fix(security): resolve API key logging vulnerability and enhance import validation
Critical security fix addressing CWE-312/315/359 (Cleartext Storage/Cookie
Storage/Privacy Exposure) where CrowdSec bouncer API keys were logged in cleartext.
Implemented maskAPIKey() utility to show only first 4 and last 4 characters,
protecting sensitive credentials in production logs.
Enhanced CrowdSec configuration import validation with:
- Zip bomb protection via 100x compression ratio limit
- Format validation rejecting zip archives (only tar.gz allowed)
- CrowdSec-specific YAML structure validation
- Rollback mechanism on validation failures
UX improvement: moved CrowdSec API key display from Security Dashboard to
CrowdSec Config page for better logical organization.
Comprehensive E2E test coverage:
- Created 10 test scenarios including valid import, missing files, invalid YAML,
zip bombs, wrong formats, and corrupted archives
- 87/108 E2E tests passing (81% pass rate, 0 regressions)
Security validation:
- CodeQL: 0 CWE-312/315/359 findings (vulnerability fully resolved)
- Docker Image: 7 HIGH base image CVEs documented (non-blocking, Debian upstream)
- Pre-commit hooks: 13/13 passing (fixed 23 total linting issues)
Backend coverage: 82.2% (+1.1%)
Frontend coverage: 84.19% (+0.3%)
93894c517b