Security hardening: timing attacks, LDAP injection, auth guards, permissions #65

Open
xMinhx wants to merge 13 commits into accso:main from xMinhx:pr/security-hardening

xMinhx commented Jun 27, 2026

Collaborator

Summary

8 security fixes identified during a systematic audit of the codebase. Each commit addresses one finding and is self-contained.

Changes

  • C1 - Constant-time API key comparison via hmac.compare_digest (prevent timing side-channel attack)
  • C2 - LDAP injection prevention via username escaping
  • C3 - Guard dev-mode authentication behind IS_DEV flag
  • H1 - Permission check on DeleteProjectAPI (missing access control)
  • H2 - CVE ID format validation + request timeouts
  • H3/H4/M2/M3 - Rate limiting via Django REST throttling, dev credentials warning, CORS hardening, HTTPS-only session cookie
  • H5 - Template whitelist in HtmlView to prevent path traversal
  • L1/L2/L3 - Docker: non-root user, healthcheck, gunicorn env var defaults
  • M4 - (depends on 3-tier architecture PR, submitted separately)

Notes

  • Each commit is a single-file change (2-36 lines) for easy review
  • No functional changes beyond the security fix per commit

Dependencies

xMinhx changed the title from "Security hardening: timing attacks, LDAP injection, auth guards, permissions, and more" to "Security hardening: timing attacks, LDAP injection, auth guards, permissions" Jun 27, 2026
xMinhx added 12 commits June 27, 2026 15:45

- conftest.py patches requests.get + time.sleep in cve_fetcher module
- Skips mock for tests marked @pytest.mark.nvd_integration
- Moves test_cve_fetcher.py module-level code into fixtures
- pytest.ini excludes nvd_integration by default

66 tests now run in ~1s vs timing out at >120s

Use hmac.compare_digest for constant-time string comparison
to prevent timing side-channel attacks that could allow
an attacker to recover API keys character by character.

Fixes C1 from security audit.

Use ldap3.utils.conv.escape_filter_chars to escape special
characters in LDAP search filters before interpolation.
Prevents authentication bypass and data exfiltration via
crafted username values.

Fixes C2 from security audit.

Only allow hardcoded dev credentials when IS_DEV=True to
prevent accidental exposure in production. Use
hmac.compare_digest for constant-time password comparison
to prevent timing attacks on credential validation.

Fixes C3 from security audit.

Add IsAuthenticated and analyzer.delete_project permission
requirements to DeleteProjectAPI to prevent IDOR.
Any authenticated user could previously delete any project.

Fixes H1 from security audit.

Add regex validation for CVE ID format to prevent SSRF via
crafted CVE IDs. Add 30-second timeout to NVD and EPSS API
requests to prevent slow-loris DoS attacks.

Fixes H2 from security audit.

Add ALLOWED_TEMPLATES frozenset to HtmlView to prevent
template injection. Non-whitelisted template names are
logged and the login page is rendered instead. This
mitigates information disclosure via path traversal.

Fixes H5 from security audit.

L1: Use specific UID (1000) for baseuser to avoid permission
    issues with volume mounts.
L2: Add HEALTHCHECK instruction using Python urllib to verify
    the application is responding.
L3: Make gunicorn workers and threads configurable via
    GUNICORN_WORKERS and GUNICORN_THREADS env vars.

Fixes L1, L2, L3 from security audit.

H3: Add AnonRateThrottle and UserRateThrottle. Tighten login
    rate to 5/min to prevent brute-force attacks.
H4: Use secrets.token_urlsafe() to generate random dev
    credentials when not explicitly set. Log warning.
M2: Replace CORS_ALLOW_ALL_ORIGINS with explicit origins
    whitelist (already correct, but add dev origins).
M3: Add HTTPS enforcement settings (HSTS, SSL redirect,
    X-Frame-Options, content type nosniff) for production.

Fixes H3, H4, M2, M3 from security audit.

xMinhx force-pushed the pr/security-hardening branch from e0a5bf3 to 09f8279 June 27, 2026 18:45
xMinhx added the enhancement (New feature or request) and backend labels Jun 27, 2026
xMinhx linked an issue Jun 27, 2026 that may be closed by this pull request
xMinhx marked this pull request as ready for review June 27, 2026 19:16
xMinhx marked this pull request as draft June 27, 2026 21:51
xMinhx marked this pull request as ready for review June 27, 2026 22:33
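
The C2 change (escaping the username before it is interpolated into an LDAP search filter), as an added example that is not code from this pull request: it builds a filter with and without RFC 4515 escaping and reports which inputs would have altered the filter's structure. The escaper is a stdlib stand-in for `ldap3.utils.conv.escape_filter_chars` so the block runs without ldap3; the filter template, function names and sample usernames are assumptions made for illustration.

```python
# Added example for the C2 fix: RFC 4515 escaping of a username in an LDAP filter.
# Stdlib stand-in for ldap3.utils.conv.escape_filter_chars; FILTER_TEMPLATE and
# SAMPLE_USERNAMES are constructed for illustration, not taken from the project.
FILTER_TEMPLATE = "(&(objectClass=person)(uid={username}))"
SAMPLE_USERNAMES = ["jdoe", "*", "smith (ops)", "corp\\jdoe"]

# Backslash goes first so the escapes produced for the other characters
# are not escaped a second time.
_ESCAPES = (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00"))


def escape_filter_value(value: str) -> str:
    """Replace each filter metacharacter with its backslash-hex escape."""
    for char, escaped in _ESCAPES:
        value = value.replace(char, escaped)
    return value


def build_filter_unescaped(username: str) -> str:
    """The 'before' form: the raw username is interpolated into the filter."""
    return FILTER_TEMPLATE.format(username=username)


def build_filter(username: str) -> str:
    """The 'after' form: the username can only ever be a literal value."""
    return FILTER_TEMPLATE.format(username=escape_filter_value(username))


def active_metachars(filter_text: str) -> int:
    """Count raw parentheses and wildcards, which LDAP parses as filter syntax."""
    return sum(filter_text.count(c) for c in "()*")


def audit(usernames):
    """Return (username, escaped filter, would_have_changed_structure) rows."""
    baseline = active_metachars(FILTER_TEMPLATE)
    rows = []
    for name in usernames:
        changed = active_metachars(build_filter_unescaped(name)) != baseline
        rows.append((name, build_filter(name), changed))
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_USERNAMES):
        print(row)
```

The escaped filter always carries exactly the template's own parentheses and no wildcard, so a legitimate value such as `smith (ops)` still matches literally while `*` stops matching every entry.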

Development

Successfully merging this pull request may close these issues.

Improve authorization support
