Skip to content

test(security): OWASP Top 10 security audit + path traversal fix#4

Open
gracefullight wants to merge 1 commit intomainfrom
symphony/FIR-48
Open

test(security): OWASP Top 10 security audit + path traversal fix#4
gracefullight wants to merge 1 commit intomainfrom
symphony/FIR-48

Conversation

@gracefullight
Copy link
Member

@gracefullight gracefullight commented Mar 21, 2026

Summary

  • Add 51 comprehensive security tests covering OWASP Top 10 categories (A01–A09)
  • Fix path traversal vulnerability in WorkspaceManager.deriveKey() — consecutive dots (..) after character substitution could bypass workspace isolation
  • Test agent environment isolation ensuring Symphony secrets (LINEAR_API_KEY, LINEAR_WEBHOOK_SECRET) are never leaked to agent subprocesses

Security Findings

CRITICAL

  • Path traversal in workspace key derivationderiveKey("../../etc/passwd") produced ".._.._.._etc_passwd" which still contained .. (FIXED)

HIGH

  • No rate limiting on webhook endpoint — DoS vector (documented in tests, requires infrastructure-level mitigation)
  • No authentication on /status endpoint — exposes active workspace info to unauthenticated callers

MEDIUM

  • No webhook team scoping — webhook events from other teams are processed (team filtering should be added at orchestrator level)
  • No webhook replay protection — replayed webhooks with valid signatures would be re-processed

LOW

  • No X-Content-Type-Options security header on responses
  • No source IP logging for webhook requests (forensic gap)

Test plan

  • All 151 tests pass (100 existing + 51 new security tests)
  • validate.sh architecture check passes
  • Path traversal fix verified: .. sequences collapsed to single .
  • Agent env isolation verified: Symphony secrets excluded from subprocess env

🤖 Generated with Claude Code

@gracefullight @claude
test(security): OWASP Top 10 security audit with 51 tests + path trav…
40e9d73 
…ersal fix

- Add comprehensive security test suite covering OWASP Top 10 categories:
  A01 (Broken Access Control), A02 (Cryptographic Failures),
  A03 (Injection), A04 (Insecure Design), A05 (Security Misconfiguration),
  A07 (Rate Limiting), A08 (Data Integrity), A09 (Logging)
- Test cross-user access scoping and workspace isolation
- Test agent environment isolation (secret leakage prevention)
- Test template/prompt/command injection sanitization
- Fix path traversal vulnerability in WorkspaceManager.deriveKey():
  collapse consecutive dots to prevent "../" bypass after char substitution

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@gracefullight