akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 14 Packages Projects Releases Wiki Activity
Files
e0f69cdfc89fca85617a8e3fa10a9c3128da2e18
Charon/docs/reports
History
GitHub Actions e0f69cdfc8 feat(security): comprehensive SSRF protection implementation 
BREAKING CHANGE: UpdateService.SetAPIURL() now returns error

Implements defense-in-depth SSRF protection across all user-controlled URLs:

Security Fixes:
- CRITICAL: Fixed security notification webhook SSRF vulnerability
- CRITICAL: Added GitHub domain allowlist for update service
- HIGH: Protected CrowdSec hub URLs with domain allowlist
- MEDIUM: Validated CrowdSec LAPI URLs (localhost-only)

Implementation:
- Created /backend/internal/security/url_validator.go (90.4% coverage)
- Blocks 13+ private IP ranges and cloud metadata endpoints
- DNS resolution with timeout and IP validation
- Comprehensive logging of SSRF attempts (HIGH severity)
- Defense-in-depth: URL format → DNS → IP → Request execution

Testing:
- 62 SSRF-specific tests covering all attack vectors
- 255 total tests passing (84.8% coverage)
- Zero security vulnerabilities (Trivy, go vuln check)
- OWASP A10 compliant

Documentation:
- Comprehensive security guide (docs/security/ssrf-protection.md)
- Manual test plan (30 test cases)
- Updated API docs, README, SECURITY.md, CHANGELOG

Security Impact:
- Pre-fix: CVSS 8.6 (HIGH) - Exploitable SSRF
- Post-fix: CVSS 0.0 (NONE) - Vulnerability eliminated

Refs: #450 (beta release)
See: docs/plans/ssrf_remediation_spec.md for full specification
2025-12-23 15:09:22 +00:00
..
cerberus_live_logs_qa_report.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
ci_failure_diagnosis.md
fix: enhance LAPI readiness checks and update related UI feedback
2025-12-15 07:30:35 +00:00
compliance_qa_report.md
chore: implement instruction compliance remediation
2025-12-21 04:08:42 +00:00
crowdsec_app_level_config.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec_bouncer_field_investigation.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec_final_validation_20251215.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec_final_validation.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec_fix_deployment.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec_integration_summary.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
crowdsec_migration_qa_report.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec_production_ready_20251215_205500.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec_trusted_proxies_fix.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec_validation_final.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
crowdsec-preset-fix-summary.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
crowdsec-preset-pull-apply-debug.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
definition_of_done_report.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
HOTFIX_CROWDSEC_INTEGRATION_ISSUES.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
HTTP_HEADER_SCAN.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
implementation_notes.md
Add ImportSuccessModal tests, enhance AuthContext for token management, and improve useImport hook
2025-12-12 00:05:15 +00:00
precommit_fix_verification.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
precommit_performance_diagnosis.md
fix: remove invalid trusted_proxies structure causing 500 error on proxy host save
2025-12-20 05:46:03 +00:00
qa_agent_skills_migration.md
feat: migrate scripts to Agent Skills following agentskills.io specification
2025-12-20 20:37:16 +00:00
qa_crowdsec_frontend_coverage_report.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
qa_crowdsec_implementation.md
Enhance documentation and testing plans
2025-12-14 02:45:24 +00:00
qa_crowdsec_lapi_availability_fix.md
fix: enhance LAPI readiness checks and update related UI feedback
2025-12-15 07:30:35 +00:00
qa_crowdsec_startup_test_failure.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
qa_crowdsec_toggle_fix_summary.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
qa_final_crowdsec_validation.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
qa_i18n_report.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
qa_race_and_test_failures_2025-12-12.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
qa_report_bulk_apply_headers.md
feat: add security header profiles to bulk apply
2025-12-20 15:19:06 +00:00
qa_report_capi_fix.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
qa_report_crowdsec_architecture.md
fix: enhance LAPI readiness checks and update related UI feedback
2025-12-15 07:30:35 +00:00
qa_report_crowdsec_markdownlint_20251212.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
qa_report_crowdsec_startup_fix.md
fix(security): resolve CrowdSec startup and permission issues
2025-12-23 01:59:21 +00:00
qa_report_crowdsec_verification.md
fix(crowdsec): resolve non-root container migration issues
2025-12-22 04:03:04 +00:00
qa_report_docker_tag_fix_pr421.md
fix: use PR number instead of ref_name for Docker image tags
2025-12-17 20:00:44 +00:00
qa_report_final.md
test: increase test coverage to 86.1% and fix SSRF test failures
2025-12-23 05:46:44 +00:00
qa_report_geoip_v2.md
fix: enhance LAPI readiness checks and update related UI feedback
2025-12-15 07:30:35 +00:00
qa_report_i18n.md
fix: remove invalid trusted_proxies structure causing 500 error on proxy host save
2025-12-20 05:46:03 +00:00
qa_report_issue20_security_headers.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
qa_report_issue365.md
feat(docs): add comprehensive container hardening configuration and validation steps
2025-12-23 06:52:19 +00:00
qa_report_proxy_host_update_fix.md
fix: remove invalid trusted_proxies structure causing 500 error on proxy host save
2025-12-20 05:46:03 +00:00
qa_report_rate_limiting_20251212.md
Fix Rate Limiting Issues
2025-12-12 19:21:44 +00:00
qa_report_sidebar_ui.md
feat: improve sidebar and header UX with scrollable navigation and fixed header
2025-12-21 21:04:13 +00:00
qa_report_standard_proxy_headers.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
qa_report.md
test: increase test coverage to 86.1% and fix SSRF test failures
2025-12-23 05:46:44 +00:00
qa_security_headers_fix_2025-12-18.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
qa_security_weekly_workflow.md
feat: add weekly security workflow implementation and documentation
2025-12-14 02:03:38 +00:00
qa_ssrf_remediation_report.md
feat(security): comprehensive SSRF protection implementation
2025-12-23 15:09:22 +00:00
qa_summary_sidebar_ui.md
feat: improve sidebar and header UX with scrollable navigation and fixed header
2025-12-21 21:04:13 +00:00
qa_test_coverage_audit.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
qa_uiux_testing_report.md
Enhance documentation and testing plans
2025-12-14 02:45:24 +00:00
rate_limit_fix_summary.md
Enhance documentation and testing plans
2025-12-14 02:45:24 +00:00
rate_limit_test_status.md
fix: enhance LAPI readiness checks and update related UI feedback
2025-12-15 07:30:35 +00:00
security_headers_bug_fix_summary.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00
security_headers_trace.md
fix: add missing field handlers in proxy host Update endpoint
2025-12-20 01:55:52 +00:00