fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests

P0 — Broken functionality: - Fix 12+ endpoints with wrong manager method signatures (email/calendar/file/routing) - Fix email_manager.delete_email_user() missing domain arg - Fix cell-link DNS forwarding wiped on every peer change (generate_corefile now accepts cell_links param; add/remove_cell_dns_forward no longer clobber the file) - Fix Flask SECRET_KEY regenerating on every restart (persisted to DATA_DIR) - Fix _next_peer_ip exhaustion returning 500 instead of 409 - Fix ConfigManager Caddyfile path (/app/config-caddy/) - Fix UI double-add and wrong-key peer bugs in Peers.jsx / WireGuard.jsx - Remove hardcoded credentials from Dashboard.jsx P1 — Security: - CSRF token validation on all POST/PUT/DELETE/PATCH to /api/* (double-submit pattern) - enforce_auth: 503 only when users file readable but empty; never bypass on IOError - WireGuard add_cell_peer: validate pubkey, name, endpoint against strict regexes - DNS add_cell_dns_forward: validate IP and domain; reject injection chars - DNS zone write: realpath containment + record content validation - iptables comment /32 suffix prevents substring match deleting wrong peer rules - is_local_request() trusts only loopback + 172.16.0.0/12 (Docker bridge) - POST /api/containers: volume allow-list prevents arbitrary host mounts - file_manager: bcrypt ($2b→$2y) for WebDAV; realpath containment in delete_user - email/calendar: stop persisting plaintext passwords in user records - routing_manager: validate IPs, networks, and interface names - peer_registry: write peers.json at mode 0o600 - vault_manager: Fernet key file at mode 0o600 - CORS: lock down to explicit origin list - domain/cell_name validation: reject newline, brace, semicolon injection chars P2 — Architecture: - Peer add: rollback registry entry if firewall rules fail post-add - restart_service(): base class now calls _restart_container(); email and calendar managers call cell-mail / cell-radicale respectively - email/calendar managers sync user list (no passwords) to cell_config.json - Pending-restart flag cleared only after helper subprocess exits with code 0 - docker-compose.yml: add config-caddy volume to API container P3 — Tests (854 → 1020): - Fill test_email_endpoints.py, test_calendar_endpoints.py, test_network_endpoints.py, test_routing_endpoints.py - New: test_peer_management_update.py, test_peer_management_edge_cases.py, test_input_validation.py, test_enforce_auth_configured.py, test_cell_link_dns.py, test_logs_endpoints.py, test_cells_endpoints.py, test_is_local_request_per_endpoint.py, test_caddy_routing.py - E2E conftest: skip WireGuard suite when wg-quick absent - Update existing tests to match fixed signatures and comment formats Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-27 11:30:21 -04:00
parent 0c12e3fc97
commit a43f9fbf0d
47 changed files with 4578 additions and 579 deletions
@@ -14,6 +14,7 @@ from datetime import datetime
 from typing import Dict, List, Optional, Tuple, Any
 import shutil
 import hashlib
+import bcrypt
 from base_service_manager import BaseServiceManager

 logger = logging.getLogger(__name__)
@@ -103,9 +104,18 @@ umask = 022
        if not username or not password:
            logger.error("Username and password must not be empty")
            return False
+        # Validate username — prevents path traversal in user_dir join below and
+        # injection of newlines / colons into the htpasswd-format auth file.
+        if not isinstance(username, str) or not re.match(r'^[A-Za-z0-9._-]{1,64}$', username):
+            logger.error(f"create_user: invalid username {username!r}")
+            return False
        try:
-            # Create user directory
-            user_dir = os.path.join(self.files_dir, username)
+            # Create user directory (containment check)
+            user_dir = os.path.realpath(os.path.join(self.files_dir, username))
+            files_root = os.path.realpath(self.files_dir)
+            if not user_dir.startswith(files_root + os.sep):
+                logger.error(f"create_user: path traversal for username {username!r}")
+                return False
            os.makedirs(user_dir, exist_ok=True)
            
            # Create default folders
@@ -115,8 +125,12 @@ umask = 022
            # Add user to auth file
            auth_file = os.path.join(self.webdav_dir, 'users')
            
-            # Generate password hash
-            password_hash = hashlib.sha256(password.encode()).hexdigest()
+            # Generate bcrypt hash; convert $2b$ -> $2y$ for Apache htpasswd compatibility
+            # (bytemark/webdav is Apache-based; htpasswd-bcrypt uses $2y$ prefix).
+            bcrypt_hash = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt()).decode('utf-8')
+            if bcrypt_hash.startswith('$2b$'):
+                bcrypt_hash = '$2y$' + bcrypt_hash[4:]
+            password_hash = bcrypt_hash
            
            with open(auth_file, 'a') as f:
                f.write(f"{username}:{password_hash}\n")
@@ -133,6 +147,10 @@ umask = 022
        if not username:
            logger.error("Username must not be empty")
            return False
+        # Validate username before any auth-file rewrite or filesystem ops
+        if not isinstance(username, str) or not re.match(r'^[A-Za-z0-9._-]{1,64}$', username):
+            logger.error(f"delete_user: invalid username {username!r}")
+            return False
        try:
            # Remove from auth file
            auth_file = os.path.join(self.webdav_dir, 'users')
@@ -145,8 +163,13 @@ umask = 022
                        if not line.startswith(f"{username}:"):
                            f.write(line)
            
-            # Remove user directory
-            user_dir = os.path.join(self.files_dir, username)
+            # Remove user directory — containment check prevents
+            # username='..' or 'foo/../../etc' from escaping files_dir.
+            user_dir = os.path.realpath(os.path.join(self.files_dir, username))
+            files_root = os.path.realpath(self.files_dir)
+            if not user_dir.startswith(files_root + os.sep):
+                logger.error(f"delete_user: path traversal for username {username!r}")
+                return False
            if os.path.exists(user_dir):
                shutil.rmtree(user_dir)
            
@@ -460,8 +483,15 @@ umask = 022
        if not username or not backup_path:
            logger.error("Username and backup_path must not be empty")
            return False
+        if not isinstance(username, str) or not re.match(r'^[A-Za-z0-9._-]{1,64}$', username):
+            logger.error(f"backup_user_files: invalid username {username!r}")
+            return False
        try:
-            user_dir = os.path.join(self.files_dir, username)
+            user_dir = os.path.realpath(os.path.join(self.files_dir, username))
+            files_root = os.path.realpath(self.files_dir)
+            if not user_dir.startswith(files_root + os.sep):
+                logger.error(f"backup_user_files: path traversal for username {username!r}")
+                return False
            
            if os.path.exists(user_dir):
                shutil.make_archive(backup_path, 'zip', user_dir)
@@ -480,8 +510,15 @@ umask = 022
        if not username or not backup_path:
            logger.error("Username and backup_path must not be empty")
            return False
+        if not isinstance(username, str) or not re.match(r'^[A-Za-z0-9._-]{1,64}$', username):
+            logger.error(f"restore_user_files: invalid username {username!r}")
+            return False
        try:
-            user_dir = os.path.join(self.files_dir, username)
+            user_dir = os.path.realpath(os.path.join(self.files_dir, username))
+            files_root = os.path.realpath(self.files_dir)
+            if not user_dir.startswith(files_root + os.sep):
+                logger.error(f"restore_user_files: path traversal for username {username!r}")
+                return False
            
            # Remove existing user directory
            if os.path.exists(user_dir):