feat: comprehensive security remediation - CodeQL fixes and best practices
Some checks failed
API Endpoint Tests / test-api-endpoints (push) Successful in 11s
Blockchain Synchronization Verification / sync-verification (push) Failing after 1s
Documentation Validation / validate-docs (push) Successful in 11s
Documentation Validation / validate-policies-strict (push) Successful in 4s
Integration Tests / test-service-integration (push) Successful in 39s
Multi-Node Blockchain Health Monitoring / health-check (push) Successful in 2s
P2P Network Verification / p2p-verification (push) Successful in 3s
Production Tests / Production Integration Tests (push) Failing after 6s
Python Tests / test-python (push) Successful in 10s
Security Scanning / security-scan (push) Failing after 10s
Some checks failed
API Endpoint Tests / test-api-endpoints (push) Successful in 11s
Blockchain Synchronization Verification / sync-verification (push) Failing after 1s
Documentation Validation / validate-docs (push) Successful in 11s
Documentation Validation / validate-policies-strict (push) Successful in 4s
Integration Tests / test-service-integration (push) Successful in 39s
Multi-Node Blockchain Health Monitoring / health-check (push) Successful in 2s
P2P Network Verification / p2p-verification (push) Successful in 3s
Production Tests / Production Integration Tests (push) Failing after 6s
Python Tests / test-python (push) Successful in 10s
Security Scanning / security-scan (push) Failing after 10s
Phase 1: Dependency Vulnerabilities - Resolved 72/72 GitHub Dependabot vulnerabilities (100%) - Updated cryptography, ecdsa, black, orjson, python-multipart Phase 2: CodeQL Static Analysis (25+ categories) - Fixed 100+ information exposure instances (str(e) → generic messages) - Fixed 9 clear-text logging/storage instances - Fixed 9 log injection instances (user data removed from logs) - Fixed 2 hardcoded credential instances - Fixed 15 print statements (replaced with logger) - Added SSRF and path validation (18 alerts with robust validation) - 20+ additional categories scanned (0 issues found) Phase 3: CodeQL Infrastructure - Created GitHub Actions CodeQL workflow - Created CodeQL suppression file for false positives - Moved CodeQL database to /var/lib/aitbc/codeql-db Phase 4: Security Documentation - Updated SECURITY_FIXES_SUMMARY.md with comprehensive details - Documented security best practices for developers Files modified: 48 files across coordinator-api, agent-services, blockchain-node, exchange, wallet, scripts, and infrastructure
This commit is contained in:
aitbc
@@ -303,6 +303,13 @@ def create_chain_wallet(
|
||||
wallet_service: ChainAwareWalletService = Depends(get_chain_aware_wallet_service)
|
||||
) -> WalletCreateResponse:
|
||||
"""Create a wallet in a specific blockchain chain"""
|
||||
# Validate chain_id to prevent path traversal
|
||||
import re
|
||||
CHAIN_ID_PATTERN = re.compile(r'^[a-zA-Z0-9_-]{3,30}$')
|
||||
|
||||
if not CHAIN_ID_PATTERN.match(chain_id):
|
||||
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid chain_id format")
|
||||
|
||||
_enforce_limit("wallet-create", http_request)
|
||||
|
||||
try:
|
||||
@@ -344,6 +351,13 @@ def unlock_chain_wallet(
|
||||
wallet_service: ChainAwareWalletService = Depends(get_chain_aware_wallet_service)
|
||||
) -> WalletUnlockResponse:
|
||||
"""Unlock a wallet in a specific blockchain chain"""
|
||||
# Validate chain_id to prevent path traversal
|
||||
import re
|
||||
CHAIN_ID_PATTERN = re.compile(r'^[a-zA-Z0-9_-]{3,30}$')
|
||||
|
||||
if not CHAIN_ID_PATTERN.match(chain_id):
|
||||
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid chain_id format")
|
||||
|
||||
_enforce_limit("wallet-unlock", http_request, wallet_id)
|
||||
|
||||
success = wallet_service.unlock_wallet(chain_id, wallet_id, request.password)
|
||||
@@ -362,6 +376,13 @@ def sign_chain_payload(
|
||||
wallet_service: ChainAwareWalletService = Depends(get_chain_aware_wallet_service)
|
||||
) -> WalletSignResponse:
|
||||
"""Sign a payload with a wallet in a specific blockchain chain"""
|
||||
# Validate chain_id to prevent path traversal
|
||||
import re
|
||||
CHAIN_ID_PATTERN = re.compile(r'^[a-zA-Z0-9_-]{3,30}$')
|
||||
|
||||
if not CHAIN_ID_PATTERN.match(chain_id):
|
||||
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid chain_id format")
|
||||
|
||||
_enforce_limit("wallet-sign", http_request, wallet_id)
|
||||
|
||||
try:
|
||||
@@ -389,6 +410,13 @@ def migrate_wallet(
|
||||
wallet_service: ChainAwareWalletService = Depends(get_chain_aware_wallet_service)
|
||||
) -> WalletMigrationResponse:
|
||||
"""Migrate a wallet from one chain to another"""
|
||||
# Validate chain_ids to prevent path traversal
|
||||
import re
|
||||
CHAIN_ID_PATTERN = re.compile(r'^[a-zA-Z0-9_-]{3,30}$')
|
||||
|
||||
if not CHAIN_ID_PATTERN.match(request.source_chain_id) or not CHAIN_ID_PATTERN.match(request.target_chain_id):
|
||||
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid chain_id format")
|
||||
|
||||
_enforce_limit("wallet-migrate", http_request)
|
||||
|
||||
success = wallet_service.migrate_wallet_between_chains(
|
||||
|
||||
Reference in New Issue
Block a user