Kitos
64d64080e0
Critical (1-3): - Replace hardcoded admin credentials with secure auto-generation (seed.py) - Enforce SECRET_KEY configuration, fail in production if missing (config.py) - Add Zip Slip and Zip Bomb protection to all ZIP import services High/Medium (4-9): - Add 50MB file size limit and extension whitelist to evidence uploads - Configure CORS origins via environment variable instead of hardcoded - Migrate JWT storage from localStorage to HttpOnly cookies (frontend+backend) - Add rate limiting (5/min) on login endpoint via slowapi - Replace generic dict payloads with Pydantic schemas (mass assignment) Medium (10-17): - Check is_active on login to prevent disabled users from authenticating - Sanitize exception messages in API responses (system, data_sources) - Escape LIKE wildcards in all ilike search filters across 8 routers - Run Docker container as non-root user (appuser) - Make MINIO_SECURE configurable via environment variable - Add password complexity policy (12+ chars, upper/lower/digit/special) - Implement JWT token revocation via in-memory blacklist + reduce TTL to 15min - Replace xml.etree with defusedxml to prevent Billion Laughs attacks Low (18-20): - Add security headers to Nginx (CSP, X-Frame-Options, HSTS-ready, etc.) - Disable Swagger UI/ReDoc/OpenAPI in production - Restrict /health endpoint to internal networks via Nginx ACL Also: rewrite install.sh as interactive wizard for guided deployment, fix test-from-template validation error (technique_id UUID vs MITRE ID)
25 lines
271 B
Plaintext
25 lines
271 B
Plaintext
fastapi
|
|
uvicorn[standard]
|
|
sqlalchemy
|
|
psycopg2-binary
|
|
alembic
|
|
python-jose[cryptography]
|
|
passlib[bcrypt]
|
|
bcrypt==4.0.1
|
|
boto3
|
|
apscheduler
|
|
requests
|
|
pyyaml
|
|
pySigma
|
|
toml
|
|
taxii2-client
|
|
python-multipart
|
|
pydantic-settings
|
|
slowapi
|
|
defusedxml
|
|
|
|
# Testing
|
|
pytest
|
|
pytest-asyncio
|
|
httpx
|