat: add instruction compliance audit report for Charon codebase

2025-12-20 20:53:25 +00:00

issue-365-additional-security.md

docs: add planning document for Issue #365 Additional Security

2025-12-21 10:26:21 -05:00

issue-365-remaining-work.md

docs: add CI failure fix plan and root cause analysis for WAF integration test

2025-12-23 06:26:53 +00:00

MIGRATION_UPDATE_SUMMARY.md

feat: migrate scripts to Agent Skills following agentskills.io specification

2025-12-20 20:37:16 +00:00

notification_page_trace.md

fix: resolve Docker socket permissions and notification page routing

2025-12-22 21:58:20 +00:00

post_rebuild_diagnostic.md

fix: add missing field handlers in proxy host Update endpoint

2025-12-20 01:55:52 +00:00

pr-434-docker-analysis.md

feat: Add Docker Workflow Analysis & Remediation Plan for PR #434

2025-12-21 14:20:13 +00:00

precommit_performance_fix_spec.md

fix: add missing field handlers in proxy host Update endpoint

2025-12-20 01:55:52 +00:00

prev_spec_archived_dec16.md

fix: add missing field handlers in proxy host Update endpoint

2025-12-20 01:55:52 +00:00

prev_spec_ci_investigation_dec18.md

fix: remove invalid trusted_proxies structure causing 500 error on proxy host save

2025-12-20 05:46:03 +00:00

prev_spec_i18n_language_selector_dec19.md

fix: add missing field handlers in proxy host Update endpoint

2025-12-20 01:55:52 +00:00

prev_spec_security_headers_persistence_dec18.md

fix: add missing field handlers in proxy host Update endpoint

2025-12-20 01:55:52 +00:00

prev_spec_standard_proxy_headers_dec19.md

fix: add missing field handlers in proxy host Update endpoint

2025-12-20 01:55:52 +00:00

prev_spec_uiux_dec16.md

fix: add missing field handlers in proxy host Update endpoint

2025-12-20 01:55:52 +00:00

prev_spec_websocket_fix_dec16.md

fix: add missing field handlers in proxy host Update endpoint

2025-12-20 01:55:52 +00:00

prev_spec_xforwarded_port_investigation.md

fix: remove invalid trusted_proxies structure causing 500 error on proxy host save

2025-12-20 05:46:03 +00:00

qa_remediation.md

test: increase test coverage to 86.1% and fix SSRF test failures

2025-12-23 05:46:44 +00:00

rate_limiter_testing_plan.md

Fix Rate Limiting Issues

2025-12-12 19:21:44 +00:00

sample_orchestration_plan.md

Fix Rate Limiting Issues

2025-12-12 19:21:44 +00:00

SECURITY_COVERAGE_QA_PLAN.md

Fix Rate Limiting Issues

2025-12-12 19:21:44 +00:00

security_features_spec.md

Fix Rate Limiting Issues

2025-12-12 19:21:44 +00:00

security_headers_apply_preset_analysis.md

fix: add missing field handlers in proxy host Update endpoint

2025-12-20 01:55:52 +00:00

security_headers_investigation.md

fix: consolidate preset UI and fix field name mismatch

2025-12-19 18:55:48 +00:00

ssl_card_pending_fix.md

Fix Rate Limiting Issues

2025-12-12 19:21:44 +00:00

ssrf_handler_fix_spec.md

fix(security): complete SSRF remediation with defense-in-depth (CWE-918)

2025-12-23 20:52:01 +00:00

ssrf_remediation_spec.md

feat(security): comprehensive SSRF protection implementation

2025-12-23 15:09:22 +00:00

structure.md

chore: reorganize repository structure

2025-12-21 04:57:31 +00:00

test_coverage_plan_100_percent.md

fix: add missing field handlers in proxy host Update endpoint

2025-12-20 01:55:52 +00:00

test_coverage_plan_sqlite_corruption.md

fix: remove invalid trusted_proxies structure causing 500 error on proxy host save

2025-12-20 05:46:03 +00:00

ui_ux_bugfixes_spec.md

Enhance documentation and testing plans

2025-12-14 02:45:24 +00:00

uptime_monitoring_diagnosis.md

fix(monitoring): resolve uptime port mismatch for non-standard ports

2025-12-23 03:28:45 +00:00

url_test_security_fixes.md

fix: login page warnings and implement secure URL testing

2025-12-22 01:31:57 +00:00

user_handler_coverage_fix.md

test: increase test coverage to 86.1% and fix SSRF test failures

2025-12-23 05:46:44 +00:00

waf_integration_fix.md

fix(integration): resolve WAF test authentication order

2025-12-23 03:40:00 +00:00

waf_testing_plan.md

Enhance documentation and testing plans

2025-12-14 02:45:24 +00:00