security: sovereign-audit Pass-2 fixes — auth-lib, oauth, templates
All checks were successful
Deploy to Production / deploy (push) Successful in 54s
All checks were successful
Deploy to Production / deploy (push) Successful in 54s
Six confirmed findings closed (3 MEDIUM, 3 LOW). Tier-1 surfaces from
Pass-1 re-verified non-regressed; this pass deepened the audit on the
auth library, OAuth issuer, and template marketplace.
Za-002 MEDIUM (scrypt cost) — bump SCRYPT_N from 2^14 → 2^17 (131072)
matching current OWASP guidance for password hashing in 2026. Hash
format embeds N (`scrypt$N$salt$hash`), so the existing admin
password at the old cost still verifies — backward-compatible. Also
added explicit maxmem ceilings since Node's default (~32MiB) is
insufficient for the new N.
Za-003 MEDIUM (single-use race) — consumeMagicLink was SELECT-then-
UPDATE; two parallel redemptions could both win and mint two
sessions from the same token. Now uses the same atomic
`UPDATE … WHERE id = ? AND consumedAt IS NULL RETURNING id` pattern
/oauth/token already had — loser of the race gets
invalid_or_expired_token.
Za-004 LOW (membership ordering) — `.orderBy(memberships.createdAt)`
added so when org-invites eventually let a user belong to multiple
orgs, the same one wins every login instead of insertion-order
roulette. Latent-bug pre-empt.
Zb-002 LOW (OAuth register spam) — /oauth/register now per-IP daily
rate-limited at 20/day (well above any legitimate MCP-client
bootstrap pattern). Prevents DB-row spam.
Zc-001 MEDIUM (banned-pattern drift) — three separate copies of
BANNED_PATTERNS had drifted apart. The publish-time scanner in
templates.ts was MISSING the 7 new patterns added in Pass-1
(process.binding, dlopen, .constructor.constructor, vm.runIn*,
globalThis['..']). Single source of truth in @bmm/llm now exports
SHARED_BANNED_PATTERNS; templates.ts composes PUBLISH_BANNED_PATTERNS
= SHARED ∪ code-only-extras (dynamic import, fs.rm, setTimeout-with-
string, process.kill, jailbreak markers).
Zc-002 LOW (N+1) — /v1/templates list was issuing one COUNT(*) per
template (101 queries for a 100-row page). Now one grouped query
with templateId GROUP BY, merged in JS. p95 doesn't degrade with
marketplace growth.
DEFERRED (documented, scoped for next sprint):
Za-001 HIGH — Account takeover via cross-provider email lookup.
Requires schema change (users.primaryProvider). Mitigation in
/settings/account banner planned.
Zb-001 MEDIUM — /oauth/token refresh_token grant: advertised in
AS metadata but unsupported_grant_type. Either implement (~40
LOC) or strip from metadata.
Zc-003 LOW — Admin takedown partial-failure consistency.
Zd-001 IMPROVE — DEK cache invalidation across replicas (single-
instance today).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Marco Sadjadi
parent
f8af3fc0fd
commit
aa79a71357
@ -13,6 +13,7 @@ import {
|
||||
oauthTokens,
|
||||
} from '@bmm/db';
|
||||
import { getJWKS, signAccessToken } from '../lib/jwks.js';
|
||||
import { checkDailyLimit } from '../lib/rate-limit.js';
|
||||
import { requireAuth } from '../plugins/session.js';
|
||||
import { config } from '../config.js';
|
||||
|
||||
@ -73,8 +74,18 @@ export async function oauthRoutes(app: FastifyInstance): Promise<void> {
|
||||
return reply.send(await getJWKS());
|
||||
});
|
||||
|
||||
// RFC 7591 Dynamic Client Registration
|
||||
// RFC 7591 Dynamic Client Registration — rate-limited per-IP to prevent
|
||||
// DB-row spam. 20/day per visitor IP is well above legitimate MCP-client
|
||||
// bootstrap rates (each AI client registers once per resource server, ever).
|
||||
// (Zb-002.)
