fix: resolve 20 security vulnerabilities from comprehensive audit

Critical (1-3): - Replace hardcoded admin credentials with secure auto-generation (seed.py) - Enforce SECRET_KEY configuration, fail in production if missing (config.py) - Add Zip Slip and Zip Bomb protection to all ZIP import services High/Medium (4-9): - Add 50MB file size limit and extension whitelist to evidence uploads - Configure CORS origins via environment variable instead of hardcoded - Migrate JWT storage from localStorage to HttpOnly cookies (frontend+backend) - Add rate limiting (5/min) on login endpoint via slowapi - Replace generic dict payloads with Pydantic schemas (mass assignment) Medium (10-17): - Check is_active on login to prevent disabled users from authenticating - Sanitize exception messages in API responses (system, data_sources) - Escape LIKE wildcards in all ilike search filters across 8 routers - Run Docker container as non-root user (appuser) - Make MINIO_SECURE configurable via environment variable - Add password complexity policy (12+ chars, upper/lower/digit/special) - Implement JWT token revocation via in-memory blacklist + reduce TTL to 15min - Replace xml.etree with defusedxml to prevent Billion Laughs attacks Low (18-20): - Add security headers to Nginx (CSP, X-Frame-Options, HSTS-ready, etc.) - Disable Swagger UI/ReDoc/OpenAPI in production - Restrict /health endpoint to internal networks via Nginx ACL Also: rewrite install.sh as interactive wizard for guided deployment, fix test-from-template validation error (technique_id UUID vs MITRE ID)
2026-02-11 08:56:26 +01:00
parent e7e63161e8
commit 64d64080e0
36 changed files with 1154 additions and 311 deletions
--- a/backend/app/dependencies/auth.py
+++ b/backend/app/dependencies/auth.py
@@ -2,25 +2,32 @@
 Authentication and RBAC dependencies for FastAPI.

 Provides:
- ``get_current_user``: decodes JWT, fetches user from DB, raises 401 on failure.
+- ``get_current_user``: decodes JWT from HttpOnly cookie (preferred) or
+  Authorization header (fallback), fetches user from DB, raises 401 on failure.
 - ``require_role``: factory that returns a dependency enforcing a specific role
  (admins always pass).
 """

-from fastapi import Depends, HTTPException, status
+from typing import Optional
+
+from fastapi import Cookie, Depends, HTTPException, status
 from fastapi.security import OAuth2PasswordBearer
 from jose import JWTError, jwt
 from sqlalchemy.orm import Session

+from app.auth import is_token_blacklisted
 from app.config import settings
 from app.database import get_db
 from app.models.user import User

 # ---------------------------------------------------------------------------
-# OAuth2 scheme
+# OAuth2 scheme (reads Authorization header — used as fallback / Swagger UI)
 # ---------------------------------------------------------------------------

-oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/v1/auth/login")
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/v1/auth/login", auto_error=False)
+
+# Cookie name — must match the one set in the auth router
+_COOKIE_NAME = "aegis_token"

 # ---------------------------------------------------------------------------
 # Current-user dependency
@@ -28,12 +35,19 @@ oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/v1/auth/login")


 async def get_current_user(
-    token: str = Depends(oauth2_scheme),
+    aegis_token: Optional[str] = Cookie(None),
+    bearer_token: Optional[str] = Depends(oauth2_scheme),
    db: Session = Depends(get_db),
 ) -> User:
-    """Decode the JWT *token*, look up the user in *db*, and return it.
+    """Decode the JWT, look up the user in *db*, and return it.
+
+    Token resolution order:
+    1. ``aegis_token`` **HttpOnly cookie** (preferred — immune to XSS).
+    2. ``Authorization: Bearer <token>`` header (fallback for API clients
+       and Swagger UI).

    Raises :class:`~fastapi.HTTPException` **401** when:
+    - no token is found in either location,
    - the token cannot be decoded,
    - the ``sub`` claim is missing, or
    - no matching active user exists in the database.
@@ -44,6 +58,11 @@ async def get_current_user(
        headers={"WWW-Authenticate": "Bearer"},
    )

+    # Prefer cookie, fall back to header
+    token = aegis_token or bearer_token
+    if token is None:
+        raise credentials_exception
+
    try:
        payload = jwt.decode(
            token,
@@ -53,11 +72,15 @@ async def get_current_user(
        username: str | None = payload.get("sub")
        if username is None:
            raise credentials_exception
+        # Check token blacklist (revoked tokens)
+        jti: str | None = payload.get("jti")
+        if jti and is_token_blacklisted(jti):
+            raise credentials_exception
    except JWTError:
        raise credentials_exception

    user = db.query(User).filter(User.username == username).first()
-    if user is None:
+    if user is None or not user.is_active:
        raise credentials_exception

    return user