CalvinBackup/Shadowbroker
1
0
Fork 0
mirror of https://github.com/BigBodyCobain/Shadowbroker.git synced 2026-05-27 17:42:29 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
87ba70acd6ea0770ba446b0766f7970172e9e107
Shadowbroker/backend/tests/test_sentinel_token_cache.py
T
Shadowbroker d00c63abed [security] Close tg12 audit gaps #192, #198, #199, #200 (#260) 
External security audit by @tg12 (May 17, 2026) filed 11 issues against
the backend. PR #227 (May 18, AI-generated) closed seven of them by
adding require_local_operator to control-plane endpoints. Four remained
live; this PR closes the rest.

  #192 — CCTV proxy followed redirects without re-validating host

  Issue: /api/cctv/media validated only the caller-supplied URL host
  before passing it to requests.get(..., allow_redirects=True). A 302
  to http://127.0.0.1 or any internal/disallowed host was silently
  followed, turning the proxy into an open-redirect-to-SSRF chain.

  Fix in routers/cctv.py: replace the single allow_redirects=True call
  with a manual follow loop. Each hop's Location is parsed, the host is
  rerun through _cctv_host_allowed(), and non-HTTP schemes (file://,
  ftp://, etc.) are rejected. Cap chain length at 5 hops.

  Test: backend/tests/test_cctv_redirect_ssrf.py covers
    - redirect to disallowed host -> 502
    - redirect to localhost -> 502
    - redirect to another allowed host -> 200
    - redirect chain length cap
    - non-HTTP scheme rejected

  #198 — Gate introspection GETs were unauthenticated

  Issue: /api/wormhole/gate/{gate_id}/{identity,personas,key} were
  callable with no auth dependency. Any caller that could reach the
  backend could dump the operator's active persona, persona inventory,
  and key status for any gate_id they knew. The wiki's privacy threat
  model explicitly markets gate personas as rotating, unlinkable
  pseudonyms — this leak defeated that property.

  Fix in routers/wormhole.py: add
  dependencies=[Depends(require_local_operator)] to all three routes.

  Test: backend/tests/test_control_surface_auth.py extended with
  three new parameterized cases (lines 75-77).

  #199 — GDELT military incident ingestion used plaintext HTTP

  Issue: backend/services/geopolitics.py fetched
  http://data.gdeltproject.org/gdeltv2/lastupdate.txt and ~48 export
  archive URLs over plaintext HTTP. Passive observers could identify
  Shadowbroker nodes from the fetch pattern. Active MITM could inject
  doctored military incident records into the global map.

  Fix in services/geopolitics.py: rewrite the lastupdate.txt fetch and
  the export download URL constructor to use https://. GDELT's
  data.gdeltproject.org serves the same content over HTTPS.

  Test: backend/tests/test_gdelt_https.py asserts no plaintext HTTP
  URLs to data.gdeltproject.org remain in code (comments excluded) and
  that the HTTPS URLs we expect are present.

  #200 — Sentinel token cache lookup used client_id only

  Issue: routers/tools.py kept a process-global cache of Copernicus
  bearer tokens. The lookup compared
  _sh_token_cache["client_id"] == client_id. A caller who knew a valid
  client_id but supplied any wrong client_secret hit the cache and
  reused the legitimate caller's bearer token — burning their quota
  and accessing imagery on their account.

  Fix in routers/tools.py: replace the client_id field with
  credential_fp, an HMAC-SHA256 over (client_id, client_secret) under
  a per-process random key (_SH_TOKEN_CACHE_HMAC_KEY = os.urandom(32),
  regenerated at startup). A caller who doesn't know the secret cannot
  compute a matching fingerprint, so they miss the cache and hit the
  real Copernicus token endpoint — which will reject their wrong
  secret with a 401.

  Test: backend/tests/test_sentinel_token_cache.py covers
    - same client_id + different secrets => different fingerprints
    - same credentials => same fingerprint (cache still works)
    - different client_ids + same secret => different fingerprints
    - cache no longer stores raw client_id (catches regression)
    - attacker with wrong secret cannot reuse victim's token

Validation
  pytest backend/tests/test_control_surface_auth.py
         backend/tests/test_cctv_redirect_ssrf.py
         backend/tests/test_gdelt_https.py
         backend/tests/test_sentinel_token_cache.py
  -> 37 passed

Credit: @tg12 reported all four of these in their May 17 audit with
correct line-number citations and accurate remediation recommendations.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-20 14:45:11 -06:00

60 lines
2.5 KiB
Python
Raw Blame History

"""Issue #200 (tg12): Sentinel token cache must require knowledge of the
client secret to hit, not just client_id.
Before this fix, the cache lookup was ``_sh_token_cache["client_id"] ==
client_id``. A caller who knew a valid client_id but supplied any secret
would hit the cache and reuse the original caller's bearer token, burning
their Copernicus quota and accessing imagery on their account.
After the fix, the cache key is an HMAC of ``(client_id, client_secret)``
under a per-process random key, so two callers with the same client_id but
different secrets compute different fingerprints and miss each other's
cache entries.
"""
from routers.tools import _credential_fingerprint, _sh_token_cache
def test_same_client_id_different_secrets_yield_different_fingerprints():
fp_a = _credential_fingerprint("client-id-X", "secret-A")
fp_b = _credential_fingerprint("client-id-X", "secret-B")
assert fp_a != fp_b
def test_same_credentials_yield_same_fingerprint():
"""The cache is still useful — same caller hits its own entry."""
fp1 = _credential_fingerprint("client-id-X", "secret-A")
fp2 = _credential_fingerprint("client-id-X", "secret-A")
assert fp1 == fp2
def test_different_client_ids_yield_different_fingerprints():
fp_a = _credential_fingerprint("client-id-A", "shared-secret")
fp_b = _credential_fingerprint("client-id-B", "shared-secret")
assert fp_a != fp_b
def test_cache_lookup_key_field_renamed():
"""Catch accidental reintroduction of the client_id-only lookup."""
# If a future commit re-adds `_sh_token_cache["client_id"]` we want this
# test to fail loudly. The new schema only stores `credential_fp`.
assert "client_id" not in _sh_token_cache
assert "credential_fp" in _sh_token_cache
def test_attacker_with_wrong_secret_misses_cache(monkeypatch):
"""An attacker with valid client_id but wrong secret cannot hit the cache."""
# Populate cache as if a legitimate caller just succeeded.
legit_fp = _credential_fingerprint("legit-client", "legit-secret")
_sh_token_cache["token"] = "VICTIM-BEARER-TOKEN"
_sh_token_cache["credential_fp"] = legit_fp
_sh_token_cache["expiry"] = 10**12 # far future
# Attacker arrives with the same client_id but the wrong secret.
attacker_fp = _credential_fingerprint("legit-client", "wrong-secret")
assert attacker_fp != legit_fp
# Reset cache for hygiene between tests.
_sh_token_cache["token"] = None
_sh_token_cache["credential_fp"] = ""
_sh_token_cache["expiry"] = 0
Reference in New Issue View Git Blame Copy Permalink