XF/GIA
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Harden security

Browse Source
This commit is contained in:
Mark Veidemanis
2026-03-05 05:42:19 +00:00
parent 06735bdfb1
commit 438e561da0
75 changed files with 6260 additions and 278 deletions
Download Patch File Download Diff File Expand all files Collapse all files

410
artifacts/audits/3-second-pass-fix.json Normal file
View File

@@ -0,0 +1,410 @@
{
"score": 74,
"grade": "C",
"gradeLabel": "Fix before shipping",
"totalFindings": 10,
"totalDepVulns": 0,
"categories": {
"secrets": {
"label": "Secrets",
"findingCount": 0,
"deduction": 0,
"counts": {
"critical": 0,
"high": 0,
"medium": 0,
"low": 0
}
},
"injection": {
"label": "Code Vulnerabilities",
"findingCount": 0,
"deduction": 0,
"counts": {
"critical": 0,
"high": 0,
"medium": 0,
"low": 0
}
},
"deps": {
"label": "Dependencies",
"findingCount": 0,
"deduction": 0,
"counts": {
"critical": 0,
"high": 0,
"medium": 0,
"low": 0
}
},
"auth": {
"label": "Auth & Access Control",
"findingCount": 0,
"deduction": 0,
"counts": {
"critical": 0,
"high": 0,
"medium": 0,
"low": 0
}
},
"config": {
"label": "Configuration",
"findingCount": 1,
"deduction": 8,
"counts": {
"critical": 0,
"high": 1,
"medium": 0,
"low": 0
}
},
"supply-chain": {
"label": "Supply Chain",
"findingCount": 0,
"deduction": 0,
"counts": {
"critical": 0,
"high": 0,
"medium": 0,
"low": 0
}
},
"api": {
"label": "API Security",
"findingCount": 1,
"deduction": 8,
"counts": {
"critical": 0,
"high": 1,
"medium": 0,
"low": 0
}
},
"llm": {
"label": "AI/LLM Security",
"findingCount": 8,
"deduction": 10,
"counts": {
"critical": 0,
"high": 0,
"medium": 8,
"low": 0
}
}
},
"findings": [
{
"file": "/code/xf/GIA/Dockerfile",
"line": 26,
"severity": "high",
"category": "config",
"rule": "DOCKER_RUN_AS_ROOT",
"title": "Docker: Running as Root",
"description": "No USER instruction found. Container runs as root by default.",
"fix": "Add USER nonroot before CMD/ENTRYPOINT",
"cwe": "CWE-250",
"owasp": "A05:2021"
},
{
"file": "/code/xf/GIA/core/security/attachments.py",
"line": 113,
"severity": "high",
"category": "api",
"rule": "API_UPLOAD_NO_TYPE_CHECK",
"title": "API: File Upload Without Type Validation",
"description": "File upload using original filename without type validation.",
"fix": "Validate file extension and MIME type. Generate random filenames for storage.",
"cwe": "CWE-434",
"owasp": "A04:2021"
},
{
"file": "/code/xf/GIA/core/views/osint.py",
"line": 775,
"severity": "medium",
"category": "llm",
"rule": "LLM_RAG_NO_VALIDATION",
"title": "RAG Pipeline Without Input Validation",
"description": "User input passed directly to vector search/embedding without validation.",
"fix": "Validate and sanitize input before embedding. Limit query length.",
"cwe": "CWE-20",
"owasp": "LLM08"
},
{
"file": "/code/xf/GIA/core/views/osint.py",
"line": 781,
"severity": "medium",
"category": "llm",
"rule": "LLM_RAG_NO_VALIDATION",
"title": "RAG Pipeline Without Input Validation",
"description": "User input passed directly to vector search/embedding without validation.",
"fix": "Validate and sanitize input before embedding. Limit query length.",
"cwe": "CWE-20",
"owasp": "LLM08"
},
{
"file": "/code/xf/GIA/core/views/osint.py",
"line": 795,
"severity": "medium",
"category": "llm",
"rule": "LLM_RAG_NO_VALIDATION",
"title": "RAG Pipeline Without Input Validation",
"description": "User input passed directly to vector search/embedding without validation.",
"fix": "Validate and sanitize input before embedding. Limit query length.",
"cwe": "CWE-20",
"owasp": "LLM08"
},
{
"file": "/code/xf/GIA/core/views/osint.py",
"line": 1418,
"severity": "medium",
"category": "llm",
"rule": "LLM_RAG_NO_VALIDATION",
"title": "RAG Pipeline Without Input Validation",
"description": "User input passed directly to vector search/embedding without validation.",
"fix": "Validate and sanitize input before embedding. Limit query length.",
"cwe": "CWE-20",
"owasp": "LLM08"
},
{
"file": "/code/xf/GIA/core/views/osint.py",
"line": 1424,
"severity": "medium",
"category": "llm",
"rule": "LLM_RAG_NO_VALIDATION",
"title": "RAG Pipeline Without Input Validation",
"description": "User input passed directly to vector search/embedding without validation.",
"fix": "Validate and sanitize input before embedding. Limit query length.",
"cwe": "CWE-20",
"owasp": "LLM08"
},
{
"file": "/code/xf/GIA/core/views/osint.py",
"line": 1438,
"severity": "medium",
"category": "llm",
"rule": "LLM_RAG_NO_VALIDATION",
"title": "RAG Pipeline Without Input Validation",
"description": "User input passed directly to vector search/embedding without validation.",
"fix": "Validate and sanitize input before embedding. Limit query length.",
"cwe": "CWE-20",
"owasp": "LLM08"
},
{
"file": "/code/xf/GIA/core/views/signal.py",
"line": 202,
"severity": "medium",
"category": "llm",
