fix(security): close LOW ASVS findings — env bypass, SSE/deployment authz, CN fail-close, password byte-limit, exception leaks, BUG-12..16

Auth/session (V2.1.7, V4.1.5, V4.1.6, V2.1.4/V2.1.5): - env secret validation no longer bypassed by attacker-injectable PYTEST* env; gated on explicit DECNET_TESTING=1 (set only in conftest). - must_change_password now enforced on the SSE header-JWT path, not just ticket mint. - GET /system/deployment-mode requires viewer auth (was leaking role + topology size). - CreateUser/ResetUser passwords min_length=12; passwords >72 bytes rejected explicitly instead of bcrypt silently truncating. Swarm ingestion (V9.1.3, BUG-16): - Log listener hard-rejects peers with unparseable/empty cert CN (fail closed, ingests nothing) instead of tagging 'unknown'. - Shutdown handlers no longer swallow real errors (narrowed to CancelledError). Info leakage (V7.1.2, V14.1.2): - Exception text sanitized on swarm-update, health, tarpit, realism, file-drop, blank-topology endpoints (raw tc/docker stderr, DB/Docker errors logged server-side, generic detail returned). pyproject license corrected to AGPL-3.0. Correctness (BUG-12..16): - BUG-12 atomic credential upsert (UNIQUE constraint + IntegrityError retry, consistent principal_key canonicalization). - BUG-13 rule-tail watermark uses >= with seen-id dedup (no same-second drop). - BUG-14 worker wake cleared before wait (no lost wake during tick). - BUG-15 intel gather tolerates an unexpected provider raise. - BUG-16 see above. Already-closed (verified, no change): V2.1.6, V5.1.3, V9.1.2. Accept-risk + documented: V2.1.8 cache window, V3.1.3 idle timeout. Tests added for every fix; unanimous adversarial review after two refute-fix rounds.
2026-06-10 13:27:14 -04:00
parent d80e6aa6d1
commit 245975a6dd
40 changed files with 1629 additions and 72 deletions
--- a/decnet/web/db/models/auth.py
+++ b/decnet/web/db/models/auth.py
@@ -3,10 +3,18 @@
 from datetime import datetime, timezone
 from typing import List, Literal, Optional

-from pydantic import BaseModel, Field as PydanticField
+from pydantic import BaseModel, Field as PydanticField, field_validator
 from sqlmodel import Field, SQLModel


+def _reject_over_72_bytes(v: str) -> str:
+    """bcrypt silently truncates at 72 bytes; reject instead to avoid
+    collision/confusion between passwords that share a 72-byte prefix."""
+    if len(v.encode("utf-8")) > 72:
+        raise ValueError("password must not exceed 72 UTF-8 bytes (bcrypt limit)")
+    return v
+
+
 class User(SQLModel, table=True):
    __tablename__ = "users"
    uuid: str = Field(primary_key=True)
@@ -55,6 +63,11 @@ class ChangePasswordRequest(BaseModel):
    # floor a seeded admin could clear must_change_password with a 1-char secret.
    new_password: str = PydanticField(..., min_length=12, max_length=72)

+    @field_validator("old_password", "new_password", mode="after")
+    @classmethod
+    def _check_byte_limit(cls, v: str) -> str:
+        return _reject_over_72_bytes(v)
+

 class SSETicketResponse(BaseModel):
    """Single-use, short-lived opaque ticket the dashboard exchanges its header
@@ -68,16 +81,26 @@ class SSETicketResponse(BaseModel):

 class CreateUserRequest(BaseModel):
    username: str = PydanticField(..., min_length=1, max_length=64)
-    password: str = PydanticField(..., min_length=8, max_length=72)
+    password: str = PydanticField(..., min_length=12, max_length=72)
    role: Literal["admin", "viewer"] = "viewer"

+    @field_validator("password", mode="after")
+    @classmethod
+    def _check_byte_limit(cls, v: str) -> str:
+        return _reject_over_72_bytes(v)
+

 class UpdateUserRoleRequest(BaseModel):
    role: Literal["admin", "viewer"]


 class ResetUserPasswordRequest(BaseModel):
-    new_password: str = PydanticField(..., min_length=8, max_length=72)
+    new_password: str = PydanticField(..., min_length=12, max_length=72)
+
+    @field_validator("new_password", mode="after")
+    @classmethod
+    def _check_byte_limit(cls, v: str) -> str:
+        return _reject_over_72_bytes(v)


