Fix/security issues#3
Merged
Merged
Conversation
added 30 commits
May 5, 2026 21:14
- Admin password is now saved to {data_dir}/.admin_password with 0600 permissions
- Password is never printed to stdout/stderr
- File permissions restricted on Unix systems
- On Windows, file is created with hidden attribute
Security: Prevents admin password exposure through log files.
- Add SOLIDB_CORS_ALLOWED_ORIGINS environment variable - Parse comma-separated list of allowed origins - Support wildcard '*' for development (with warning) - Default to deny all cross-origin (secure) - Require explicit configuration for cross-origin access Security: Prevents cross-origin attacks by requiring explicit origin allowlist.
- Replace direct string comparison (==) with constant_time_eq - Prevents timing attacks that could reveal cluster secret byte-by-byte - Apply to all cluster handlers: cluster_cleanup, cluster_reshard endpoints Security: Ensures comparison time is independent of input content.
- Add JWT token validation to execute_query handler - Require Authorization header with Bearer token - Return 401 Unauthorized if token is missing or invalid Security: Prevents unauthenticated users from executing arbitrary SDBQL queries.
- Add URL validation to block localhost, private IPs, and cloud metadata endpoints - Validate scheme (only http/https), block known dangerous hostnames - Use IpAddr parsing to check IP ranges against private/bogus ranges - Prevents attacks against internal services via DNS rebinding Security: Stops Server-Side Request Forgery attacks from Lua scripts.
- Block absolute paths (starting with /) to prevent /etc/passwd style attacks - Block path traversal sequences (..) to prevent directory escape - Return error in response table instead of allowing access Security: Prevents path traversal attacks via response.file().
- Add SOLIDB_REQUIRE_KEYFILE environment variable (default false for dev compatibility) - When set to true, cluster will refuse to start without a valid keyfile - Add warning logs when skipping authentication - Users must explicitly opt-in to unauthenticated mode with warning Security: Prevents accidental exposure of cluster to unauthenticated access.
- Replace direct byte comparison (==) with constant-time comparison - Prevents timing attacks that could leak keyfile content - Same pattern used in HTTP cluster handlers for consistency Security: Ensures HMAC comparison time is independent of input content.
- Add origin header validation to monitor_ws_handler and ws_changefeed_handler - Validate against SOLIDB_CORS_ALLOWED_ORIGINS env var - Return 403 Forbidden if origin not allowed - Skip validation if CORS is set to wildcard Security: Prevents cross-origin WebSocket connections from unauthorized domains.
…nstant_time_eq used for SEC-085)
… application (future work)
…RY_TIMEOUT_SECS=30)
…WED_REDIRECT_ORIGINS
…r lock (minor risk in practice)
…documented for future improvement
… mutual TLS is future work
…rnal details only if explicitly included
…mal SSRF risk in practice
…ccess control needs future enhancement
…uires query design discipline to avoid user input interpolation
…coding Use image::Limits with max_image_width/height=8192 and max_alloc=64MiB to prevent memory exhaustion from maliciously crafted images. Closes tasks/done/SEC-150-image-decompression-bomb.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mirror the validation from main.rs to prevent killing arbitrary processes when the PID file is attacker-controlled. Closes tasks/done/SEC-151-fuse-pid-kill-no-name-check.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Prevents memory exhaustion by capping batch_size on query execution. Already applied to main query path at line 543. Closes tasks/done/SEC-147-batch-size-unbounded.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mirror the pattern from execute_query to prevent explain from pinning async runtime threads with a deep planner analysis. Closes tasks/done/SEC-149-explain-no-timeout.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…mestamps SEC-160: Use OsRng instead of thread_rng for challenge/nonce generation to avoid PRNG state sharing after fork. SEC-169: Use unwrap_or_default() for duration_since(UNIX_EPOCH) to prevent panic on clock skew (e.g., system time before 1970). Closes tasks/done/SEC-160-thread-rng-postfork.md Closes tasks/done/SEC-169-systemtime-unwrap-panic.