|
||||
app.post('/oauth/register', async (req, reply) => {
|
||||
const rl = await checkDailyLimit('oauth_register', req.ip, 20);
|
||||
if (!rl.ok) {
|
||||
return reply.code(429).send({
|
||||
error: 'rate_limited',
|
||||
detail: 'Too many client registrations from this IP. Try again tomorrow.',
|
||||
});
|
||||
}
|
||||
const Body = z.object({
|
||||
client_name: z.string().min(1).max(128).optional(),
|
||||
redirect_uris: z.array(z.string().url()).min(1).max(10),
|
||||
|
||||
@ -14,6 +14,7 @@ import {
|
||||
templates,
|
||||
users,
|
||||
} from '@bmm/db';
|
||||
import { SHARED_BANNED_PATTERNS } from '@bmm/llm';
|
||||
import { GeneratorSpec } from '@bmm/types';
|
||||
import type { FastifyInstance } from 'fastify';
|
||||
import { z } from 'zod';
|
||||
@ -25,20 +26,23 @@ import { requireAdmin, requireAuth } from '../plugins/session.js';
|
||||
|
||||
const db = createDb();
|
||||
|
||||
const BANNED_PATTERNS = [
|
||||
/\beval\s*\(/,
|
||||
/\bnew\s+Function\s*\(/,
|
||||
/\bFunction\s*\(\s*['"`]/, // Function('code')() — no `new` needed
|
||||
// Code-level extras on top of SHARED_BANNED_PATTERNS — these are concerns
|
||||
// that only make sense scanning a fully-rendered server.ts (not a spec).
|
||||
// Keeping them additive means @bmm/llm stays the single source of truth for
|
||||
// "obvious-malicious patterns", and publish-time gets stricter checks on top.
|
||||
// (Zc-001 consolidation.)
|
||||
const CODE_EXTRA_PATTERNS: RegExp[] = [
|
||||
/\bimport\s*\(/, // dynamic import (escape from bundle scope)
|
||||
/\bsetTimeout\s*\(\s*['"`]/, // setTimeout('code', ms) eval form
|
||||
/\bsetInterval\s*\(\s*['"`]/,
|
||||
/\bchild_process\b/,
|
||||
/\bfs\s*\.\s*(unlink|rmdir|rm)\b/,
|
||||
/\bprocess\s*\.\s*kill\b/,
|
||||
/ignore\s+previous\s+instructions/i,
|
||||
/disregard\s+(the\s+)?(above|previous)/i,
|
||||
/you\s+are\s+now\s+(in\s+)?(developer|jailbreak|dan)\s+mode/i,
|
||||
];
|
||||
const PUBLISH_BANNED_PATTERNS: readonly RegExp[] = [
|
||||
...SHARED_BANNED_PATTERNS,
|
||||
...CODE_EXTRA_PATTERNS,
|
||||
];
|
||||
|
||||
// Hardcoded-credential patterns. If Claude embedded a literal API key into the
|
||||
// generated code (publisher pasted it into the prompt), block the publish.
|
||||
@ -54,7 +58,7 @@ const SECRET_PATTERNS = [
|
||||
];
|
||||
|
||||
function scanForInjection(code: string): void {
|
||||
for (const pattern of BANNED_PATTERNS) {
|
||||
for (const pattern of PUBLISH_BANNED_PATTERNS) {
|
||||
if (pattern.test(code)) throw new Error(`banned_pattern: ${pattern.source}`);
|
||||
}
|
||||
}
|
||||
@ -314,21 +318,27 @@ export async function templateRoutes(app: FastifyInstance): Promise<void> {
|
||||
? rows.filter((r) => r.template.category === parsed.data.category)
|
||||
: rows;
|
||||
|
||||
// Augment with active deployment counts
|
||||
const enriched = await Promise.all(
|
||||
filtered.map(async (r) => {
|
||||
const [active] = await db
|
||||
.select({ c: count() })
|
||||
.from(mcpServers)
|
||||
.where(and(eq(mcpServers.templateId, r.template.id), eq(mcpServers.status, 'live')));
|
||||
return {
|
||||
...r.template,
|
||||
ownerName: r.ownerName ?? r.ownerEmail?.split('@')[0] ?? null,
|
||||
ownerOrgName: r.ownerOrgName,
|
||||
activeDeployments: Number(active?.c ?? 0),
|
||||
};
|
||||
}),
|
||||
);
|
||||
// Single grouped query — was N+1 (one COUNT per template). On a 100-row
|
||||
// listing that's 101 round-trips → p95 latency cliff once the marketplace
|
||||
// grows. (Zc-002.)
