fix: resolve 20 security vulnerabilities from comprehensive audit

Critical (1-3): - Replace hardcoded admin credentials with secure auto-generation (seed.py) - Enforce SECRET_KEY configuration, fail in production if missing (config.py) - Add Zip Slip and Zip Bomb protection to all ZIP import services High/Medium (4-9): - Add 50MB file size limit and extension whitelist to evidence uploads - Configure CORS origins via environment variable instead of hardcoded - Migrate JWT storage from localStorage to HttpOnly cookies (frontend+backend) - Add rate limiting (5/min) on login endpoint via slowapi - Replace generic dict payloads with Pydantic schemas (mass assignment) Medium (10-17): - Check is_active on login to prevent disabled users from authenticating - Sanitize exception messages in API responses (system, data_sources) - Escape LIKE wildcards in all ilike search filters across 8 routers - Run Docker container as non-root user (appuser) - Make MINIO_SECURE configurable via environment variable - Add password complexity policy (12+ chars, upper/lower/digit/special) - Implement JWT token revocation via in-memory blacklist + reduce TTL to 15min - Replace xml.etree with defusedxml to prevent Billion Laughs attacks Low (18-20): - Add security headers to Nginx (CSP, X-Frame-Options, HSTS-ready, etc.) - Disable Swagger UI/ReDoc/OpenAPI in production - Restrict /health endpoint to internal networks via Nginx ACL Also: rewrite install.sh as interactive wizard for guided deployment, fix test-from-template validation error (technique_id UUID vs MITRE ID)
2026-02-11 08:56:26 +01:00
parent e7e63161e8
commit 64d64080e0
36 changed files with 1154 additions and 311 deletions
--- a/backend/app/config.py
+++ b/backend/app/config.py
@@ -1,20 +1,46 @@
+import os
+import secrets
+import warnings
+
 from pydantic_settings import BaseSettings

+# ---------------------------------------------------------------------------
+# Detect environment: "production" when AEGIS_ENV or common indicators are set
+# ---------------------------------------------------------------------------
+_is_production = os.environ.get("AEGIS_ENV", "").lower() == "production" or bool(
+    os.environ.get("SECRET_KEY")  # having an explicit SECRET_KEY hints prod
+)
+

 class Settings(BaseSettings):
    DATABASE_URL: str = "postgresql://postgres:postgres@postgres:5432/attackdb"
-    SECRET_KEY: str = "change-me-in-production"
+
+    # ── Security ──────────────────────────────────────────────────────
+    # SECRET_KEY has NO safe default.  In development a random key is
+    # generated at startup (tokens invalidate on restart — acceptable
+    # for local dev).  In production it MUST be supplied via env/.env
+    # so tokens survive restarts.
+    SECRET_KEY: str = ""
    ALGORITHM: str = "HS256"
-    ACCESS_TOKEN_EXPIRE_MINUTES: int = 60
+    ACCESS_TOKEN_EXPIRE_MINUTES: int = 15  # short-lived for security; configurable via env
+
+    # ── CORS ─────────────────────────────────────────────────────────
+    # Comma-separated list of allowed origins, or a JSON array.
+    # In dev this defaults to common local ports; in production set it
+    # to the actual frontend domain(s).
+    CORS_ORIGINS: str = "http://localhost:3000,http://localhost:5173"
+
+    # ── MinIO / S3 ───────────────────────────────────────────────────
    MINIO_ENDPOINT: str = "minio:9000"
    MINIO_ACCESS_KEY: str = "minioadmin"
    MINIO_SECRET_KEY: str = "minioadmin"
    MINIO_BUCKET: str = "evidence"
+    MINIO_SECURE: bool = False  # True → use HTTPS to connect to MinIO

-    # Re-testing
+    # ── Re-testing ───────────────────────────────────────────────────
    MAX_RETEST_COUNT: int = 3  # maximum automatic retests per original test

-    # Scoring weights (must sum to 100)
+    # ── Scoring weights (must sum to 100) ────────────────────────────
    SCORING_WEIGHT_TESTS: int = 40
    SCORING_WEIGHT_DETECTION_RULES: int = 20
    SCORING_WEIGHT_D3FEND: int = 15
@@ -26,3 +52,29 @@ class Settings(BaseSettings):


 settings = Settings()
+
+# ---------------------------------------------------------------------------
+# Post-init validation for SECRET_KEY
+# ---------------------------------------------------------------------------
+_UNSAFE_SECRETS = {
+    "",
+    "change-me-in-production",
+    "change-me-in-production-use-a-long-random-string",
+}
+
+if settings.SECRET_KEY in _UNSAFE_SECRETS:
+    if _is_production:
+        raise RuntimeError(
+            "CRITICAL: SECRET_KEY is not configured.  "
+            "Set a strong random value (>= 32 chars) via the SECRET_KEY "
+            "environment variable or in your .env file before running in "
+            "production.  Example:  openssl rand -hex 32"
+        )
+    # Development: auto-generate an ephemeral key and warn
+    settings.SECRET_KEY = secrets.token_hex(32)
+    warnings.warn(
+        "SECRET_KEY was not set — using an auto-generated ephemeral key. "
+        "JWT tokens will be invalidated on every restart.  "
+        "Set SECRET_KEY in your environment for persistent sessions.",
+        stacklevel=2,
+    )