Jason Woltje
a9254c1bd8
ci/woodpecker/pr/woodpecker Pipeline failed
ci/woodpecker/push/woodpecker Pipeline failed
fix(#277): Add comprehensive security event logging for command injection
Implemented comprehensive structured logging for all git command injection
and SSRF attack attempts blocked by input validation.
Security Events Logged:
- GIT_COMMAND_INJECTION_BLOCKED: Invalid characters in branch names
- GIT_OPTION_INJECTION_BLOCKED: Branch names starting with hyphen
- GIT_RANGE_INJECTION_BLOCKED: Double dots in branch names
- GIT_PATH_TRAVERSAL_BLOCKED: Path traversal patterns
- GIT_DANGEROUS_PROTOCOL_BLOCKED: Dangerous protocols (file://, javascript:, etc)
- GIT_SSRF_ATTEMPT_BLOCKED: Localhost/internal network URLs
Log Structure:
- event: Event type identifier
- input: The malicious input that was blocked
- reason: Human-readable reason for blocking
- securityEvent: true (enables security monitoring)
- timestamp: ISO 8601 timestamp
Benefits:
- Enables attack detection and forensic analysis
- Provides visibility into attack patterns
- Supports security monitoring and alerting
- Captures attempted exploits before they reach git operations
Testing:
- All 31 validation tests passing
- Quality gates: lint, typecheck, build all passing
- Logging does not affect validation behavior (tests unchanged)
Partial fix for #277. Additional logging areas (OIDC, rate limits) will
be addressed in follow-up commits.
Fixes #277
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 20:27:28 -06:00
..
2026-02-03 20:17:47 -06:00
2026-02-03 12:44:04 -06:00
2026-02-03 12:44:04 -06:00
2026-02-03 20:27:28 -06:00
2026-02-03 12:44:04 -06:00
2026-02-02 13:16:19 -06:00
2026-02-03 12:44:04 -06:00
2026-02-03 12:44:04 -06:00
2026-02-03 12:44:04 -06:00
2026-02-03 12:44:04 -06:00
2026-02-02 13:16:19 -06:00