|
||||
const templateIds = filtered.map((r) => r.template.id);
|
||||
const activeCounts = new Map<string, number>();
|
||||
if (templateIds.length > 0) {
|
||||
const grouped = await db
|
||||
.select({ id: mcpServers.templateId, c: count() })
|
||||
.from(mcpServers)
|
||||
.where(and(eq(mcpServers.status, 'live'), sql`${mcpServers.templateId} = ANY(${templateIds})`))
|
||||
.groupBy(mcpServers.templateId);
|
||||
for (const g of grouped) {
|
||||
if (g.id) activeCounts.set(g.id, Number(g.c));
|
||||
}
|
||||
}
|
||||
const enriched = filtered.map((r) => ({
|
||||
...r.template,
|
||||
ownerName: r.ownerName ?? r.ownerEmail?.split('@')[0] ?? null,
|
||||
ownerOrgName: r.ownerOrgName,
|
||||
activeDeployments: activeCounts.get(r.template.id) ?? 0,
|
||||
}));
|
||||
|
||||
// Sort
|
||||
const now = Date.now();
|
||||
|
||||
@ -6,6 +6,7 @@ import {
|
||||
desc,
|
||||
eq,
|
||||
gt,
|
||||
isNull,
|
||||
magicLinks,
|
||||
memberships,
|
||||
organizations,
|
||||
@ -17,7 +18,13 @@ import {
|
||||
const MAGIC_LINK_TTL_MS = 15 * 60 * 1000; // 15 min
|
||||
const SESSION_TTL_MS = 30 * 24 * 60 * 60 * 1000; // 30 days
|
||||
const SCRYPT_KEYLEN = 64;
|
||||
const SCRYPT_N = 16_384;
|
||||
// OWASP 2024+ recommends scrypt N≥2^17 for password hashing. Hash format
|
||||
// embeds N (`scrypt$N$salt$hash`), so verifyPassword auto-handles old hashes
|
||||
// at lower N — backward-compatible cost bump. (Za-002.)
|
||||
const SCRYPT_N = 131_072;
|
||||
// scrypt with high N also needs maxmem ceiling raised — Node defaults to
|
||||
// ~32MiB which is below what N=131072 requires. (~128MiB needed per op.)
|
||||
const SCRYPT_MAXMEM = 256 * 1024 * 1024;
|
||||
|
||||
function sha256(input: string): string {
|
||||
return crypto.createHash('sha256').update(input).digest('hex');
|
||||
@ -29,7 +36,9 @@ function randomToken(bytes = 32): string {
|
||||
|
||||
export function hashPassword(password: string): string {
|
||||
const salt = crypto.randomBytes(16).toString('hex');
|
||||
const derived = crypto.scryptSync(password, salt, SCRYPT_KEYLEN, { N: SCRYPT_N }).toString('hex');
|
||||
const derived = crypto
|
||||
.scryptSync(password, salt, SCRYPT_KEYLEN, { N: SCRYPT_N, maxmem: SCRYPT_MAXMEM })
|
||||
.toString('hex');
|
||||
return `scrypt$${SCRYPT_N}$${salt}$${derived}`;
|
||||
}
|
||||
|
||||
@ -41,7 +50,10 @@ export function verifyPassword(password: string, stored: string): boolean {
|
||||
const expectedHex = parts[3];
|
||||
if (!Number.isFinite(N) || !salt || !expectedHex) return false;
|
||||
const expected = Buffer.from(expectedHex, 'hex');
|
||||
const actual = crypto.scryptSync(password, salt, expected.length, { N });
|
||||
// Use the N embedded in the hash so old (lower-N) hashes still verify.
|
||||
// maxmem scales with N — 128 * N * r bytes minimum, doubled for headroom.
