fix(security): resolve Snyk Code findings — Tar Slip, Path Traversal, Open Redirect, XSS

Tar Slip (CWE-22) — 3 import services:
  threat_actor, lolbas, caldera: add path validation before extractall()
  to prevent malicious zip members with ../ escaping the target directory.
  (sigma, elastic, atomic already had this protection)

Path Traversal (CWE-23) — professional_reports.py:
  Add _assert_safe_report_path() check on all 5 report endpoints to
  verify the generated filepath stays within REPORT_OUTPUT_DIR.

Open Redirect (CWE-601) — sso.py:
  Validate IdP redirect URL scheme (must be http/https) before
  issuing RedirectResponse, blocking javascript: and data: redirects.

DOM XSS (CWE-79) — 4 frontend pages:
  Create src/utils/url.ts with safeUrl() that rejects non-http/https
  protocols; apply to actor.mitre_url, ref.url, intel.url.
  Sanitize framework name to alphanumeric-only before DOM insertion.
  Restrict evidence MIME types to an explicit safe allowlist (png/jpg/gif/webp).

Hardcoded credentials (CWE-798):
  verify_gaps.py, create_wiki.py: replace literal passwords with
  environment variable reads (AEGIS_ADMIN_PASSWORD, GITEA_PASSWORD).
kitos
2026-06-12 13:15:36 +02:00
parent f54dc0d342
commit dcd4bebc92
12 changed files with 82 additions and 28 deletions
+4 -2
@@ -4,9 +4,11 @@ Verify Phase 13 gap fixes:
2. evaluate_all_rules creates in-app notifications for admins
3. webhook dispatch_webhook_targeted exists and is callable
"""
import os
import requests, sys
BASE = "http://localhost:8000/api/v1"
BASE = os.environ.get("AEGIS_BASE_URL", "http://localhost:8000/api/v1")
ADMIN_PASSWORD = os.environ.get("AEGIS_ADMIN_PASSWORD", "admin123")
PASS = "\033[92m✓\033[0m"
FAIL = "\033[91m✗\033[0m"
passed = 0
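Review bot: The new `ADMIN_PASSWORD = os.environ.get("AEGIS_ADMIN_PASSWORD", "admin123")` line keeps the literal password as its fallback, so the credential is still in the source and is still used whenever the variable is unset, which is the CWE-798 condition the commit message says it removes. Drop the default and exit with a clear error when `AEGIS_ADMIN_PASSWORD` is missing, so the script never runs with a known password. The `AEGIS_BASE_URL` override is also undocumented; a line in the module docstring naming both variables would help.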
@@ -51,7 +53,7 @@ def main():
# ── Gap 2: in-app notifications dispatched ────────────────────────────────
print("── Gap 2: In-app notifications on alert fire ──")
tok = requests.post(f"{BASE}/auth/login",
data={"username": "administrator", "password": "admin123"})
data={"username": "administrator", "password": ADMIN_PASSWORD})
if tok.status_code != 200:
print(f" Login failed: {tok.text}"); sys.exit(1)
h = {"Authorization": f"Bearer {tok.json().get('access_token')}"}
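Review bot: The login call `requests.post(f"{BASE}/auth/login", ...)` now sends `ADMIN_PASSWORD` to whatever `AEGIS_BASE_URL` points at, and the default base is plain `http://`, so pointing the script at a non-local host would put the admin password on the wire in cleartext. Consider refusing, or at least warning, when `BASE` is not https and the host is not localhost. The call also has no `timeout=`, so an unreachable host makes the check hang rather than fail.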