92dffe8c60
- Enhanced CI/CD pipeline with coverage reporting, benchmarks, and artifact uploads - Implemented rate limiter IP validation with proxy support and spoofing protection - Added extensive Makefile test targets for coverage, benchmarks, and continuous testing - Expanded middleware chain with request validation, size limits, and suspicious activity logging
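#!/bin/bash
# Security Fixes Verification Script
#
# This script verifies that both critical security vulnerabilities have been
# fixed: the command-injection fix in internal/handlers/cv.go and the XSS fix
# in internal/templates/template.go. It inspects the source tree, runs the
# security tests and builds the application, tallying each check with
# check_result.
#
# All paths below are relative to the current working directory, so run it
# from the project root (the directory containing internal/ and the main
# package).
#
# Exit status: 0 when every check passes, 1 otherwise.

# Fail loudly on any unset variable (e.g. a mistyped colour name).
# -e is deliberately NOT enabled: the script records failing checks itself
# and must keep running to produce the final summary.
set -u

echo "╔══════════════════════════════════════════════════════════════════════╗"
echo "║ 🔒 SECURITY VULNERABILITY FIXES VERIFICATION ║"
echo "╚══════════════════════════════════════════════════════════════════════╝"
echo ""

# ANSI colour escape sequences; stored literally and interpreted by
# 'echo -e' (or printf %b) at print time.
readonly GREEN='\033[0;32m'
readonly RED='\033[0;31m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m' # No Color

# Counters for passed/failed checks, incremented by check_result.
PASSED=0
FAILED=0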
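#######################################
# Record the outcome of one verification check.
# Globals:   PASSED, FAILED (incremented); GREEN, RED, NC (read)
# Arguments: $1 - exit status of the check (0 = pass, anything else = fail)
#            $2 - human-readable description printed next to the verdict
# Outputs:   one coloured PASS/FAIL line on stdout
# Returns:   0
#######################################
check_result() {
  local status=$1
  local message=$2
  if [[ "$status" -eq 0 ]]; then
    # %b expands the escape sequences held in the colour variables; %s prints
    # the message verbatim (unlike 'echo -e', which would also interpret any
    # backslash sequences inside the message).
    printf '%b✅ PASS%b: %s\n' "$GREEN" "$NC" "$message"
    # Plain arithmetic assignment: '((PASSED++))' returns status 1 when the
    # counter was 0, which would abort the script if 'set -e' is ever enabled.
    PASSED=$((PASSED + 1))
  else
    printf '%b❌ FAIL%b: %s\n' "$RED" "$NC" "$message"
    FAILED=$((FAILED + 1))
  fi
}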
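echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "📝 VERIFICATION 1: Command Injection Fix"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""

# Handler file that received the command-injection fix; every check below
# greps this one file.
CV_HANDLER="internal/handlers/cv.go"

# All checks in this section are static: they confirm that the expected
# construct appears verbatim in the handler, not that it behaves correctly
# (the behavioural check is the security test run later in this script).
# grep -F treats the pattern as a fixed string, so the '.' in
# "context.WithTimeout" / "exec.CommandContext" cannot match as a regex
# wildcard; '--' ends option parsing so a pattern can never be read as a flag.

# Check 1: validateRepoPath function exists
echo "Checking for validateRepoPath function..."
if grep -qF -- "func validateRepoPath" "$CV_HANDLER"; then
  check_result 0 "validateRepoPath function exists"
else
  check_result 1 "validateRepoPath function not found"
fi

# Check 2: findProjectRoot function exists
echo "Checking for findProjectRoot function..."
if grep -qF -- "func findProjectRoot" "$CV_HANDLER"; then
  check_result 0 "findProjectRoot function exists"
else
  check_result 1 "findProjectRoot function not found"
fi

# Check 3: Timeout protection with context
echo "Checking for timeout protection..."
if grep -qF -- "context.WithTimeout" "$CV_HANDLER"; then
  check_result 0 "Timeout protection implemented"
else
  check_result 1 "Timeout protection not found"
fi

# Check 4: CommandContext usage (the command runs under the timeout context)
echo "Checking for secure command execution..."
if grep -qF -- "exec.CommandContext" "$CV_HANDLER"; then
  check_result 0 "CommandContext with timeout used"
else
  check_result 1 "CommandContext not found"
fi

# Check 5: Security logging of rejected git operations
echo "Checking for security logging..."
if grep -qF -- "Security: Rejected git operation" "$CV_HANDLER"; then
  check_result 0 "Security logging implemented"
else
  check_result 1 "Security logging not found"
fi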
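echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "📝 VERIFICATION 2: XSS Vulnerability Fix"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""

# Go file that used to register the safeHTML template helper.
TEMPLATE_GO="internal/templates/template.go"

# Check 6: safeHTML function removed
# grep -F: the pattern contains '(' and '.', which must match literally.
echo "Checking that safeHTML function is removed..."
if grep -qF -- "\"safeHTML\": func(s string) template.HTML" "$TEMPLATE_GO"; then
  check_result 1 "safeHTML function still exists (VULNERABLE)"
else
  check_result 0 "safeHTML function removed"
fi

# Check 7: Security comment exists
echo "Checking for security comment..."
if grep -qF -- "Security: safeHTML function removed to prevent XSS" "$TEMPLATE_GO"; then
  check_result 0 "Security comment present"
else
  check_result 1 "Security comment not found"
fi

# Check 8: No safeHTML usage in templates
# Match safeHTML as a whole word rather than only the "| safeHTML" pipeline
# form, so a direct call such as {{safeHTML .X}} is counted as well.
# A missing templates/ directory is reported as a failure instead of silently
# counting zero matches and passing.
echo "Checking for safeHTML usage in templates..."
if [ ! -d "templates/" ]; then
  check_result 1 "templates/ directory not found (cannot verify safeHTML usage)"
else
  SAFHTML_COUNT=$(grep -rwF -- "safeHTML" templates/ 2>/dev/null | wc -l)
  # Arithmetic expansion normalises wc's possibly space-padded count.
  SAFHTML_COUNT=$((SAFHTML_COUNT))
  if [ "$SAFHTML_COUNT" -eq 0 ]; then
    check_result 0 "No safeHTML usage in templates"
  else
    check_result 1 "Found $SAFHTML_COUNT instances of safeHTML in templates"
  fi
fi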
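echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "📝 VERIFICATION 3: Security Tests"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""

# Check 9: Security test file exists
echo "Checking for security test file..."
if [ -f "internal/handlers/cv_security_test.go" ]; then
  check_result 0 "Security test file exists"
else
  check_result 1 "Security test file not found"
fi

# Check 10: Run security tests
# The test log is captured in a variable instead of a fixed, predictable
# /tmp path: a shared /tmp name can be pre-created or symlinked by another
# local user, and the file would otherwise be left behind after the run.
# Only tests whose name matches "Security" are executed.
echo "Running security tests..."
if SECURITY_TEST_OUTPUT=$(go test -v ./internal/handlers -run "Security" 2>&1); then
  check_result 0 "Security tests passed"
  echo -e "${YELLOW}Test output:${NC}"
  # On success only the first few PASS lines are shown.
  printf '%s\n' "$SECURITY_TEST_OUTPUT" | grep "PASS" | head -n 5
else
  check_result 1 "Security tests failed"
  echo -e "${RED}Test output:${NC}"
  # On failure the full log is needed to diagnose the problem.
  printf '%s\n' "$SECURITY_TEST_OUTPUT"
fi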
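echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "📝 VERIFICATION 4: Application Build"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""

# Check 11: Application builds successfully
# Compiler output is captured in a variable rather than written to a fixed,
# predictable /tmp path (which could be pre-created or symlinked by another
# local user and would be left behind after the run).
echo "Building application..."
if BUILD_OUTPUT=$(go build -o cv-server . 2>&1); then
  check_result 0 "Application builds successfully"
  # The binary is only a build smoke-test artefact; do not leave it in the tree.
  rm -f -- cv-server
else
  check_result 1 "Application build failed"
  printf '%s\n' "$BUILD_OUTPUT"
fi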
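echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "📊 FINAL RESULTS"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""

# Summary of the counters maintained by check_result.
TOTAL=$((PASSED + FAILED))
echo "Total Checks: $TOTAL"
echo -e "${GREEN}Passed: $PASSED${NC}"
if [ "$FAILED" -gt 0 ]; then
  echo -e "${RED}Failed: $FAILED${NC}"
else
  echo "Failed: $FAILED"
fi

# Guard the division: with no checks recorded, the bare expression would
# abort on division by zero and leave PERCENTAGE empty.
if [ "$TOTAL" -gt 0 ]; then
  PERCENTAGE=$((PASSED * 100 / TOTAL))
else
  PERCENTAGE=0
fi
echo "Success Rate: $PERCENTAGE%"
echo ""

# Overall verdict: every check must have passed AND at least one check must
# have run — a run that recorded nothing is not a successful verification.
if [ "$FAILED" -eq 0 ] && [ "$TOTAL" -gt 0 ]; then
  echo -e "${GREEN}╔══════════════════════════════════════════════════════════════════════╗${NC}"
  echo -e "${GREEN}║ ✅ ALL SECURITY FIXES VERIFIED - READY FOR DEPLOYMENT ║${NC}"
  echo -e "${GREEN}╚══════════════════════════════════════════════════════════════════════╝${NC}"
  exit 0
else
  echo -e "${RED}╔══════════════════════════════════════════════════════════════════════╗${NC}"
  echo -e "${RED}║ ❌ SECURITY VERIFICATION FAILED - REVIEW REQUIRED ║${NC}"
  echo -e "${RED}╚══════════════════════════════════════════════════════════════════════╝${NC}"
  exit 1
fi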