Jason Woltje
3bba2f1c33
Security improvements: - Reduce timestamp tolerance from 5 minutes to 60 seconds - Add nonce-based replay attack prevention using Redis - Store signature nonce with 60s TTL matching tolerance window - Reject replayed messages with same signature Changes: - Update SignatureService.TIMESTAMP_TOLERANCE_MS to 60s - Add Redis client injection to SignatureService - Make verifyConnectionRequest async for nonce checking - Create RedisProvider for shared Redis client - Update ConnectionService to await signature verification - Add comprehensive test coverage for replay prevention Part of M7.1 Remediation Sprint P1 security fixes. Fixes #284 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2.1 KiB
2.1 KiB
M7.1 P1 Security Fixes (#283-#290)
Objective
Complete remaining P1 security issues in M7.1 Remediation Sprint
Issues to Fix
#283 - Enforce connection status validation in queries
- Impact: Authorization gap - operations proceed on non-ACTIVE connections
- Fix: Add status check to Prisma queries
- Files: command.service.ts, query.service.ts
#284 - Reduce timestamp validation window
- Impact: 5-minute replay attack window
- Fix: Reduce to 60s + add nonce tracking with Redis
- Files: signature.service.ts
#285 - Add input sanitization
- Impact: XSS risk on user-controlled fields
- Fix: Sanitize connection metadata, identity metadata, rejection reasons, command payloads
- Files: Multiple DTOs and services
#286 - Add workspace access validation guard
- Impact: Authorization gap - no workspace membership validation
- Fix: Create WorkspaceAccessGuard
- Files: New guard + controllers
#287 - Prevent sensitive data in logs
- Impact: Data leakage, PII exposure, GDPR violations
- Fix: Use appropriate log levels + redact sensitive data
- Files: All federation services
#288 - Upgrade RSA key size
- Impact: Future-proofing against quantum computing
- Fix: Change from 2048 to 4096 bits
- Files: federation.service.ts
#289 - Prevent private key decryption error leaks
- Impact: Sensitive data in error messages
- Fix: Don't log error details with potential sensitive data
- Files: crypto.service.ts
#290 - Secure identity verification endpoint
- Impact: Public endpoint with no auth
- Fix: Add AuthGuard + rate limiting
- Files: identity-linking.controller.ts
Progress
- #283 - Connection status validation
- #284 - Timestamp validation window
- #285 - Input sanitization
- #286 - Workspace access guard
- #287 - Sensitive data in logs
- #288 - RSA key size upgrade
- #289 - Decryption error leaks
- #290 - Identity endpoint security
Testing Strategy
- Minimum 85% coverage for all changes
- TDD approach: write tests first
- Security-focused test cases
- Integration tests for guards and validation