 class DeploymentLimitRequest(BaseModel):
--- a/decnet/web/db/models/logs.py
+++ b/decnet/web/db/models/logs.py
@@ -67,6 +67,16 @@ class Credential(SQLModel, table=True):
    __table_args__ = (
        Index("ix_credentials_secret_service", "secret_sha256", "service"),
        Index("ix_credentials_principal_service", "principal", "service"),
+        # Dedup constraint: same (attacker_ip, decky, service, secret_kind,
+        # secret_sha256, principal_key) → one row.  ``principal_key`` is
+        # the non-null canonical form of ``principal`` (empty string when
+        # principal is NULL) so the constraint is UNIQUE-safe under SQLite's
+        # NULL-distinct behaviour and MySQL's standard UNIQUE semantics.
+        UniqueConstraint(
+            "attacker_ip", "decky_name", "service",
+            "secret_kind", "secret_sha256", "principal_key",
+            name="uq_credentials_dedup",
+        ),
    )
    id: Optional[int] = Field(default=None, primary_key=True)
    # Keyed by attacker IP (not attackers.uuid) on the write path to
@@ -81,6 +91,11 @@ class Credential(SQLModel, table=True):
    decky_name: str = Field(index=True)
    service: str = Field(index=True)
    principal: Optional[str] = Field(default=None, index=True, max_length=256)
+    # Non-null canonical form of ``principal`` used in ``uq_credentials_dedup``.
+    # Empty string when ``principal`` is NULL so the UNIQUE constraint behaves
+    # correctly under SQLite's NULL-distinct semantics (same pattern as
+    # ``CredentialReuse.principal_key``).
+    principal_key: str = Field(default="", max_length=256)
    # Discriminator for what `secret_b64` actually contains. Default
    # ``"plaintext"`` — a recoverable password the attacker sent on the
    # wire (SSH/Telnet/FTP/IMAP/POP3/SMTP/Redis/LDAP/MQTT). Other kinds:
--- a/decnet/web/db/sqlmodel_repo/credentials/_core.py
+++ b/decnet/web/db/sqlmodel_repo/credentials/_core.py
@@ -7,6 +7,7 @@ from datetime import datetime, timezone
 from typing import Any, List, Optional

 from sqlalchemy import desc, func, or_, select, update
+from sqlalchemy.exc import IntegrityError
 from sqlmodel import col
 from sqlmodel.sql.expression import SelectOfScalar

@@ -31,18 +32,32 @@ class CredentialsCoreMixin(_MixinBase):
            payload["fields"] = json.dumps(payload["fields"], ensure_ascii=True)

        principal = payload.get("principal")
+        # Non-null canonical form used by the uq_credentials_dedup constraint
+        # AND by the dedup SELECT — both MUST key on the SAME value or the
+        # SELECT can miss a row that the constraint then collides on
+        # (e.g. principal=None and principal="" both canonicalize to ""):
+        # the SELECT would treat them as distinct, INSERT, hit IntegrityError,
+        # then re-SELECT with the wrong filter and re-raise. ``principal or ""``
+        # collapses None and "" identically — mirrors CredentialReuse and the
+        # constraint key. (BUG-12: canonicalization must not diverge.)
+        principal_key = principal or ""
        secret_kind = payload.get("secret_kind") or "plaintext"
-        async with self._session() as session:
-            stmt = select(Credential).where(
+
+        def _build_dedup_filter():
+            return (
                Credential.attacker_ip == payload["attacker_ip"],
                Credential.decky_name == payload["decky_name"],
                Credential.service == payload["service"],
                Credential.secret_kind == secret_kind,
                Credential.secret_sha256 == payload["secret_sha256"],
-                # NULL == NULL is False under SQL — branch the predicate.
-                (Credential.principal == principal) if principal is not None
-                else col(Credential.principal).is_(None),
+                # Key the SELECT on principal_key — the SAME canonical value
+                # the UNIQUE constraint uses — so SELECT and constraint never
+                # disagree about which rows collide.
+                Credential.principal_key == principal_key,
            )
+
+        async with self._session() as session:
+            stmt = select(Credential).where(*_build_dedup_filter())
            existing = (await session.execute(stmt)).scalar_one_or_none()
            now = datetime.now(timezone.utc)
            if existing is not None:
@@ -58,6 +73,7 @@ class CredentialsCoreMixin(_MixinBase):
                decky_name=payload["decky_name"],
                service=payload["service"],
                principal=principal,
+                principal_key=principal_key,
                secret_kind=secret_kind,
                secret_sha256=payload["secret_sha256"],
                secret_b64=payload.get("secret_b64"),
@@ -69,7 +85,25 @@ class CredentialsCoreMixin(_MixinBase):
                attempt_count=1,
            )
            session.add(row)
-            await session.commit()
+            try:
+                await session.commit()
+            except IntegrityError:
+                # Concurrent upsert for the same dedup key beat us — re-SELECT
+                # the winner row and increment its counter in a fresh session.
+                await session.rollback()
+                async with self._session() as session2:
+                    stmt2 = select(Credential).where(*_build_dedup_filter())
+                    existing2 = (await session2.execute(stmt2)).scalar_one_or_none()
+                    if existing2 is None:
+                        # Extremely unlikely (e.g. deleted between races); bail.
+                        raise
+                    existing2.attempt_count = (existing2.attempt_count or 1) + 1
+                    existing2.last_seen = now
+                    if payload.get("outcome") is not None:
+                        existing2.outcome = payload["outcome"]
+                    session2.add(existing2)
+                    await session2.commit()
+                    return existing2.id
            await session.refresh(row)
            return row.id  # type: ignore[return-value]