madapes/madbase
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cffdf8af8684ea9f759905a47634f2d8364e726c
madbase/M0_TODO.md
Vlad Durnea cffdf8af86
Some checks failed
CI/CD Pipeline / unit-tests (push) Failing after 1m16s
Details
CI/CD Pipeline / integration-tests (push) Failing after 2m32s
Details
CI/CD Pipeline / lint (push) Successful in 5m22s
Details
CI/CD Pipeline / e2e-tests (push) Has been skipped
Details
CI/CD Pipeline / build (push) Has been skipped
Details
wip:milestone 0 fixes
2026-03-15 12:35:42 +02:00

46 lines
2.2 KiB
Markdown
Raw Blame History

M0 Security Hardening - Working Tasks
SECTION 0.1 - Secrets & Credential Hygiene ✓ COMPLETE
✓ 0.1.1 Remove secret logging from auth/src/middleware.rs (line 46, 49)
✓ 0.1.2 Remove secret logging from gateway/src/middleware.rs (line 139)
✓ 0.1.3 Remove token logging from auth/src/handlers.rs (lines 81-84, 297-300)
✓ 0.1.4 Make JWT_SECRET required with 32-char minimum (common/src/config.rs)
✓ 0.1.5 Make ADMIN_PASSWORD required (control_plane/src/lib.rs)
✓ 0.1.6 Remove hardcoded S3 credentials (storage/src/backend.rs)
✓ 0.1.7 Remove Serialize derive from Config (common/src/config.rs)
SECTION 0.2 - Authentication & Authorization ✓ COMPLETE
✓ 0.2.1 Fix admin auth middleware - proper session validation (gateway/src/admin_auth.rs)
✓ 0.2.2 Admin password required with sessions (control_plane/src/lib.rs)
□ 0.2.3 Add API key auth to control-plane-api (control-plane-api/src/lib.rs)
□ 0.2.4 Verify function deploy/invoke auth enforcement
SECTION 0.3 - Injection & Input Sanitization (IN PROGRESS)
⏳ 0.3.1 Fix SQL injection in SET LOCAL role (data_api/src/handlers.rs)
⏳ 0.3.2 Fix SQL injection in SET LOCAL role (storage/src/handlers.rs)
⏳ 0.3.3 Fix SQL injection in table browser (control_plane/src/lib.rs)
⏳ 0.3.4 Fix JavaScript injection in Deno runtime (functions/src/deno_runtime.rs)
⏳ 0.3.5 Fix path traversal in TUS uploads (storage/src/tus.rs)
SECTION 0.4 - Token & Session Security
□ 0.4.1 Gate token issuance on email confirmation (auth/src/handlers.rs signup)
□ 0.4.2 Check confirmation on login (auth/src/handlers.rs login)
□ 0.4.3 Validate OAuth CSRF state (auth/src/oauth.rs)
□ 0.4.4 Fix OAuth account takeover (auth/src/oauth.rs)
SECTION 0.5 - CORS & Transport Security
□ 0.5.1 Restrict CORS origins in gateway/src/control.rs
□ 0.5.2 Restrict CORS origins in gateway/src/worker.rs
□ 0.5.3 Stop exposing secrets in API responses (control_plane/src/lib.rs)
FINAL TESTING
□ Verify no secret logging with rg
□ Test JWT_SECRET requirement
□ Test ADMIN_PASSWORD requirement
□ Test S3_ACCESS_KEY requirement
□ Test admin auth rejection
□ Test SQL injection blocking
□ Test OAuth CSRF validation
□ Test signup confirmation gating
□ Test unconfirmed login rejection
Reference in New Issue View Git Blame Copy Permalink