feat(#284): Reduce timestamp validation window to 60s with replay attack prevention
Security improvements:
- Reduce timestamp tolerance from 5 minutes to 60 seconds
- Add nonce-based replay attack prevention using Redis
- Store signature nonce with 60s TTL matching tolerance window
- Reject replayed messages with same signature

Changes:
- Update SignatureService.TIMESTAMP_TOLERANCE_MS to 60s
- Add Redis client injection to SignatureService
- Make verifyConnectionRequest async for nonce checking
- Create RedisProvider for shared Redis client
- Update ConnectionService to await signature verification
- Add comprehensive test coverage for replay prevention

Part of M7.1 Remediation Sprint P1 security fixes.

Fixes #284

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
73
docs/scratchpads/p1-security-fixes.md
Normal file
@@ -0,0 +1,73 @@
|
||||
# M7.1 P1 Security Fixes (#283-#290)
|
||||
|
||||
## Objective
|
||||
|
||||
Complete remaining P1 security issues in M7.1 Remediation Sprint
|
||||
|
||||
## Issues to Fix
|
||||
|
||||
### #283 - Enforce connection status validation in queries
|
||||
|
||||
- **Impact**: Authorization gap - operations proceed on non-ACTIVE connections
|
||||
- **Fix**: Add status check to Prisma queries
|
||||
- **Files**: command.service.ts, query.service.ts
|
||||
|
||||
### #284 - Reduce timestamp validation window
|
||||
|
||||
- **Impact**: 5-minute replay attack window
|
||||
- **Fix**: Reduce to 60s + add nonce tracking with Redis
|
||||
- **Files**: signature.service.ts
|
||||
|
||||
### #285 - Add input sanitization
|
||||
|
||||
- **Impact**: XSS risk on user-controlled fields
|
||||
- **Fix**: Sanitize connection metadata, identity metadata, rejection reasons, command payloads
|
||||
- **Files**: Multiple DTOs and services
|
||||
|
||||
### #286 - Add workspace access validation guard
|
||||
|
||||
- **Impact**: Authorization gap - no workspace membership validation
|
||||
- **Fix**: Create WorkspaceAccessGuard
|
||||
- **Files**: New guard + controllers
|
||||
|
||||
### #287 - Prevent sensitive data in logs
|
||||
|
||||
- **Impact**: Data leakage, PII exposure, GDPR violations
|
||||
- **Fix**: Use appropriate log levels + redact sensitive data
|
||||
- **Files**: All federation services
|
||||
|
||||
### #288 - Upgrade RSA key size
|
||||
|
||||
- **Impact**: Future-proofing against quantum computing
|
||||
- **Fix**: Change from 2048 to 4096 bits
|
||||
- **Files**: federation.service.ts
|
||||
|
||||
### #289 - Prevent private key decryption error leaks
|
||||
|
||||
- **Impact**: Sensitive data in error messages
|
||||
- **Fix**: Don't log error details with potential sensitive data
|
||||
- **Files**: crypto.service.ts
|
||||
|
||||
### #290 - Secure identity verification endpoint
|
||||
|
||||
- **Impact**: Public endpoint with no auth
|
||||
- **Fix**: Add AuthGuard + rate limiting
|
||||
- **Files**: identity-linking.controller.ts
|
||||
|
||||
## Progress
|
||||
|
||||
- [ ] #283 - Connection status validation
|
||||
- [ ] #284 - Timestamp validation window
|
||||
- [ ] #285 - Input sanitization
|
||||
- [ ] #286 - Workspace access guard
|
||||
- [ ] #287 - Sensitive data in logs
|
||||
- [ ] #288 - RSA key size upgrade
|
||||
- [ ] #289 - Decryption error leaks
|
||||
- [ ] #290 - Identity endpoint security
|
||||
|
||||
## Testing Strategy
|
||||
|
||||
- Minimum 85% coverage for all changes
|
||||
- TDD approach: write tests first
|
||||
- Security-focused test cases
|
||||
- Integration tests for guards and validation
|
||||
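Review bot: The Progress list still shows `- [ ] #284 - Timestamp validation window` unchecked, although the commit message says "Fixes #284"; tick it in this commit or drop the "Fixes" trailer so the tracker and the scratchpad agree. The #284 entry also lists only signature.service.ts under Files, while the commit message names a new RedisProvider and a ConnectionService change, so the file list should be extended to match. On the fix itself, the message gives the nonce a 60s TTL "matching tolerance window": if the timestamp check also accepts timestamps up to 60s in the future, a signature can stay within tolerance after its nonce has expired, so the scratchpad should state whether the window is one-sided or whether the TTL covers both sides. Separately, the #288 Impact line ("Future-proofing against quantum computing") does not fit the fix: moving RSA from 2048 to 4096 bits raises the classical security margin but gives no meaningful protection against a quantum attacker, so reword the impact or track post-quantum migration as its own item.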