anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): close MEDIUM ASVS findings — JWT pinning, SSE tickets, SSRF, mTLS pin, rate limits + correctness bugs

Browse Source 
Auth (V2.1.1/V3.1.2, V2.1.3, V3.1.1):
- Pin JWT iss/aud/typ at mint and require+verify them at decode; revocation
  (jti denylist + tokens_valid_from) still enforced.
- Change-password now requires min_length=12.
- SSE auth moves off JWT-in-URL to a single-use 60s opaque ticket
  (POST /auth/sse-ticket); raw JWT in query no longer authenticates a stream.
  Removed dead fail-open get_stream_user helper.

Egress (V5.1.1, V9.1.1/V14.1.3):
- Webhook delivery + CRUD reject SSRF destinations (private/loopback/link-local/
  metadata, IPv4-mapped, multi-A-record) via resolved-IP validation, pin to the
  vetted IP, and never auto-follow redirects. Opt-out via DECNET_WEBHOOK_ALLOW_PRIVATE.
- UpdaterClient pins the worker leaf cert SHA-256 against the stored per-host
  fingerprint (fail closed on missing/mismatch); DECNET_VERIFY_HOSTNAME now
  defaults True.

Hardening (V13.1.3, V4.1.4, V13.1.2):
- Rate-limit change-password (5/min), enroll-bundle (10/min), webhook-create
  (20/min), host-delete (20/min) via the existing slowapi limiter.
- Correct false 'global auth middleware' comment; document enroll-bundle proxy
  trust.

Correctness (BUG-7..11):
- BUG-7 unbound bus in finally; BUG-8 apply_ceiling clamps to min(base,ceiling);
  BUG-9 commit before emit; BUG-10 multi-actor rearm for sub-threshold identities;
  BUG-11 normalize naive timestamps to UTC.

Already-closed (no change): V14.1.1, V2.1.2/V3.1.3, V5.1.2. Tests added for
every fix; unanimous adversarial review.
This commit is contained in:
anti
2026-06-10 12:32:15 -04:00
parent 6a8af315fb
commit d80e6aa6d1
37 changed files with 1414 additions and 121 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
decnet/env.py
View File

@@ -204,13 +204,26 @@ _cors_raw: str = os.environ.get("DECNET_CORS_ORIGINS", _cors_default)
DECNET_CORS_ORIGINS: list[str] = [o.strip() for o in _cors_raw.split(",") if o.strip()]
# Master→worker mTLS hostname verification. Off by default because legacy
# enrollments were issued certs with operator-supplied SAN lists that may
# not match the URL the master uses to connect; set to "true" on a fresh
# production deploy where you control enrollment to get TLS hostname checks
# on top of CA + fingerprint pinning.
# Master→worker mTLS hostname verification. ON by default — the worker's
# cert SAN must match the address the master connects to, on top of CA +
# SHA-256 fingerprint pinning. Operators with legacy enrollments whose
# operator-supplied SAN lists don't match the connect URL can opt OUT
# explicitly with DECNET_VERIFY_HOSTNAME=false, but that is a downgrade:
# it drops SAN binding and leans entirely on CA + per-host pinning.
DECNET_VERIFY_HOSTNAME: bool = (
os.environ.get("DECNET_VERIFY_HOSTNAME", "false").lower() == "true"
os.environ.get("DECNET_VERIFY_HOSTNAME", "true").lower() == "true"
)
# Webhook egress SSRF guard. By default DECNET refuses to deliver a webhook
# to a private (RFC1918), loopback, link-local (incl. 169.254.169.254 cloud
# metadata), unspecified, reserved, or multicast destination, and rejects
# such URLs at registration time. Operators who genuinely need to target an
# internal receiver (e.g. an on-box SIEM) opt IN explicitly by setting
# DECNET_WEBHOOK_ALLOW_PRIVATE=true. Fails closed: anything other than the
# literal "true" leaves the guard fully enabled.
DECNET_WEBHOOK_ALLOW_PRIVATE: bool = (
os.environ.get("DECNET_WEBHOOK_ALLOW_PRIVATE", "false").lower() == "true"
)