akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 7 Packages Projects Releases Wiki Activity
Files
6f64648d1fafe6d4e231eb573d55b6543e733cda
Charon/backend/internal/services/security_notification_service.go
GitHub Actions 745b9e3e97 fix(security): complete SSRF remediation with defense-in-depth (CWE-918) 
Implement three-layer SSRF protection:
- Layer 1: URL pre-validation (existing)
- Layer 2: network.NewSafeHTTPClient() with connection-time IP validation
- Layer 3: Redirect target validation

New package: internal/network/safeclient.go
- IsPrivateIP(): Blocks RFC 1918, loopback, link-local (169.254.x.x),
  reserved ranges, IPv6 private
- safeDialer(): DNS resolve → validate all IPs → dial validated IP
  (prevents DNS rebinding/TOCTOU)
- NewSafeHTTPClient(): Functional options (WithTimeout, WithAllowLocalhost,
  WithAllowedDomains, WithMaxRedirects)

Updated services:
- notification_service.go
- security_notification_service.go
- update_service.go
- crowdsec/registration.go (WithAllowLocalhost for LAPI)
- crowdsec/hub_sync.go (WithAllowedDomains for CrowdSec domains)

Consolidated duplicate isPrivateIP implementations to use network package.

Test coverage: 90.9% for network package
CodeQL: 0 SSRF findings (CWE-918 mitigated)

Closes #450
2025-12-24 17:34:56 +00:00

163 lines
4.4 KiB
Go
Raw Blame History

package services
import (
"bytes"
"context"
"encoding/json"
"fmt"
"net/http"
"time"
"github.com/Wikid82/charon/backend/internal/logger"
"github.com/Wikid82/charon/backend/internal/models"
"github.com/Wikid82/charon/backend/internal/network"
"github.com/Wikid82/charon/backend/internal/security"
"github.com/sirupsen/logrus"
"gorm.io/gorm"
)
// SecurityNotificationService handles dispatching security event notifications.
type SecurityNotificationService struct {
db *gorm.DB
}
// NewSecurityNotificationService creates a new SecurityNotificationService instance.
func NewSecurityNotificationService(db *gorm.DB) *SecurityNotificationService {
return &SecurityNotificationService{db: db}
}
// GetSettings retrieves the notification configuration.
func (s *SecurityNotificationService) GetSettings() (*models.NotificationConfig, error) {
var config models.NotificationConfig
err := s.db.First(&config).Error
if err == gorm.ErrRecordNotFound {
// Return default config if none exists
return &models.NotificationConfig{
Enabled: false,
MinLogLevel: "error",
NotifyWAFBlocks: true,
NotifyACLDenies: true,
}, nil
}
return &config, err
}
// UpdateSettings updates the notification configuration.
func (s *SecurityNotificationService) UpdateSettings(config *models.NotificationConfig) error {
var existing models.NotificationConfig
err := s.db.First(&existing).Error
if err == gorm.ErrRecordNotFound {
// Create new config
return s.db.Create(config).Error
}
if err != nil {
return fmt.Errorf("fetch existing config: %w", err)
}
// Update existing config
config.ID = existing.ID
return s.db.Save(config).Error
}
// Send dispatches a security event to configured channels.
func (s *SecurityNotificationService) Send(ctx context.Context, event models.SecurityEvent) error {
config, err := s.GetSettings()
if err != nil {
return fmt.Errorf("get settings: %w", err)
}
if !config.Enabled {
return nil
}
// Check if event type should be notified
if event.EventType == "waf_block" && !config.NotifyWAFBlocks {
return nil
}
if event.EventType == "acl_deny" && !config.NotifyACLDenies {
return nil
}
// Check severity against minimum log level
if !shouldNotify(event.Severity, config.MinLogLevel) {
return nil
}
// Dispatch to webhook if configured
if config.WebhookURL != "" {
if err := s.sendWebhook(ctx, config.WebhookURL, event); err != nil {
logger.Log().WithError(err).Error("Failed to send webhook notification")
return fmt.Errorf("send webhook: %w", err)
}
}
return nil
}
// sendWebhook sends the event to a webhook URL.
func (s *SecurityNotificationService) sendWebhook(ctx context.Context, webhookURL string, event models.SecurityEvent) error {
// CRITICAL FIX: Validate webhook URL before making request (SSRF protection)
validatedURL, err := security.ValidateExternalURL(webhookURL,
security.WithAllowLocalhost(), // Allow localhost for testing
security.WithAllowHTTP(), // Some webhooks use HTTP
)
if err != nil {
// Log SSRF attempt with high severity
logger.Log().WithFields(logrus.Fields{
"url": webhookURL,
"error": err.Error(),
"event_type": "ssrf_blocked",
"severity": "HIGH",
}).Warn("Blocked SSRF attempt in security notification webhook")
return fmt.Errorf("invalid webhook URL: %w", err)
}
payload, err := json.Marshal(event)
if err != nil {
return fmt.Errorf("marshal event: %w", err)
}
req, err := http.NewRequestWithContext(ctx, "POST", validatedURL, bytes.NewBuffer(payload))
if err != nil {
return fmt.Errorf("create request: %w", err)
}
req.Header.Set("Content-Type", "application/json")
req.Header.Set("User-Agent", "Charon-Cerberus/1.0")
// Use SSRF-safe HTTP client for defense-in-depth
client := network.NewSafeHTTPClient(
network.WithTimeout(10*time.Second),
network.WithAllowLocalhost(), // Allow localhost for testing
)
resp, err := client.Do(req)
if err != nil {
return fmt.Errorf("execute request: %w", err)
}
defer resp.Body.Close()
if resp.StatusCode < 200 || resp.StatusCode >= 300 {
return fmt.Errorf("webhook returned status %d", resp.StatusCode)
}
return nil
}
// shouldNotify determines if an event should trigger a notification based on severity.
func shouldNotify(eventSeverity, minLevel string) bool {
levels := map[string]int{
"debug": 0,
"info": 1,
"warn": 2,
"error": 3,
}
eventLevel := levels[eventSeverity]
minLevelValue := levels[minLevel]
return eventLevel >= minLevelValue
}
Reference in New Issue View Git Blame Copy Permalink