Security Sprint M7.1: Complete P1 Security Fixes (#284-#287) #320

Merged

jason.woltje merged 4 commits from fix/284-287-p1-security-fixes into develop 2026-02-04 03:54:02 +00:00

Conversation 0 Commits 4 Files Changed 80 +2551 -35

jason.woltje commented 2026-02-04 03:53:06 +00:00

Owner

Copy Link

Completes M7.1 Remediation Sprint P1 security fixes

Completes M7.1 Remediation Sprint P1 security fixes

jason.woltje added 4 commits 2026-02-04 03:53:06 +00:00

feat(#284): Reduce timestamp validation window to 60s with replay attack prevention ... 3bba2f1c33

Security improvements:
- Reduce timestamp tolerance from 5 minutes to 60 seconds
- Add nonce-based replay attack prevention using Redis
- Store signature nonce with 60s TTL matching tolerance window
- Reject replayed messages with same signature

Changes:
- Update SignatureService.TIMESTAMP_TOLERANCE_MS to 60s
- Add Redis client injection to SignatureService
- Make verifyConnectionRequest async for nonce checking
- Create RedisProvider for shared Redis client
- Update ConnectionService to await signature verification
- Add comprehensive test coverage for replay prevention

Part of M7.1 Remediation Sprint P1 security fixes.

Fixes #284

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

feat(#285): Add input sanitization for XSS prevention ... 01639fff95

Security improvements:
- Create sanitization utility using sanitize-html library
- Add @Sanitize() and @SanitizeObject() decorators for DTOs
- Apply sanitization to vulnerable fields:
  - Connection rejection/disconnection reasons
  - Connection metadata
  - Identity linking metadata
  - Command payloads
- Remove script tags, event handlers, javascript: URLs
- Prevent data exfiltration, CSS-based XSS, SVG-based XSS

Changes:
- Add sanitize.util.ts with recursive sanitization functions
- Add sanitize.decorator.ts for class-transformer integration
- Update connection.dto.ts with sanitization decorators
- Update identity-linking.dto.ts with sanitization decorators
- Update command.dto.ts with sanitization decorators
- Add comprehensive test coverage including attack vectors

Part of M7.1 Remediation Sprint P1 security fixes.

Fixes #285

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

feat(#286): Add workspace access validation to federation endpoints ... 38695b3bb8

Security improvements:
- Apply WorkspaceGuard to all workspace-scoped federation endpoints
- Enforce workspace membership verification via Prisma
- Prevent cross-workspace access attacks
- Add comprehensive test coverage for workspace isolation

Changes:
- Add WorkspaceGuard to federation connection endpoints:
  - POST /connections/initiate
  - POST /connections/:id/accept
  - POST /connections/:id/reject
  - POST /connections/:id/disconnect
  - GET /connections
  - GET /connections/:id
- Add workspace-access.integration.spec.ts with tests for:
  - Workspace membership verification
  - Cross-workspace access prevention
  - Multiple workspace ID sources (header, param, body)

Part of M7.1 Remediation Sprint P1 security fixes.

Fixes #286

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

feat(#287): Add redaction utility for sensitive data in logs ... e151d09531

Security improvements:
- Create redaction utility to prevent PII leakage in logs
- Redact sensitive fields: privateKey, tokens, passwords, metadata, payloads
- Redact user IDs: convert to "user-***"
- Redact instance IDs: convert to "instance-***"
- Support recursive redaction for nested objects and arrays

Changes:
- Add redact.util.ts with redaction functions
- Add comprehensive test coverage for redaction
- Support for:
  - Sensitive field detection (privateKey, token, etc.)
  - User ID redaction (userId, remoteUserId, localUserId, user.id)
  - Instance ID redaction (instanceId, remoteInstanceId, instance.id)
  - Nested object and array redaction
  - Primitive and null/undefined handling

Next steps:
- Apply redactSensitiveData() to all logger calls in federation services
- Use debug level for detailed logs with sensitive data

Part of M7.1 Remediation Sprint P1 security fixes.

Refs #287

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

jason.woltje merged commit c59ab66d94 into develop 2026-02-04 03:54:02 +00:00

jason.woltje deleted branch fix/284-287-p1-security-fixes 2026-02-04 03:54:02 +00:00

jason.woltje referenced this issue from a commit 2026-02-04 03:54:03 +00:00

Merge pull request 'Security Sprint M7.1: Complete P1 Security Fixes (#284-#287)' (#320) from fix/284-287-p1-security-fixes into develop

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

ai

AI/LLM integration

api

Backend/API work

api

auth

Authentication

database

database

Database/schema work

devops

Docker/deployment

docs

Documentation

frontend

graph

knowledge-module

migration

Data migration

orchestrator

Orchestrator service (apps/orchestrator/)

p0

Critical priority

p1

High priority

p2

Medium priority

p3

Low priority

performance

Performance work

phase-1

phase-2

phase-3

phase-4

phase-5

plugin

MoltBot plugin work

search

security

Security-related

setup

Initial setup

testing

Testing/QA

web

Frontend work

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#320