akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
c8a6542c06a9cd4a3a2e8857cfc3b546e0d8fbfe
Charon/docs/security/2026-02-06-validation-report.md
GitHub Actions 3169b05156 fix: skip incomplete system log viewer tests 
- Marked 12 tests as skip pending feature implementation
- Features tracked in GitHub issue #686 (system log viewer feature completion)
- Tests cover sorting by timestamp/level/method/URI/status, pagination controls, filtering by text/level, download functionality
- Unblocks Phase 2 at 91.7% pass rate to proceed to Phase 3 security enforcement validation
- TODO comments in code reference GitHub #686 for feature completion tracking
- Tests skipped: Pagination (3), Search/Filter (2), Download (2), Sorting (1), Log Display (4)
2026-02-09 21:55:55 +00:00

65 lines
3.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Security Validation Report - Feb 2026
**Date:** 2026-02-06
**Scope:** E2E Test Validation & Container Security Scan
**Status:** 🔴 FAIL
## 1. Executive Summary
Validation of the recent security enforcement updates revealed that while the core functionality is operational (frontend and backend are responsive), there are meaningful regression failures in E2E tests, specifically related to accessibility compliance and keyboard navigation. Additionally, a potentially flaky or timeout-prone behavior was observed in the CrowdSec diagnostics suite.
## 2. E2E Test Failures
The following tests failed during the `firefox` project execution against the E2E environment (`http://127.0.0.1:8080`).
### 2.1. Accessibility Failures (Severity: Medium)
**Test:** `tests/security/crowdsec-config.spec.ts`
**Case:** `CrowdSec Configuration @security Accessibility should have accessible form controls`
**Error:**
```text
Error: expect(received).toBeTruthy()
Received: null
Location: crowdsec-config.spec.ts:296:28
```
**Analysis:** Input fields in the CrowdSec configuration form are missing accessible labels (via `aria-label`, `aria-labelledby`, or `<label for="...">`). This violates WCAG 2.1 guidelines and causes test failure.
### 2.2. Keyboard Navigation Failures (Severity: Medium)
**Test:** `tests/security/crowdsec-decisions.spec.ts`
**Case:** `CrowdSec Banned IPs Management Accessibility should be keyboard navigable`
**Error:**
```text
Error: expect(locator).toBeVisible() failed
Locator: locator(':focus')
Expected: visible
```
**Analysis:** The "Banned IPs" card or table does not properly handle initial focus or tab navigation, resulting in focus being lost or placed on a non-visible element.
### 2.3. Test Interruption / Potential Timeout (Severity: Low/Flaky)
**Test:** `tests/security/crowdsec-diagnostics.spec.ts`
**Case:** `CrowdSec Diagnostics Connectivity Checks should optionally report console reachability`
**Status:** Interrupted
**Analysis:** The test runner execution was interrupted or timed out on this specific test. Backend logs confirm the connectivity endpoint `/api/v1/admin/crowdsec/diagnostics/connectivity` responded successfully in ~166ms, suggesting the issue might be client-side (Playwright) or network race condition waiting for the next step.
## 3. Security Scan Results (Trivy)
**Image:** `charon:local` (Debian 13.3)
**Overall:** 2 HIGH, 0 CRITICAL
| Library | Vulnerability | Severity | Fixed Version | Title |
| :--- | :--- | :--- | :--- | :--- |
| `libc-bin` | CVE-2026-0861 | HIGH | *(None)* | glibc: Integer overflow in memalign |
| `libc6` | CVE-2026-0861 | HIGH | *(None)* | glibc: Integer overflow in memalign |
**Analysis:**
The vulnerabilities are detected in the base OS (`glibc`). Currently, there is no fixed version available in the upstream repositories for this Debian version. These are considered **Acceptable Risks** for the moment until upstream patches are released.
## 4. Recommendations
1. **Remediate Accessibility:** Update `CrowdSecConfig` React component to add `aria-label` to form inputs, specifically those used for configuration toggles or text fields.
2. **Fix Focus Management:** Ensure the Banned IPs table has a valid tab order and visually indicates focus.
3. **Monitor Flakiness:** Re-run diagnostics tests in isolation to confirm if the interruption is persistent.
4. **Accept Risk (OS):** Acknowledge the `glibc` vulnerabilities and schedule a base image update check in 30 days.
Reference in New Issue View Git Blame Copy Permalink