akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity
Files
70bd60dbce5c5a333418e2a18e02b2d5511c8d46
Charon/SECURITY.md
GitHub Actions e0f69cdfc8 feat(security): comprehensive SSRF protection implementation 
BREAKING CHANGE: UpdateService.SetAPIURL() now returns error

Implements defense-in-depth SSRF protection across all user-controlled URLs:

Security Fixes:
- CRITICAL: Fixed security notification webhook SSRF vulnerability
- CRITICAL: Added GitHub domain allowlist for update service
- HIGH: Protected CrowdSec hub URLs with domain allowlist
- MEDIUM: Validated CrowdSec LAPI URLs (localhost-only)

Implementation:
- Created /backend/internal/security/url_validator.go (90.4% coverage)
- Blocks 13+ private IP ranges and cloud metadata endpoints
- DNS resolution with timeout and IP validation
- Comprehensive logging of SSRF attempts (HIGH severity)
- Defense-in-depth: URL format → DNS → IP → Request execution

Testing:
- 62 SSRF-specific tests covering all attack vectors
- 255 total tests passing (84.8% coverage)
- Zero security vulnerabilities (Trivy, go vuln check)
- OWASP A10 compliant

Documentation:
- Comprehensive security guide (docs/security/ssrf-protection.md)
- Manual test plan (30 test cases)
- Updated API docs, README, SECURITY.md, CHANGELOG

Security Impact:
- Pre-fix: CVSS 8.6 (HIGH) - Exploitable SSRF
- Post-fix: CVSS 0.0 (NONE) - Vulnerability eliminated

Refs: #450 (beta release)
See: docs/plans/ssrf_remediation_spec.md for full specification
2025-12-23 15:09:22 +00:00

7.9 KiB
Raw Blame History

Security Policy

Supported Versions

We release security updates for the following versions:

Version Supported
1.0.x
< 1.0

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability in Charon, please report it responsibly.

Where to Report

Preferred Method: GitHub Security Advisory (Private)

  1. Go to https://github.com/Wikid82/charon/security/advisories/new
  2. Fill out the advisory form with:
    • Vulnerability description
    • Steps to reproduce
    • Proof of concept (non-destructive)
    • Impact assessment
    • Suggested fix (if applicable)

Alternative Method: Email

  • Send to: security@charon.dev (if configured)
  • Use PGP encryption (key available below, if applicable)
  • Include same information as GitHub advisory

What to Include

Please provide:

  1. Description: Clear explanation of the vulnerability
  2. Reproduction Steps: Detailed steps to reproduce the issue
  3. Impact Assessment: What an attacker could do with this vulnerability
  4. Environment: Charon version, deployment method, OS, etc.
  5. Proof of Concept: Code or commands demonstrating the vulnerability (non-destructive)
  6. Suggested Fix: If you have ideas for remediation

What Happens Next

  1. Acknowledgment: We'll acknowledge your report within 48 hours
  2. Investigation: We'll investigate and assess the severity
  3. Updates: We'll provide regular status updates (weekly minimum)
  4. Fix Development: We'll develop and test a fix
  5. Disclosure: Coordinated disclosure after fix is released
  6. Credit: We'll credit you in release notes (if desired)

Responsible Disclosure

We ask that you:

  • Give us reasonable time to fix the issue before public disclosure (90 days preferred)
  • Avoid destructive testing or attacks on production systems
  • Not access, modify, or delete data that doesn't belong to you
  • Not perform actions that could degrade service for others

We commit to:

  • Respond to your report within 48 hours
  • Provide regular status updates
  • Credit you in release notes (if desired)
  • Not pursue legal action for good-faith security research

Security Features

Server-Side Request Forgery (SSRF) Protection

Charon implements industry-leading SSRF protection to prevent attackers from using the application to access internal resources or cloud metadata.