"rule": "LLM_NO_OUTPUT_FILTER",
"title": "LLM Output Without Filtering",
"description": "LLM output used directly without filtering. May contain sensitive info or hallucinations.",
"fix": "Filter LLM output before displaying: remove PII, validate against expected format",
"cwe": "CWE-200",
"owasp": "LLM02"
},
{
"file": "/code/xf/GIA/core/views/signal.py",
"line": 211,
"severity": "medium",
"category": "llm",
"rule": "LLM_NO_OUTPUT_FILTER",
"title": "LLM Output Without Filtering",
"description": "LLM output used directly without filtering. May contain sensitive info or hallucinations.",
"fix": "Filter LLM output before displaying: remove PII, validate against expected format",
"cwe": "CWE-200",
"owasp": "LLM02"
}
],
"depVulns": [],
"remediationPlan": [
{
"priority": 1,
"severity": "high",
"category": "config",
"categoryLabel": "CONFIGURATION",
"title": "Docker: Running as Root",
"file": "Dockerfile:26",
"action": "Add USER nonroot before CMD/ENTRYPOINT",
"effort": "low"
},
{
"priority": 2,
"severity": "high",
"category": "api",
"categoryLabel": "API SECURITY",
"title": "API: File Upload Without Type Validation",
"file": "core/security/attachments.py:113",
"action": "Validate file extension and MIME type. Generate random filenames for storage.",
"effort": "medium"
},
{
"priority": 3,
"severity": "medium",
"category": "llm",
"categoryLabel": "AI/LLM SECURITY",
"title": "RAG Pipeline Without Input Validation",
"file": "core/views/osint.py:775",
"action": "Validate and sanitize input before embedding. Limit query length.",
"effort": "high"
},
{
"priority": 4,
"severity": "medium",
"category": "llm",
"categoryLabel": "AI/LLM SECURITY",
"title": "RAG Pipeline Without Input Validation",
"file": "core/views/osint.py:781",
"action": "Validate and sanitize input before embedding. Limit query length.",
"effort": "high"
},
{
"priority": 5,
"severity": "medium",
"category": "llm",
"categoryLabel": "AI/LLM SECURITY",
"title": "RAG Pipeline Without Input Validation",
"file": "core/views/osint.py:795",
"action": "Validate and sanitize input before embedding. Limit query length.",
"effort": "high"
},
{
"priority": 6,
"severity": "medium",
"category": "llm",
"categoryLabel": "AI/LLM SECURITY",
"title": "RAG Pipeline Without Input Validation",
"file": "core/views/osint.py:1418",
"action": "Validate and sanitize input before embedding. Limit query length.",
"effort": "high"
},
{
"priority": 7,
"severity": "medium",
"category": "llm",
"categoryLabel": "AI/LLM SECURITY",
"title": "RAG Pipeline Without Input Validation",
"file": "core/views/osint.py:1424",
"action": "Validate and sanitize input before embedding. Limit query length.",
"effort": "high"
},
{
"priority": 8,
"severity": "medium",
"category": "llm",
"categoryLabel": "AI/LLM SECURITY",
"title": "RAG Pipeline Without Input Validation",
"file": "core/views/osint.py:1438",
"action": "Validate and sanitize input before embedding. Limit query length.",
"effort": "high"
},
{
"priority": 9,
"severity": "medium",
"category": "llm",
"categoryLabel": "AI/LLM SECURITY",
"title": "LLM Output Without Filtering",
"file": "core/views/signal.py:202",
"action": "Filter LLM output before displaying: remove PII, validate against expected format",
"effort": "high"
},
{
"priority": 10,
"severity": "medium",
"category": "llm",
"categoryLabel": "AI/LLM SECURITY",
"title": "LLM Output Without Filtering",
"file": "core/views/signal.py:211",
"action": "Filter LLM output before displaying: remove PII, validate against expected format",
"effort": "high"
}
],
"recon": {
"frameworks": [
"django"
],
"languages": [
"python"
],
"apiRoutes": [
"app/urls.py",
"core/management/commands/backfill_xmpp_attachment_urls.py"
],
"authPatterns": [],
"databases": [],
"cloudProviders": [],
"frontendExposure": [],
"packageManagers": [
"pip"
],
"cicd": [],
"hasDockerfile": true,
"hasTerraform": false,
"hasKubernetes": false,
"envFiles": [],
"configFiles": []
},
"agents": [
{
"agent": "InjectionTester",
"category": "injection",
"findingCount": 0,
"success": true
},
{
"agent": "AuthBypassAgent",
"category": "auth",
"findingCount": 0,
"success": true
},
{
"agent": "SSRFProber",
"category": "ssrf",
"findingCount": 0,
"success": true
},
{
"agent": "SupplyChainAudit",
"category": "supply-chain",
"findingCount": 0,
"success": true
},
{
"agent": "ConfigAuditor",
"category": "config",
"findingCount": 1,
"success": true
},
{
"agent": "LLMRedTeam",
"category": "llm",
"findingCount": 8,
"success": true
},
{
"agent": "MobileScanner",
"category": "mobile",
"findingCount": 0,
"success": true
},
{
"agent": "GitHistoryScanner",
"category": "history",
"findingCount": 0,
"success": true
},
{
"agent": "CICDScanner",
"category": "cicd",
"findingCount": 0,
"success": true
},
{
"agent": "APIFuzzer",
"category": "api",
"findingCount": 1,
"success": true
}
]
}