akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 6 Packages Projects Releases Wiki Activity
Files
c21fd17ec92c0606fec201c40eb86126bca10a84
Charon/docs/reports
History
GitHub Actions 4a9e00c226 fix(security): complete SSRF remediation with defense-in-depth (CWE-918) 
Resolves TWO Critical CodeQL SSRF findings by implementing four-layer
defense-in-depth architecture with connection-time validation and
handler-level pre-validation.

Phase 1 - url_testing.go:
- Created ssrfSafeDialer() with atomic DNS resolution
- Eliminates TOCTOU/DNS rebinding vulnerabilities
- Validates IPs at connection time (runtime protection layer)

Phase 2 - settings_handler.go:
- Added security.ValidateExternalURL() pre-validation
- Breaks CodeQL taint chain before network requests
- Maintains API backward compatibility (200 OK for blocks)

Defense-in-depth layers:
1. Admin access control (authorization)
2. Format validation (scheme, paths)
3. SSRF pre-validation (DNS + IP blocking)
4. Runtime re-validation (TOCTOU defense)

Attack protections:
- DNS rebinding/TOCTOU eliminated
- URL parser differentials blocked
- Cloud metadata endpoints protected
- 13+ private CIDR ranges blocked (RFC 1918, link-local, etc.)

Test coverage:
- Backend: 85.1% → 86.4% (+1.3%)
- Patch: 70% → 86.4% (+16.4%)
- 31/31 SSRF test assertions passing
- Added 38 new test cases across 10 functions

Security validation:
- govulncheck: zero vulnerabilities
- Pre-commit: passing
- All linting: passing

Industry compliance:
- OWASP SSRF prevention best practices
- CWE-918 mitigation (CVSS 9.1)
- Defense-in-depth architecture

Refs: #450
2025-12-23 20:52:01 +00:00
..
cerberus_live_logs_qa_report.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
ci_failure_diagnosis.md
fix: enhance LAPI readiness checks and update related UI feedback
2025-12-15 07:30:35 +00:00
compliance_qa_report.md
chore: implement instruction compliance remediation
2025-12-21 04:08:42 +00:00
coverage_gap_analysis.md
test: add comprehensive frontend tests for Public URL and invite preview features
2025-12-23 16:32:19 +00:00
coverage_verification.md
test: add comprehensive frontend tests for Public URL and invite preview features
2025-12-23 16:32:19 +00:00
crowdsec_app_level_config.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec_bouncer_field_investigation.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec_final_validation_20251215.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec_final_validation.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec_fix_deployment.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec_integration_summary.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
crowdsec_migration_qa_report.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec_production_ready_20251215_205500.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec_trusted_proxies_fix.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec_validation_final.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec-preset-fix-summary.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
crowdsec-preset-pull-apply-debug.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
definition_of_done_report.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
HOTFIX_CROWDSEC_INTEGRATION_ISSUES.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
HTTP_HEADER_SCAN.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
implementation_notes.md
Add ImportSuccessModal tests, enhance AuthContext for token management, and improve useImport hook
2025-12-12 00:05:15 +00:00
precommit_fix_verification.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
precommit_performance_diagnosis.md
fix: remove invalid trusted_proxies structure causing 500 error on proxy host save
2025-12-20 05:46:03 +00:00
qa_agent_skills_migration.md
feat: migrate scripts to Agent Skills following agentskills.io specification
2025-12-20 20:37:16 +00:00
qa_crowdsec_frontend_coverage_report.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
qa_crowdsec_implementation.md
Enhance documentation and testing plans
2025-12-14 02:45:24 +00:00
qa_crowdsec_lapi_availability_fix.md
fix: enhance LAPI readiness checks and update related UI feedback
2025-12-15 07:30:35 +00:00
qa_crowdsec_startup_test_failure.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
qa_crowdsec_toggle_fix_summary.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
qa_final_crowdsec_validation.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
qa_i18n_report.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
qa_race_and_test_failures_2025-12-12.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
qa_report_bulk_apply_headers.md
feat: add security header profiles to bulk apply
2025-12-20 15:19:06 +00:00
qa_report_capi_fix.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
qa_report_crowdsec_architecture.md
fix: enhance LAPI readiness checks and update related UI feedback
2025-12-15 07:30:35 +00:00
qa_report_crowdsec_markdownlint_20251212.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
qa_report_crowdsec_startup_fix.md
fix(security): resolve CrowdSec startup and permission issues
2025-12-23 01:59:21 +00:00
qa_report_crowdsec_verification.md
fix(crowdsec): resolve non-root container migration issues
2025-12-22 04:03:04 +00:00
qa_report_docker_tag_fix_pr421.md
fix: use PR number instead of ref_name for Docker image tags
2025-12-17 20:00:44 +00:00
qa_report_final.md
test: increase test coverage to 86.1% and fix SSRF test failures
2025-12-23 05:46:44 +00:00
qa_report_geoip_v2.md
fix: enhance LAPI readiness checks and update related UI feedback
2025-12-15 07:30:35 +00:00
qa_report_i18n.md
fix: remove invalid trusted_proxies structure causing 500 error on proxy host save
2025-12-20 05:46:03 +00:00
qa_report_issue20_security_headers.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
qa_report_issue365.md
feat(docs): add comprehensive container hardening configuration and validation steps
2025-12-23 06:52:19 +00:00
qa_report_proxy_host_update_fix.md
fix: remove invalid trusted_proxies structure causing 500 error on proxy host save
2025-12-20 05:46:03 +00:00
qa_report_rate_limiting_20251212.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
qa_report_sidebar_ui.md
feat: improve sidebar and header UX with scrollable navigation and fixed header
2025-12-21 21:04:13 +00:00
qa_report_ssrf_fix.md
fix(security): complete SSRF remediation with defense-in-depth (CWE-918)
2025-12-23 20:52:01 +00:00
qa_report_standard_proxy_headers.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
qa_report.md
test: increase test coverage to 86.1% and fix SSRF test failures
2025-12-23 05:46:44 +00:00
qa_security_headers_fix_2025-12-18.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
qa_security_weekly_workflow.md
feat: add weekly security workflow implementation and documentation
2025-12-14 02:03:38 +00:00
qa_ssrf_remediation_report.md
feat(security): comprehensive SSRF protection implementation
2025-12-23 15:09:22 +00:00
qa_summary_sidebar_ui.md
feat: improve sidebar and header UX with scrollable navigation and fixed header
2025-12-21 21:04:13 +00:00
qa_test_coverage_audit.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
qa_uiux_testing_report.md
Enhance documentation and testing plans
2025-12-14 02:45:24 +00:00
rate_limit_fix_summary.md
Enhance documentation and testing plans
2025-12-14 02:45:24 +00:00
rate_limit_test_status.md
fix: enhance LAPI readiness checks and update related UI feedback
2025-12-15 07:30:35 +00:00
security_headers_bug_fix_summary.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
security_headers_trace.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
SSRF_DOCUMENTATION_UPDATE_SUMMARY.md
fix(security): eliminate SSRF vulnerability in URL connectivity testing (CWE-918)
2025-12-23 17:10:12 +00:00