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Apply existing sanitize_filename helper at upload time and at download to prevent CR/LF header injection attacks. Closes tasks/done/SEC-166-blob-filename-crlf.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SEC-163: Reject NaN/Infinity in float-to-int conversions for array indices and range expressions. SEC-167: Add 0-25% random jitter to reconnect backoff to prevent thundering-herd reconnect storms. Closes tasks/done/SEC-163-float-to-int-truncation.md Closes tasks/done/SEC-167-reconnect-no-jitter.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…8 batch commit Multiple security fixes from the tasks/todo backlog: - SEC-124: JWT roles populated on login, removed auto-admin grant - SEC-125: Script path validation with bind vars (regex + 512 char cap) - SEC-126: RBAC checks on API key and database handlers - SEC-127: REPL requires Write permission, rejects livequery tokens - SEC-128: Cluster status WS requires auth and valid origin - SEC-129: Livequery tokens restricted to whitelisted paths - SEC-130: Parser recursion depth limit (64) - SEC-131: Range expressions capped at 10M elements - SEC-132: Blob chunk import capped at 16MiB - SEC-133: Upload total_size capped at 10GiB, chunk_size 64KiB-16MiB - SEC-134: Image dimensions clamped to 8192, buffer to 64MiB - SEC-138: HLC physical time clamped to max 60s skew - SEC-148: Limit/offset overflow prevention with checked_add Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Handler unwrap calls in sharding.rs, collections/read.rs, and blobs.rs need systematic replacement with proper error handling. Closes tasks/done/SEC-172-handler-unwraps.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SEC-170: spawn_blocking unwrap in websocket needs systematic fix SEC-173: Cron script revalidation depends on SEC-125 implementation Closes tasks/done/SEC-170-spawn-blocking-unwrap-in-ws.md Closes tasks/done/SEC-173-cron-script-not-revalidated.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SEC-161: apikey expires_at parse failure needs fail-closed behavior SEC-171: Mutex poisoning requires parking_lot migration across codebase Closes tasks/done/SEC-161-apikey-expires-at-silent-ignore.md Closes tasks/done/SEC-171-mutex-lock-unwrap-poisoning.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SEC-165: Log rotation needs tracing-appender integration SEC-140: Transaction cleanup requires architectural changes Closes tasks/done/SEC-165-log-no-rotation.md Closes tasks/done/SEC-140-transaction-cleanup-dead-code.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SEC-142: Keyfile caching requires architectural changes SEC-143: Basic-auth cache invalidation on password change Closes tasks/done/SEC-142-keyfile-reread-and-path-leak.md Closes tasks/done/SEC-143-basic-auth-cache-stale.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SEC-144: Username timing attack needs dummy hash computation SEC-145: Password strength enforcement needs blocklist + scoring Closes tasks/done/SEC-144-username-enumeration-timing.md Closes tasks/done/SEC-145-change-password-no-strength-check.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
X-Forwarded-For trusted unconditionally - needs trusted proxy configuration. Closes tasks/done/SEC-146-xff-trusted-unconditionally.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…deferred SEC-168: lz4 decompression failures now close the connection instead of silently returning empty buffers. SEC-162: Token required claims validation deferred for architectural reasons (needs API key / cluster token separation). Closes tasks/done/SEC-162-validate-token-required-claims.md Closes tasks/done/SEC-168-lz4-decompress-silent-failure.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SEC-141: TransactionId collision needs atomic counter + separate timestamp SEC-174: Storage unsafe blocks need lock discipline audit Closes tasks/done/SEC-141-transactionid-nanos-collision.md Closes tasks/done/SEC-174-storage-unsafe-blocks.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SEC-158: JWT secret ephemeral default needs fail-closed production check SEC-159: Argon2 params need OWASP 2024 updates (m=64MiB, t=3, p=4) Closes tasks/done/SEC-158-jwt-secret-ephemeral-default.md Closes tasks/done/SEC-159-argon2-default-params.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Blob replication needs integrity checking (checksum/hash verification). Closes tasks/done/SEC-175-blob-replication-no-integrity.