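#!/bin/bash
# Security Fixes Verification Script
# This script verifies that both critical security vulnerabilities have been fixed
#
# Run it from the repository root: every path below (internal/..., templates/)
# is resolved against the current working directory. The script exits 0 only
# when every check passes, so it can gate a CI job.
#
# Changes from the original version (all behaviour-visible output is unchanged):
#   * scratch files live in a private mktemp directory instead of fixed names
#     under /tmp, and are removed on exit;
#   * the build artefact is written into that directory, so an existing
#     ./cv-server in the working tree is never overwritten or deleted;
#   * the repeated grep/check pattern is factored into helpers.

set -u   # an unset variable is a bug in this script, never a default

echo "╔══════════════════════════════════════════════════════════════════════╗"
echo "║ 🔒 SECURITY VULNERABILITY FIXES VERIFICATION ║"
echo "╚══════════════════════════════════════════════════════════════════════�╝"
echo ""

# Colors (real escape bytes, so plain printf '%s' reproduces them)
readonly GREEN=$'\033[0;32m'
readonly RED=$'\033[0;31m'
readonly YELLOW=$'\033[1;33m'
readonly NC=$'\033[0m' # No Color

readonly RULE="━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

# Counter for passed/failed checks
PASSED=0
FAILED=0

# Private scratch directory for command output. A fixed, predictable path in
# /tmp (the previous approach) is writable by every local user and can be
# pre-created or symlinked; mktemp -d gives an unguessable, owner-only dir.
WORK_DIR=$(mktemp -d) || { printf 'mktemp failed\n' >&2; exit 2; }
readonly WORK_DIR
cleanup() { rm -rf -- "${WORK_DIR:?}"; }
trap cleanup EXIT

#######################################
# Record the outcome of one check and print a coloured PASS/FAIL line.
# Globals:   PASSED, FAILED (incremented)
# Arguments: $1 - exit status (0 = pass, anything else = fail)
#            $2 - human-readable label for the check
# Outputs:   one line on stdout
#######################################
check_result() {
  local status=$1 label=$2
  if [[ "$status" -eq 0 ]]; then
    printf '%s✅ PASS%s: %s\n' "$GREEN" "$NC" "$label"
    PASSED=$((PASSED + 1))
  else
    printf '%s❌ FAIL%s: %s\n' "$RED" "$NC" "$label"
    FAILED=$((FAILED + 1))
  fi
}

#######################################
# Print a section banner: rule, title, rule, blank line.
# Arguments: $1 - section title
#######################################
section() {
  echo "$RULE"
  echo "$1"
  echo "$RULE"
  echo ""
}

#######################################
# Warn (on stderr) when a file the checks depend on is missing, so a wall of
# FAILs is recognisable as "wrong working directory" rather than a regression.
# Arguments: $1 - path
# Returns:   0 if the file is readable, 1 otherwise
#######################################
require_file() {
  if [[ -r "$1" ]]; then
    return 0
  fi
  printf 'note: %s not found or unreadable; run this script from the repository root\n' "$1" >&2
  return 1
}

#######################################
# Pass when PATTERN (grep BRE, fixed text here) occurs in FILE.
# Arguments: $1 - progress message printed before the check
#            $2 - file to search
#            $3 - pattern
#            $4 - label on pass
#            $5 - label on fail
#######################################
expect_match() {
  local progress=$1 file=$2 pattern=$3 pass_label=$4 fail_label=$5
  echo "$progress"
  require_file "$file" || true   # missing file still counts as a failed check below
  if grep -q -- "$pattern" "$file" 2>/dev/null; then
    check_result 0 "$pass_label"
  else
    check_result 1 "$fail_label"
  fi
}

#######################################
# Pass when PATTERN does NOT occur in FILE (the removal checks).
# Arguments: as expect_match; $4 is the label when the pattern is absent,
#            $5 the label when it is still present.
#######################################
expect_absent() {
  local progress=$1 file=$2 pattern=$3 pass_label=$4 fail_label=$5
  echo "$progress"
  require_file "$file" || true
  if grep -q -- "$pattern" "$file" 2>/dev/null; then
    check_result 1 "$fail_label"
  else
    check_result 0 "$pass_label"
  fi
}

section "📝 VERIFICATION 1: Command Injection Fix"

# Check 1: validateRepoPath function exists
expect_match "Checking for validateRepoPath function..." \
  internal/handlers/cv.go "func validateRepoPath" \
  "validateRepoPath function exists" "validateRepoPath function not found"

# Check 2: findProjectRoot function exists
expect_match "Checking for findProjectRoot function..." \
  internal/handlers/cv.go "func findProjectRoot" \
  "findProjectRoot function exists" "findProjectRoot function not found"

# Check 3: Timeout protection with context
expect_match "Checking for timeout protection..." \
  internal/handlers/cv.go "context.WithTimeout" \
  "Timeout protection implemented" "Timeout protection not found"

# Check 4: CommandContext usage
expect_match "Checking for secure command execution..." \
  internal/handlers/cv.go "exec.CommandContext" \
  "CommandContext with timeout used" "CommandContext not found"

# Check 5: Security logging
expect_match "Checking for security logging..." \
  internal/handlers/cv.go "Security: Rejected git operation" \
  "Security logging implemented" "Security logging not found"

echo ""
section "📝 VERIFICATION 2: XSS Vulnerability Fix"

# Check 6: safeHTML function removed.
# The pattern is the exact original signature; a re-introduced helper with a
# different name or spacing would not be caught here (check 8 covers usage).
expect_absent "Checking that safeHTML function is removed..." \
  internal/templates/template.go "\"safeHTML\": func(s string) template.HTML" \
  "safeHTML function removed" "safeHTML function still exists (VULNERABLE)"

# Check 7: Security comment exists
expect_match "Checking for security comment..." \
  internal/templates/template.go "Security: safeHTML function removed to prevent XSS" \
  "Security comment present" "Security comment not found"

# Check 8: No safeHTML usage in templates.
# Go templates can invoke a function either as a pipeline stage
# ({{ .X | safeHTML }}) or as a call ({{ safeHTML .X }}); the original only
# looked for the pipe form, so the call form is included here as well.
echo "Checking for safeHTML usage in templates..."
SAFHTML_COUNT=$(grep -rE -- '(\||\{\{-?)[[:space:]]*safeHTML' templates/ 2>/dev/null | wc -l)
SAFHTML_COUNT=$((SAFHTML_COUNT + 0))   # normalise wc's whitespace padding
if [[ "$SAFHTML_COUNT" -eq 0 ]]; then
  check_result 0 "No safeHTML usage in templates"
else
  check_result 1 "Found $SAFHTML_COUNT instances of safeHTML in templates"
fi

echo ""
section "📝 VERIFICATION 3: Security Tests"

# Check 9: Security test file exists
echo "Checking for security test file..."
if [[ -f "internal/handlers/cv_security_test.go" ]]; then
  check_result 0 "Security test file exists"
else
  check_result 1 "Security test file not found"
fi

# Check 10: Run security tests (-run is a regex over test names)
echo "Running security tests..."
TEST_LOG="$WORK_DIR/security_test_output.txt"
if go test -v ./internal/handlers -run "Security" > "$TEST_LOG" 2>&1; then
  check_result 0 "Security tests passed"
  printf '%sTest output:%s\n' "$YELLOW" "$NC"
  grep "PASS" "$TEST_LOG" | head -n 5
else
  check_result 1 "Security tests failed"
  printf '%sTest output:%s\n' "$RED" "$NC"
  cat "$TEST_LOG"
fi

echo ""
section "📝 VERIFICATION 4: Application Build"

# Check 11: Application builds successfully. The binary goes into the scratch
# directory so nothing in the working tree is created, clobbered or deleted.
echo "Building application..."
BUILD_LOG="$WORK_DIR/build_output.txt"
if go build -o "$WORK_DIR/cv-server" . > "$BUILD_LOG" 2>&1; then
  check_result 0 "Application builds successfully"
else
  check_result 1 "Application build failed"
  cat "$BUILD_LOG"
fi

echo ""
section "📊 FINAL RESULTS"

TOTAL=$((PASSED + FAILED))
echo "Total Checks: $TOTAL"
printf '%sPassed: %s%s\n' "$GREEN" "$PASSED" "$NC"
if [[ "$FAILED" -gt 0 ]]; then
  printf '%sFailed: %s%s\n' "$RED" "$FAILED" "$NC"
else
  echo "Failed: $FAILED"
fi

# Guard the division: TOTAL cannot be 0 with the checks above, but a future
# edit that removes them all must not turn the summary into a crash.
if (( TOTAL > 0 )); then
  PERCENTAGE=$((PASSED * 100 / TOTAL))
else
  PERCENTAGE=0
fi
echo "Success Rate: $PERCENTAGE%"
echo ""

if [[ "$FAILED" -eq 0 ]]; then
  printf '%s%s%s\n' "$GREEN" "╔══════════════════════════════════════════════════════════════════════╗" "$NC"
  printf '%s%s%s\n' "$GREEN" "║ ✅ ALL SECURITY FIXES VERIFIED - READY FOR DEPLOYMENT ║" "$NC"
  printf '%s%s%s\n' "$GREEN" "╚══════════════════════════════════════════════════════════════════════╝" "$NC"
  exit 0
else
  printf '%s%s%s\n' "$RED" "╔══════════════════════════════════════════════════════════════════════╗" "$NC"
  printf '%s%s%s\n' "$RED" "║ ❌ SECURITY VERIFICATION FAILED - REVIEW REQUIRED ║" "$NC"
  printf '%s%s%s\n' "$RED" "╚══════════════════════════════════════════════════════════════════════╝" "$NC"
  exit 1
fi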