fix: resolve 20 security vulnerabilities from comprehensive audit

Critical (1-3): - Replace hardcoded admin credentials with secure auto-generation (seed.py) - Enforce SECRET_KEY configuration, fail in production if missing (config.py) - Add Zip Slip and Zip Bomb protection to all ZIP import services High/Medium (4-9): - Add 50MB file size limit and extension whitelist to evidence uploads - Configure CORS origins via environment variable instead of hardcoded - Migrate JWT storage from localStorage to HttpOnly cookies (frontend+backend) - Add rate limiting (5/min) on login endpoint via slowapi - Replace generic dict payloads with Pydantic schemas (mass assignment) Medium (10-17): - Check is_active on login to prevent disabled users from authenticating - Sanitize exception messages in API responses (system, data_sources) - Escape LIKE wildcards in all ilike search filters across 8 routers - Run Docker container as non-root user (appuser) - Make MINIO_SECURE configurable via environment variable - Add password complexity policy (12+ chars, upper/lower/digit/special) - Implement JWT token revocation via in-memory blacklist + reduce TTL to 15min - Replace xml.etree with defusedxml to prevent Billion Laughs attacks Low (18-20): - Add security headers to Nginx (CSP, X-Frame-Options, HSTS-ready, etc.) - Disable Swagger UI/ReDoc/OpenAPI in production - Restrict /health endpoint to internal networks via Nginx ACL Also: rewrite install.sh as interactive wizard for guided deployment, fix test-from-template validation error (technique_id UUID vs MITRE ID)
2026-02-11 08:56:26 +01:00
parent e7e63161e8
commit 64d64080e0
36 changed files with 1154 additions and 311 deletions
--- a/backend/app/routers/tests.py
+++ b/backend/app/routers/tests.py
@@ -109,7 +109,8 @@ def list_tests(
    if technique_id:
        query = query.filter(Test.technique_id == technique_id)
    if platform:
-        query = query.filter(Test.platform.ilike(f"%{platform}%"))
+        from app.utils import escape_like
+        query = query.filter(Test.platform.ilike(f"%{escape_like(platform)}%"))
    if created_by:
        query = query.filter(Test.created_by == created_by)
    if pending_validation_side == "red":
@@ -200,15 +201,25 @@ def create_test_from_template(
            detail=f"TestTemplate with id '{payload.template_id}' not found",
        )

-    technique = db.query(Technique).filter(Technique.id == payload.technique_id).first()
+    # Resolve technique_id: accept both UUID and MITRE ID (e.g. "T1059.001")
+    technique = None
+    try:
+        technique_uuid = uuid.UUID(payload.technique_id)
+        technique = db.query(Technique).filter(Technique.id == technique_uuid).first()
+    except ValueError:
+        pass
+
+    if technique is None:
+        technique = db.query(Technique).filter(Technique.mitre_id == payload.technique_id).first()
+
    if technique is None:
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND,
-            detail=f"Technique with id '{payload.technique_id}' not found",
+            detail=f"Technique '{payload.technique_id}' not found",
        )

    test = Test(
-        technique_id=payload.technique_id,
+        technique_id=technique.id,
        name=template.name,
        description=template.description,
        platform=template.platform,