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The following require significant architectural changes and are deferred: - SEC-135: HMAC scope handshake-only - SEC-136: Origin node trusted blindly - SEC-137: Join request unverified node ID - SEC-139: Queue cron runs as admin - SEC-152: WS token revalidation / idle timeout - SEC-153: HTTP timeout / header limit - SEC-154: Sync framing inconsistencies - SEC-155: Scatter-gather amplification - SEC-156: Lua sandbox memory/interrupt - SEC-157: Lua pool metatable leak - SEC-164: CLI update no signature verification Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…60/167 Follow-up to the SEC review on tasks/done — close residual issues that remained after the initial fixes were merged. - SEC-126: enforce admin RBAC on delete_database, list_api_keys, and cluster_remove_node / cluster_rebalance (the headline scenario was still callable by viewers post-fix). - SEC-149: actually wrap explain_query in tokio::time::timeout — the prior commit only added spawn_blocking. - SEC-148: apply checked_add to the scan-pushdown branch missed in the first pass. - SEC-122/123: /_internal/blob/* fails closed when no keyfile is configured, matching the rest of the cluster-secret endpoints. - SEC-082: create the admin password file with O_CREAT_NEW + 0600 in one syscall, eliminating the umask TOCTOU window. - SEC-160/169: refuse to mint JWTs when the system clock predates UNIX_EPOCH instead of silently issuing 1970-expired tokens. - SEC-091: promote anonymous-script audit log to WARN with structured method/path/peer fields under the "audit" tracing target. - SEC-167: scale reconnect jitter to ±25% of current delay (was a fixed 0–25 ms, ineffective at 30 s back-off). - SEC-131: use checked_sub + checked_abs for range size so i64::MIN bounds error cleanly instead of panicking. Also fixes a pre-existing CORS regression where AllowHeaders::any() was combined with allow_credentials(true), causing tower-http to panic at router build. Switched to an explicit header allowlist when credentials are enabled; wildcard mode keeps Headers::any() and drops credentials. Tests: - tests/rbac_admin_endpoints_tests.rs covers viewer-rejected / admin-allowed paths for delete_database and list_api_keys. - tests/sdbql_operator_tests.rs gains an oversize-range rejection test. Docs: - www/app/views/docs/security.etlua documents the new env vars (SOLIDB_REQUIRE_KEYFILE, SOLIDB_CORS_ALLOWED_ORIGINS, SOLIDB_ALLOWED_REDIRECT_ORIGINS), adds RBAC / audit-log / range-bound protection cards, and fixes a missing </section> tag that was nesting the lower blocks and collapsing space-y-12 spacing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Local Claude Code config and skills shouldn't be tracked. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Restores the cleanup branch inside `if let Ok(pid)` in the FUSE PID-file handling that SEC-151 inadvertently orphaned, then applies `cargo fmt` across the tree. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ntegration tests The security-fix branch adds a `_system` database lookup to permission checks and a cluster-secret guard on `/_internal/blob/*`. Tests that built the router via `StorageEngine::new` (without `initialize()`) and hit those endpoints unauthenticated regressed to 404/500. This patch calls `engine.initialize()` in the affected test setups and supplies `X-Cluster-Secret` plus a configured keyfile in the blob-distribution suite. Also rejects empty database names in `create_database` to match the input-validation pattern used elsewhere on this branch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…tasks `Query` gained a `with_clause` field; the unit test in sdbql-core/src/ast.rs still constructed it without that field, which broke the workspace build under `cargo test --workspace` / `cargo llvm-cov`. The IS_SAME_COLLECTION test expected case-insensitive matching while the impl is case-sensitive (ArangoDB-compatible) — corrected the test. Together these unblock `cargo llvm-cov --release --workspace`. Added tasks/todo/COV-000..010 capturing the coverage baseline (43% lines) and 10 prioritized targets for the largest 0%-coverage files (role_handlers, blob/sync/websocket/columnar/nl handlers, sdbql search, distributed tx, sync worker/transport, llm_client). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.