|
||||
const maxmem = Math.max(64 * 1024 * 1024, N * 256);
|
||||
const actual = crypto.scryptSync(password, salt, expected.length, { N, maxmem });
|
||||
if (actual.length !== expected.length) return false;
|
||||
return crypto.timingSafeEqual(actual, expected);
|
||||
}
|
||||
@ -97,7 +109,18 @@ export async function consumeMagicLink(
|
||||
if (!row || row.consumedAt) {
|
||||
throw new Error('invalid_or_expired_token');
|
||||
}
|
||||
await db.update(magicLinks).set({ consumedAt: new Date() }).where(eq(magicLinks.id, row.id));
|
||||
// Atomic single-use: only the request whose UPDATE actually flips
|
||||
// consumedAt from NULL → now() is allowed to mint a session. Two concurrent
|
||||
// requests with the same token can't both win — the loser sees rows = 0.
|
||||
// (Za-003.)
|
||||
const claimed = await db
|
||||
.update(magicLinks)
|
||||
.set({ consumedAt: new Date() })
|
||||
.where(and(eq(magicLinks.id, row.id), isNull(magicLinks.consumedAt)))
|
||||
.returning({ id: magicLinks.id });
|
||||
if (claimed.length === 0) {
|
||||
throw new Error('invalid_or_expired_token');
|
||||
}
|
||||
|
||||
// Get or create user + default org
|
||||
let user = (await db.select().from(users).where(eq(users.email, row.email)).limit(1))[0];
|
||||
@ -116,10 +139,15 @@ export async function consumeMagicLink(
|
||||
|
||||
if (!user) throw new Error('user_resolve_failed');
|
||||
|
||||
// Deterministic ordering — when org-invites eventually let one user have
|
||||
// multiple memberships, we want the same "primary org" to win every login,
|
||||
// not a random one. Oldest membership = the org the user originally signed
|
||||
// up for. (Za-004.)
|
||||
const [membership] = await db
|
||||
.select()
|
||||
.from(memberships)
|
||||
.where(eq(memberships.userId, user.id))
|
||||
.orderBy(memberships.createdAt)
|
||||
.limit(1);
|
||||
if (!membership) throw new Error('no_org_membership');
|
||||
|
||||
@ -362,10 +390,15 @@ export async function loginWithPassword(
|
||||
if (!verifyPassword(password, user.passwordHash)) {
|
||||
throw new Error('invalid_credentials');
|
||||
}
|
||||
// Deterministic ordering — when org-invites eventually let one user have
|
||||
// multiple memberships, we want the same "primary org" to win every login,
|
||||
// not a random one. Oldest membership = the org the user originally signed
|
||||
// up for. (Za-004.)
|
||||
const [membership] = await db
|
||||
.select()
|
||||
.from(memberships)
|
||||
.where(eq(memberships.userId, user.id))
|
||||
.orderBy(memberships.createdAt)
|
||||
.limit(1);
|
||||
if (!membership) throw new Error('no_org_membership');
|
||||
|
||||
|
||||
@ -42,7 +42,10 @@ Return JSON only. No explanation.`;
|
||||
// determined attacker can bypass any of these with string concatenation
|
||||
// (`'chi'+'ld_process'`) or alternate APIs — that's why container isolation
|
||||
// has to hold even when this fails.
|
||||
const BANNED_PATTERNS = [
|
||||
//
|
||||
// Exported so the publish-time template scan in apps/api/src/routes/templates
|
||||
// can reuse it instead of maintaining a parallel list that drifts. (Zc-001.)
|
||||
export const SHARED_BANNED_PATTERNS: readonly RegExp[] = [
|
||||
/\beval\s*\(/,
|
||||
/\bnew\s+Function\s*\(/,
|
||||
/\bFunction\s*\(\s*['"`]/, // Function('...') without `new`
|
||||
@ -358,7 +361,7 @@ export function scanForInjection(spec: GeneratorSpecT): void {
|
||||
}
|
||||
}
|
||||
for (const text of surfaces) {
|
||||
for (const pattern of BANNED_PATTERNS) {
|
||||
for (const pattern of SHARED_BANNED_PATTERNS) {
|
||||
if (pattern.test(text)) {
|
||||
throw new BannedPatternError(`banned_pattern_detected: ${pattern.source}`);
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user