Harden input validation (security audit)#7
Merged
Conversation
…ety state out of /tmp
Security audit follow-up. The toolkit is parameterized non-interactively (panel/
orchestrator), so unvalidated ENV is a real vector, not just root-to-root.
- Validate SYN/UDP/CONN/ICMP/PORTSCAN/SAFETY_DELAY as uint and SSH_BAN_TIME/
PORTSCAN_BAN_TIME as durations before they hit the nft ruleset; SAFETY_DELAY also
reached an sh -c (the only shell-eval sink) — now validated + passed positionally.
- WHITELIST IPv6 branch now strictly validated like IPv4 (previously any ':'-string
went verbatim into the nft 'elements = {…}' heredoc — rule injection).
- Safety-timer pid/log moved from predictable /tmp to root-only $STATE_DIR (symlink/
TOCTOU), with a '! -L' check before reading the pid.
- CrowdSec installer curl -s -> -fsSL (fail closed on HTTP error/redirect).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
NA_REF is interpolated into the module download URL; restrict to [A-Za-z0-9._/-] and reject '..' so it can't be steered to another repo. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Security-хардинг входной валидации (по итогам аудита)
Прогнал аудит двумя независимыми аудиторами (бэкдоры/эксфильтрация + инъекции/привилегии). Бэкдоров, эксфильтрации, скрытых кредов — нет. Реальные находки — пробелы валидации ENV; т.к. тулкит параметризуется неинтерактивно из панели/оркестратора, это не «root сам себе», а вектор компрометации ноды тем, кто заполняет поля.
Фиксы
SAFETY_DELAY→sh -c(единственный shell-eval-сток): валидируется как uint + передаётся позиционным аргументом.WHITELISTIPv6: раньше любая строка с:уходила дословно в nftelements = { … }(инъекция правил) — теперь строгий regex, как у IPv4.*_BAN_TIME(SYN_RATE/CONN_LIMIT/ICMP_*/PORTSCAN_*/…): валидируются перед попаданием в nft-heredoc.NA_REF(install.sh):^[A-Za-z0-9._/-]+$без..— раньше допускал path-traversal в URL модулей./tmp→ root-only$STATE_DIR(симлинк/TOCTOU),! -Lперед чтением pid.curl -s→-fsSL(fail-closed).Образцовое — не трогал
Проверка полного fingerprint ключа XanMod,
validate_port_list/_is_port,nft -cпередnft -f,signed-by, single-quotedsh -cв optimize.sh — оставлено как есть.Не закрыто (вне scope, рекомендация): жёсткий пиннинг CrowdSec через их APT-репо вместо curl|bash; SHA-пиннинг модулей в install.sh;
deb.xanmod.orgпо https.