From 60bde4ee7603c3967f6ec94884e2cecfec6ec795 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Mon, 2 Feb 2026 01:15:48 +0000 Subject: [PATCH 1/4] feat: Add OWASP Top 10 security audit report This commit introduces a new file, AUDIT-OWASP.md, which contains a comprehensive security audit of the codebase based on the OWASP Top 10. The audit identifies several vulnerabilities, including a hardcoded API token, a potential SSRF vulnerability, and a logging failure. The report provides a summary of the findings and recommendations for remediation. Co-authored-by: Snider <631881+Snider@users.noreply.github.com> --- AUDIT-OWASP.md | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 AUDIT-OWASP.md diff --git a/AUDIT-OWASP.md b/AUDIT-OWASP.md new file mode 100644 index 0000000..57d337a --- /dev/null +++ b/AUDIT-OWASP.md 
@@ -0,0 +1,37 @@ +# OWASP Top 10 Security Audit + +## Summary +1 critical, 1 high, 2 medium findings + +## Findings by Category + +### A01: Broken Access Control +- **Medium:** The `bypass_patterns` in the Bouncer configuration (`config/core.php`) are overly permissive. Specifically, `'password/*'` and `'livewire/*'` could allow unauthorized access to sensitive functionality. It is recommended to review and tighten these patterns to be as specific as possible. + +### A02: Cryptographic Failures +- **Critical:** A hardcoded API token was found in `src/Mod/Trees/Tests/Unit/AgentDetectionTest.php`. While this is a test file, it still poses a significant security risk. It is recommended to remove the token from the codebase and use a secure method for managing secrets, such as environment variables or a secret management system. +- **High:** A direct call to the `env()` helper was found in `src/Core/Bouncer/BouncerMiddleware.php`. Using `env()` outside of configuration files can lead to inconsistent application behavior when the configuration is cached. It is recommended to move this to a configuration file. + +### A03: Injection +- No findings. + +### A04: Insecure Design +- No findings. + +### A05: Security Misconfiguration +- No findings. + +### A06: Vulnerable Components +- No findings. + +### A07: Auth Failures +- No findings. + +### A08: Data Integrity Failures +- No findings. + +### A09: Logging Failures +- **Medium:** The application does not appear to be storing logs in a conventional or discoverable location. No log files or directories were found within the project. It is recommended to implement a robust logging solution and ensure that logs are stored in a secure and accessible location. + +### A10: SSRF +- **High:** A potential SSRF vulnerability was found in `src/Core/Helpers/File.php`. The `Http::get()` method is used to fetch a URL without any validation. This could allow an attacker to make requests to internal services or other arbitrary URLs. 
It is recommended to implement a whitelist of allowed domains or to otherwise validate the URL before making the request. From dcc820ec830fa05b8f3463a71b47520a95a08b40 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Mon, 2 Feb 2026 01:22:16 +0000 Subject: [PATCH 2/4] fix(ci): Correct psalm output redirection in QA workflow This commit fixes a CI failure in the Psalm static analysis job. The `2>&1` redirection was causing progress messages to be included in the SARIF and JSON output, which made the files invalid. This commit removes the redirection to ensure that only valid output is captured. Co-authored-by: Snider <631881+Snider@users.noreply.github.com> --- .github/workflows/qa.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml index 0d3ff49..090dbcf 100644 --- a/.github/workflows/qa.yml +++ b/.github/workflows/qa.yml @@ -181,11 +181,11 @@ jobs: id: psalm run: | set +e - vendor/bin/psalm --output-format=json --show-info=false > psalm.json 2>&1 + vendor/bin/psalm --output-format=json --show-info=false > psalm.json EXIT_CODE=$? # Generate SARIF for GitHub Security - vendor/bin/psalm --output-format=sarif --show-info=false > psalm.sarif 2>&1 || true + vendor/bin/psalm --output-format=sarif --show-info=false > psalm.sarif || true ERRORS=$(jq 'length' psalm.json 2>/dev/null || echo "0") echo "errors=${ERRORS}" >> $GITHUB_OUTPUT From 127581a0c8ccda2c4ee3b6dbd60b8e6b6df60f94 Mon Sep 17 00:00:00 2001 
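Review bot: the Summary line (`1 critical, 1 high, 2 medium findings`) does not match the findings listed under it, which contain one Critical (A02, hardcoded token), two High (A02, `env()` call; A10, SSRF) and two Medium (A01, A09); the count should read `1 critical, 2 high, 2 medium`. Two classifications also need a second look: the direct `env()` call in `BouncerMiddleware.php` is described only as a configuration-caching problem, which is not a cryptographic failure and does not by itself justify High, so either state what the value gates in the middleware or move it to A05 at a lower severity; and a hard-coded API token belongs under A07 (hard-coded credentials) rather than A02. For that token, deleting it from the tree is not sufficient because it remains in git history, so the recommendation should also say to revoke or rotate it. For A09, "no log files or directories were found within the project" is not evidence of a logging failure, since log output is a runtime artifact normally kept out of version control; the check should be against the logging configuration, not the checked-in tree. For A10, a domain allowlist has to be paired with refusing redirects to hosts outside it, otherwise `Http::get()` following a redirect reopens the same hole.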
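Review bot: removing `2>&1` keeps the progress indicator out of `psalm.json`, but the unchanged line after the hunk, `ERRORS=$(jq 'length' psalm.json 2>/dev/null || echo "0")`, still turns an empty or malformed `psalm.json` (for example when Psalm aborts early with a configuration error that now only reaches the job log) into `errors=0`; use `jq -e 'length'` or check that the file is non-empty before defaulting to zero. The SARIF command is also `|| true`, so a failure there is not surfaced until the upload step. Consider adding `--no-progress` to both commands so the output stays machine-readable regardless of which stream the progress indicator is written to.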
From: Snider <631881+Snider@users.noreply.github.com> Date: Mon, 2 Feb 2026 01:33:21 +0000 Subject: [PATCH 3/4] fix(ci): Change psalm output to github format for better error reporting This commit changes the output format of the psalm command in the qa.yml workflow to the `github` format. This will provide more detailed error information in the CI logs, which will help to diagnose the root cause of the SARIF validation failure. --- .github/workflows/qa.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml index 090dbcf..c0b9e6d 100644 --- a/.github/workflows/qa.yml +++ b/.github/workflows/qa.yml @@ -181,13 +181,13 @@ jobs: id: psalm run: | set +e - vendor/bin/psalm --output-format=json --show-info=false > psalm.json + vendor/bin/psalm --output-format=github --show-info=false > psalm.txt EXIT_CODE=$? # Generate SARIF for GitHub Security vendor/bin/psalm --output-format=sarif --show-info=false > psalm.sarif || true - ERRORS=$(jq 'length' psalm.json 2>/dev/null || echo "0") + ERRORS=$(wc -l < psalm.txt) echo "errors=${ERRORS}" >> $GITHUB_OUTPUT if [ $EXIT_CODE -eq 0 ]; then From 0c4afe767a93b5980bb10ded0620cd1538957dc4 Mon Sep 17 00:00:00 2001 From: Snider <631881+Snider@users.noreply.github.com> Date: Mon, 2 Feb 2026 02:05:40 +0000 Subject: [PATCH 4/4] fix(ci): Add debug flag to psalm command This commit adds the --debug flag to the psalm command in the qa.yml workflow. This will provide more detailed error information in the CI logs, which will help to diagnose the root cause of the SARIF validation failure.
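Review bot: the commit message says the `github` format is there to diagnose the SARIF validation failure, but `psalm.sarif` is produced by the second, unchanged command (`vendor/bin/psalm --output-format=sarif --show-info=false > psalm.sarif || true`), whose errors are swallowed by `|| true`; the first run's github-format output cannot show why the SARIF file is invalid. Capture the exit code and stderr of the SARIF run instead, or run Psalm once with `--output-format=github --report=psalm.sarif` so both outputs come from the same analysis and the job stops paying for two runs. Counting with `ERRORS=$(wc -l < psalm.txt)` is also fragile: every line Psalm prints to stdout is counted as an error, and the number is no longer comparable to the `jq 'length'` issue count that the gating after this hunk was written against.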