stack

mosaic/stack

Fork 0

Commit Graph

Author	SHA1	Message	Date
Jason Woltje	596ec39442	fix(#277 ): Add comprehensive security event logging for command injection Some checks failed ci/woodpecker/push/woodpecker Pipeline failed Details Implemented comprehensive structured logging for all git command injection and SSRF attack attempts blocked by input validation. Security Events Logged: - GIT_COMMAND_INJECTION_BLOCKED: Invalid characters in branch names - GIT_OPTION_INJECTION_BLOCKED: Branch names starting with hyphen - GIT_RANGE_INJECTION_BLOCKED: Double dots in branch names - GIT_PATH_TRAVERSAL_BLOCKED: Path traversal patterns - GIT_DANGEROUS_PROTOCOL_BLOCKED: Dangerous protocols (file://, javascript:, etc) - GIT_SSRF_ATTEMPT_BLOCKED: Localhost/internal network URLs Log Structure: - event: Event type identifier - input: The malicious input that was blocked - reason: Human-readable reason for blocking - securityEvent: true (enables security monitoring) - timestamp: ISO 8601 timestamp Benefits: - Enables attack detection and forensic analysis - Provides visibility into attack patterns - Supports security monitoring and alerting - Captures attempted exploits before they reach git operations Testing: - All 31 validation tests passing - Quality gates: lint, typecheck, build all passing - Logging does not affect validation behavior (tests unchanged) Partial fix for #277. Additional logging areas (OIDC, rate limits) will be addressed in follow-up commits. Fixes #277 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-02-03 20:27:45 -06:00
Jason Woltje	7a84d96d72	fix(#274 ): Add input validation to prevent command injection in git operations Some checks failed ci/woodpecker/push/woodpecker Pipeline failed Details Implemented strict whitelist-based validation for git branch names and repository URLs to prevent command injection vulnerabilities in worktree operations. Security fixes: - Created git-validation.util.ts with whitelist validation functions - Added custom DTO validators for branch names and repository URLs - Applied defense-in-depth validation in WorktreeManagerService - Comprehensive test coverage (31 tests) for all validation scenarios Validation rules: - Branch names: alphanumeric + hyphens + underscores + slashes + dots only - Repository URLs: https://, http://, ssh://, git:// protocols only - Blocks: option injection (--), command substitution ($(), ``), shell operators - Prevents: SSRF attacks (localhost, internal networks), credential injection Defense layers: 1. DTO validation (first line of defense at API boundary) 2. Service-level validation (defense-in-depth before git operations) Fixes #274 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-02-03 20:17:47 -06:00

Author

SHA1

Message

Date

Jason Woltje

596ec39442

fix(#277 ): Add comprehensive security event logging for command injection

ci/woodpecker/push/woodpecker Pipeline failed

Details

Implemented comprehensive structured logging for all git command injection
and SSRF attack attempts blocked by input validation.

Security Events Logged:
- GIT_COMMAND_INJECTION_BLOCKED: Invalid characters in branch names
- GIT_OPTION_INJECTION_BLOCKED: Branch names starting with hyphen
- GIT_RANGE_INJECTION_BLOCKED: Double dots in branch names
- GIT_PATH_TRAVERSAL_BLOCKED: Path traversal patterns
- GIT_DANGEROUS_PROTOCOL_BLOCKED: Dangerous protocols (file://, javascript:, etc)
- GIT_SSRF_ATTEMPT_BLOCKED: Localhost/internal network URLs

Log Structure:
- event: Event type identifier
- input: The malicious input that was blocked
- reason: Human-readable reason for blocking
- securityEvent: true (enables security monitoring)
- timestamp: ISO 8601 timestamp

Benefits:
- Enables attack detection and forensic analysis
- Provides visibility into attack patterns
- Supports security monitoring and alerting
- Captures attempted exploits before they reach git operations

Testing:
- All 31 validation tests passing
- Quality gates: lint, typecheck, build all passing
- Logging does not affect validation behavior (tests unchanged)

Partial fix for #277. Additional logging areas (OIDC, rate limits) will
be addressed in follow-up commits.

Fixes #277

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-03 20:27:45 -06:00

Jason Woltje

7a84d96d72

fix(#274 ): Add input validation to prevent command injection in git operations

ci/woodpecker/push/woodpecker Pipeline failed

Details

Implemented strict whitelist-based validation for git branch names and
repository URLs to prevent command injection vulnerabilities in worktree
operations.

Security fixes:
- Created git-validation.util.ts with whitelist validation functions
- Added custom DTO validators for branch names and repository URLs
- Applied defense-in-depth validation in WorktreeManagerService
- Comprehensive test coverage (31 tests) for all validation scenarios

Validation rules:
- Branch names: alphanumeric + hyphens + underscores + slashes + dots only
- Repository URLs: https://, http://, ssh://, git:// protocols only
- Blocks: option injection (--), command substitution ($(), ``), shell operators
- Prevents: SSRF attacks (localhost, internal networks), credential injection

Defense layers:
1. DTO validation (first line of defense at API boundary)
2. Service-level validation (defense-in-depth before git operations)

Fixes #274

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-03 20:17:47 -06:00

2 Commits