test: Add 4 and update 6 files
All checks were successful
Build-Test-Publish / build (linux/amd64) (push) Successful in 1m23s
Build-Test-Publish / build (linux/arm64) (push) Successful in 2m21s
Build-Test-Publish / create-manifest (push) Successful in 12s

Your Name
2025-08-10 23:31:41 +12:00
parent 22d4af7ac8
commit baa215e762
10 changed files with 978 additions and 23 deletions


@@ -59,19 +59,33 @@ This comprehensive security review analyzes the Simple Object Server C++23 appli
- `Permissions-Policy` - Disables unnecessary browser features
- Note: HSTS header commented out by default (requires HTTPS configuration)
### 5. **Insufficient Input Validation**
- **Location**: Multiple endpoints (put_handler.cpp, update_handler.cpp)
- **Risk**: HIGH - Limited validation of input data
- **Issues**:
- No maximum length validation for label:tag pairs
- Limited JSON schema validation for metadata
- No sanitization of special characters in labels/tags
- File names from uploads used without proper sanitization
- **Recommendation**:
- Implement comprehensive input validation schemas
- Add length limits for all string inputs (e.g., max 255 chars for labels)
- Validate against allowed character sets (alphanumeric + limited special chars)
- Sanitize all user inputs before processing
### 5. **~~Insufficient Input Validation~~ [FIXED]**
- **Location**: Multiple endpoints (put_handler.cpp, update_handler.cpp, server.cpp)
- **Risk**: ~~HIGH~~ RESOLVED - Comprehensive input validation now implemented
- **Fix Implemented**:
- Created `validation.hpp/cpp` with InputValidator class
- Validates all user inputs with strict rules (no sanitization/repair):
- **Label:tag validation**:
- Max 255 chars each component
- Must start with alphanumeric
- Only allows alphanumeric, dash, underscore, dot
- Enforces single colon separator
- Prevents duplicates, limits to 100 per object
- **Metadata validation**:
- Max 1MB total size
- Field names must start with letter/underscore
- Field values max 4096 chars
- Max nesting depth of 5 levels
- Arrays limited to 1000 elements
- **Filename validation**:
- Max 255 chars
- Blocks directory traversal attempts
- Rejects null bytes and control characters
- Blocks Windows reserved names
- **Hash validation**:
- Must be exactly 64 hex chars (SHA-256)
- Integrated validation in all endpoints that accept user input
- Created comprehensive test suite (`test_input_validation.sh`)
## Medium-Risk Issues
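Review bot: In the "Filename validation" bullets, "Blocks directory traversal attempts" and "Blocks Windows reserved names" do not say what is actually rejected, unlike the label:tag rules, which spell out the allowed character set. State the rule itself (for example whether any `/` or `\` is refused or only `..` components, and whether the reserved-name check is case-insensitive and covers names with an extension), and say whether "Max 255 chars" counts bytes or characters, so the document can be checked against `validation.hpp/cpp` and `test_input_validation.sh`. The rewrite also drops the original "Issues" list; keeping it under the struck-through heading would preserve the record of what was found and then fixed.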