Charon/docs/implementation/E2E_SECURITY_ENFORCEMENT_FAILURES_SPEC.md at eb62ab648fcbcec23817c2abe4656e2604097d9d

Files

GitHub Actions 270597bb79 chore: Add E2E Security Enforcement Failures Spec and GORM Security Fix Documentation

- Introduced a new document detailing the remediation plan for E2E security enforcement failures, including root cause analysis and proposed fixes for identified issues.
- Updated the implementation README to include the GORM Security Scanner documentation.
- Replaced the existing GitHub Actions E2E Trigger Investigation Plan with a comprehensive GORM ID Leak Security Vulnerability Fix plan, outlining the critical security bug, its impact, and a structured implementation plan for remediation.
- Revised the QA report to reflect the status of the GORM security fixes, highlighting the critical vulnerabilities found during the Docker image scan and the necessary actions to address them.

2026-01-28 10:30:03 +00:00

5.1 KiB

Raw Blame History

E2E Security Enforcement Failures Remediation Plan (2 Remaining)

Context

Branch: feature/beta-release
Source: docs/reports/qa_report.md
Failures: /api/v1/users setup socket hang up (Security Dashboard navigation), Emergency token baseline blocking (Test 1)

Phase 1 – Analyze (Root Cause Mapping)

Failure A: `/api/v1/users` setup socket hang up (Security Dashboard navigation)

Symptoms

apiRequestContext.post socket hang up during test setup user creation in:
- tests/security/security-dashboard.spec.ts (navigation suite)

Likely Backend Cause

Test setup creates an admin user via POST /api/v1/users, which is routed through Cerberus middleware before auth.
If ACL is enabled and the test runner IP is not in security.admin_whitelist, Cerberus will block all requests when no active ACLs exist.
This block can present as a socket hang up when the proxy closes the connection before Playwright reads the response.

Backend Evidence

Cerberus middleware executes on all /api/v1/* routes: backend/internal/api/routes/routes.go
- api.Use(cerb.Middleware()) and protected.POST("/users", userHandler.CreateUser)
ACL default-deny behavior and whitelist bypass: backend/internal/cerberus/cerberus.go
- Cerberus.Middleware and isAdminWhitelisted
User creation handler expects admin role after auth: backend/internal/api/handlers/user_handler.go
- UserHandler.CreateUser

Fix Options (Backend)

Ensure ACL cannot block authenticated admin setup calls by moving Cerberus after auth for protected routes (so role can be evaluated).
Add an explicit Cerberus bypass for /api/v1/users setup in test/dev mode when the request has a valid admin session.
Require at least one allow/deny list entry before enabling ACL, and return a clear 4xx error instead of terminating the connection.

Failure B: Emergency token baseline not blocked (Test 1)

Symptoms

Expected 403 from /api/v1/security/status, received 200 in:
- tests/security-enforcement/emergency-token.spec.ts (Test 1)

Likely Backend Cause

ACL is enabled via /api/v1/settings, but Cerberus treats the request IP as whitelisted (e.g., 127.0.0.1/32) and skips ACL enforcement.
The whitelist is stored in SecurityConfig and can persist from prior tests, causing ACL bypass for authenticated requests even without the emergency token.

Backend Evidence

Admin whitelist bypass check: backend/internal/cerberus/cerberus.go
- isAdminWhitelisted
Security config persistence: backend/internal/models/security_config.go
ACL enablement via settings: backend/internal/api/handlers/settings_handler.go
- SettingsHandler.UpdateSetting auto-enables feature.cerberus.enabled

Fix Options (Backend)

Make ACL bypass conditional on authenticated admin context by applying Cerberus after auth on protected routes.
Clear or override security.admin_whitelist when enabling ACL in test runs where the baseline must be blocked.
Add a dedicated ACL enforcement endpoint or status check that is not exempted by admin whitelist.

Phase 2 – Focused Remediation Plan (No Code Changes Yet)

Plan A: Diagnose `/api/v1/users` socket hang up

Confirm ACL and admin whitelist values immediately before test setup user creation.
Check server logs for Cerberus ACL blocks or upstream connection resets during POST /api/v1/users.
Validate that the request is authenticated and that Cerberus is not terminating the request before auth runs.

Acceptance Criteria

POST /api/v1/users consistently returns a 2xx or a structured 4xx, not a socket hang up.

Plan B: Emergency token baseline enforcement

Verify security.admin_whitelist contents before Test 1; ensure the test IP is not whitelisted.
Confirm security.acl.enabled and feature.cerberus.enabled are both true after the setup PATCH.
Re-run the baseline /api/v1/security/status request and verify 403 before applying the emergency token.

Acceptance Criteria

Baseline /api/v1/security/status returns 403 when ACL + Cerberus are enabled.
Emergency token bypass returns 200 for the same endpoint.

Phase 3 – Validation Plan

Re-run Chromium E2E suite.
Verify the two failing tests pass.
Capture updated results and include status evidence in QA report.

Risks & Notes

If security.admin_whitelist persists across suites, ACL baseline assertions will be bypassed.
If Cerberus runs before auth, ACL cannot distinguish authenticated admin setup calls from unauthenticated setup calls.

Next Steps

Execute the focused remediation steps above.
Re-run E2E tests and update docs/reports/qa_report.md.

Status: SUSPENDED - Supersededby critical production bug (Settings Query ID Leakage) Archive Date: 2026-01-28

5.1 KiB Raw Blame History Unescape Escape