Protected Against

  • Private network access (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • Cloud provider metadata endpoints (AWS, Azure, GCP)
  • Localhost and loopback addresses (127.0.0.0/8, ::1/128)
  • Link-local addresses (169.254.0.0/16, fe80::/10)
  • Protocol bypass attacks (file://, ftp://, gopher://, data:)

Validation Process

All user-controlled URLs undergo:

  1. URL Format Validation: Scheme, syntax, and structure checks
  2. DNS Resolution: Hostname resolution with timeout protection
  3. IP Range Validation: Blocked ranges include 13+ CIDR blocks
  4. Request Execution: Timeout enforcement and redirect limiting

Protected Features

  • Security notification webhooks
  • Custom webhook notifications
  • CrowdSec hub synchronization
  • External URL connectivity testing (admin-only)

Learn More

For complete technical details, see:

Authentication & Authorization

  • JWT-based authentication: Secure token-based sessions
  • Role-based access control: Admin vs. user permissions
  • Session management: Automatic expiration and renewal
  • Secure cookie attributes: HttpOnly, Secure (HTTPS), SameSite

Data Protection

  • Database encryption: Sensitive data encrypted at rest
  • Secure credential storage: Hashed passwords, encrypted API keys
  • Input validation: All user inputs sanitized and validated
  • Output encoding: XSS protection via proper encoding

Infrastructure Security

  • Container isolation: Docker-based deployment
  • Minimal attack surface: Alpine Linux base image
  • Dependency scanning: Regular Trivy and govulncheck scans
  • No unnecessary services: Single-purpose container design

Web Application Firewall (WAF)

  • Coraza WAF integration: OWASP Core Rule Set support
  • Rate limiting: Protection against brute-force and DoS
  • IP allowlisting/blocklisting: Network access control
  • CrowdSec integration: Collaborative threat intelligence

Security Best Practices

Deployment Recommendations

  1. Use HTTPS: Always deploy behind a reverse proxy with TLS
  2. Restrict Admin Access: Limit admin panel to trusted IPs
  3. Regular Updates: Keep Charon and dependencies up to date
  4. Secure Webhooks: Only use trusted webhook endpoints
  5. Strong Passwords: Enforce password complexity policies
  6. Backup Encryption: Encrypt backup files before storage

Configuration Hardening

# Recommended docker-compose.yml settings
services:
  charon:
    image: ghcr.io/wikid82/charon:latest
    restart: unless-stopped
    environment:
      - CHARON_ENV=production
      - LOG_LEVEL=info  # Don't use debug in production
    volumes:
      - ./charon-data:/app/data:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro  # Read-only!
    networks:
      - charon-internal  # Isolated network
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE  # Only if binding to ports < 1024
    security_opt:
      - no-new-privileges:true
    read_only: true  # If possible
    tmpfs:
      - /tmp:noexec,nosuid,nodev

Network Security

  • Firewall Rules: Only expose necessary ports (80, 443, 8080)
  • VPN Access: Use VPN for admin access in production
  • Fail2Ban: Consider fail2ban for brute-force protection
  • Intrusion Detection: Enable CrowdSec for threat detection

Security Audits & Scanning

Automated Scanning

We use the following tools:

  • Trivy: Container image vulnerability scanning
  • CodeQL: Static code analysis for Go and JavaScript
  • govulncheck: Go module vulnerability scanning
  • golangci-lint: Go code linting (including gosec)
  • npm audit: Frontend dependency vulnerability scanning

Manual Reviews

  • Security code reviews for all major features
  • Peer review of security-sensitive changes
  • Third-party security audits (planned)

Continuous Monitoring

  • GitHub Dependabot alerts
  • Weekly security scans in CI/CD
  • Community vulnerability reports

Known Security Considerations

Third-Party Dependencies

CrowdSec Binaries: As of December 2025, CrowdSec binaries shipped with Charon contain 4 HIGH-severity CVEs in Go stdlib (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729). These are upstream issues in Go 1.25.1 and will be resolved when CrowdSec releases binaries built with Go 1.25.5+.

Impact: Low. These vulnerabilities are in CrowdSec's third-party binaries, not in Charon's application code. They affect HTTP/2, TLS certificate handling, and archive parsing—areas not directly exposed to attackers through Charon's interface.

Mitigation: Monitor CrowdSec releases for updated binaries. Charon's own application code has zero vulnerabilities.

Security Hall of Fame

We recognize security researchers who help improve Charon:

  • Your name could be here!

Security Contact

License

This security policy is part of the Charon project, licensed under the MIT License.

Last Updated: December 23, 2025 Version: 1.0

Reference in New Issue View Git Blame Copy Permalink