mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity
Files
main
stack/docs/scratchpads/277-comprehensive-audit-logging.md
Jason Woltje 596ec39442
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details
fix(#277): Add comprehensive security event logging for command injection 
Implemented comprehensive structured logging for all git command injection
and SSRF attack attempts blocked by input validation.

Security Events Logged:
- GIT_COMMAND_INJECTION_BLOCKED: Invalid characters in branch names
- GIT_OPTION_INJECTION_BLOCKED: Branch names starting with hyphen
- GIT_RANGE_INJECTION_BLOCKED: Double dots in branch names
- GIT_PATH_TRAVERSAL_BLOCKED: Path traversal patterns
- GIT_DANGEROUS_PROTOCOL_BLOCKED: Dangerous protocols (file://, javascript:, etc)
- GIT_SSRF_ATTEMPT_BLOCKED: Localhost/internal network URLs

Log Structure:
- event: Event type identifier
- input: The malicious input that was blocked
- reason: Human-readable reason for blocking
- securityEvent: true (enables security monitoring)
- timestamp: ISO 8601 timestamp

Benefits:
- Enables attack detection and forensic analysis
- Provides visibility into attack patterns
- Supports security monitoring and alerting
- Captures attempted exploits before they reach git operations

Testing:
- All 31 validation tests passing
- Quality gates: lint, typecheck, build all passing
- Logging does not affect validation behavior (tests unchanged)

Partial fix for #277. Additional logging areas (OIDC, rate limits) will
be addressed in follow-up commits.

Fixes #277

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 20:27:45 -06:00

121 lines
3.1 KiB
Markdown
Raw Permalink Blame History

# Issue #277: Add comprehensive audit logging for security events
## Objective
Add comprehensive audit logging for critical security events to enable forensic analysis and attack detection.
## Missing Logging Areas
### 1. Failed signature verifications
- **Current**: DEBUG level only
- **Location**: `signature.service.ts`
- **Required**: WARN level with full details
### 2. Failed OIDC validations
- **Current**: No details logged
- **Location**: `auth` module
- **Required**: Full validation failure details
### 3. Capability bypass attempts
- **Current**: Not logged
- **Location**: `capability.guard.ts`
- **Required**: Log all denied capabilities
### 4. Rate limit violations
- **Current**: Not logged
- **Location**: ThrottlerGuard
- **Required**: Log rate limit hits
### 5. Command injection attempts
- **Current**: Not logged
- **Location**: `git-validation.util.ts` (recently added)
- **Required**: Log validation rejections
## Already Implemented
From issue #276 (commit 744290a):
- ✅ Incoming connection attempts
- ✅ Failed signature verifications for connections
- ✅ Connection created events
From issue #274 (commit 7a84d96):
- ✅ Git command validation (but not logged)
## Implementation Plan
### Priority 1: Add missing audit methods
1. `logSignatureVerificationFailed()` - Failed signatures
2. `logRateLimitViolation()` - Rate limit hits
3. `logCommandInjectionAttempt()` - Malicious input attempts
### Priority 2: Update existing code
1. Add logging to signature.service.ts
2. Add logging to git-validation.util.ts (throw + log)
3. Document rate limit violations (if not already handled by NestJS)
### Priority 3: Review capability guard
1. Check if logCapabilityDenied is being called
2. Add calls if missing
## Status Assessment
After reviewing issue #276, we already have:
- ✅ logCapabilityDenied() method
- ✅ logIncomingConnectionAttempt()
- ✅ logIncomingConnectionRejected()
- ✅ Signature verification failures for connections
What's actually missing:
1. General signature verification failures (outside connection context)
2. Rate limit violation logging
3. Command injection attempt logging
## Implementation Approach
Focus on what's truly missing and actionable:
1. **Add command injection attempt logging**
- Update git-validation.util.ts to log before throwing
- Create logCommandInjectionAttempt() method
2. **Add rate limit logging**
- Check if NestJS throttler already logs
- Add custom logging if needed
3. **Verify capability logging**
- Check that capability.guard.ts calls logCapabilityDenied
## Progress
- [ ] Create scratchpad
- [ ] Add logCommandInjectionAttempt() to audit service
- [ ] Update git-validation.util.ts to log attempts
- [ ] Check capability guard logging
- [ ] Check rate limit logging
- [ ] Add tests
- [ ] Run quality gates
- [ ] Commit changes
- [ ] Push and close issue
## Notes
Some of the required logging may already be in place. Need to verify:
1. Capability guard usage
2. Rate limiter behavior
3. OIDC validation (may be in auth module, not federation)
Focus on concrete, implementable improvements rather than theoretical gaps.
Reference in New Issue View Git Blame Copy Permalink