
security: fix audit findings (HMAC bypass, DoS, unauth APIs, hardening) #6

Merged: noisyloop merged 1 commit into main from claude/security-audit-AUXx6 on May 17, 2026


noisyloop (Owner) commented May 17, 2026

Summary

Fixes the issues found in a full security review of the codebase. 16 files changed; cargo check/test/clippy -D warnings/fmt --check and cargo metadata --locked all pass.

Critical

  • HMAC auth bypass (ioc_feed.rs) — removed the hardcoded glasswally_dev_key fallback that let anyone forge signed cross-provider IOC bundles (poisoning the shared trust channel → cross-provider suspension of innocent IPs/accounts). Keys must now be ≥32 bytes; signing/verify fail closed.

High

  • Unbounded-memory DoS (http_reconstruct.rs) — cap per-request buffer (1 MiB), connection map (8192), and Content-Length; drop stray continuations. A monitored client can no longer OOM the daemon by never completing a request.
  • Unauthenticated query API (grpc_api.rs) — optional constant-time shared-secret auth, 256-connection cap, read timeouts.
  • Metrics endpoint (otel.rs) — concurrent-connection cap + write timeout.
  • Over-privileged container (docker-compose.yml) — dropped privileged: true for the eBPF service in favour of the minimal capability set + no-new-privileges + memlock ulimit; all published ports bound to loopback.

Medium

  • --mode ebpf now hard-fails instead of silently tailing a file (was a false sense of security); real loader wired under the live-ebpf feature.
  • Defaults moved off world-writable /tmp; output dir forced to 0700 (CWE-377/CWE-59).
  • Fixed invalid compose CLI flags that prevented container startup; Grafana now requires GRAFANA_ADMIN_PASSWORD and disables anonymous access.
  • Truncated fingerprints/account-id widened 64→128-bit and cluster fan-out capped (512) to resist clustering/collision poisoning and algorithmic-complexity DoS.
  • Watermark detect() requires a larger sample + phase resync, reducing false positives and surviving desync.

Low

  • Fixed NaN-panic sorts, unaligned RawSslEvent read (read_unaligned), oversized JSONL line handling.
  • Removed unused (cryptographically broken) md5 dependency; added a cargo-audit RUSTSEC scan job to CI.

Test plan

  • cargo check -p glasswally -p xtask
  • cargo test -p glasswally
  • cargo clippy -p glasswally -- -D warnings
  • cargo fmt -p glasswally -- --check
  • cargo metadata --locked (Docker --locked build stays consistent after md5 removal)
  • Manual: run eBPF service with the new minimal capability set on a Linux 5.8+ host
  • Manual: confirm gateway integration with auth_token set on the query API

Addresses the issues from the security review:

Critical
- ioc_feed: remove hardcoded "glasswally_dev_key" HMAC fallback that
  allowed forging signed cross-provider IOC bundles; require >=32-byte
  keys and fail closed on verify.

High
- http_reconstruct: cap per-request buffer (1 MiB), connection map
  (8192) and Content-Length to stop unbounded-memory DoS from a
  monitored client that never completes a request.
- grpc_api: add optional constant-time shared-secret auth, a
  connection-concurrency cap, and read timeouts.
- otel: bound concurrent /metrics scrape connections + write timeout.
- docker-compose: drop `privileged: true` for the eBPF service in
  favour of the minimal capability set + no-new-privileges; bind all
  published ports to loopback.

Medium
- main: `--mode ebpf` now hard-fails instead of silently tailing a
  file (was a false sense of security); real loader wired under the
  live-ebpf feature.
- defaults moved off world-writable /tmp; output dir locked to 0700.
- docker-compose: fix invalid CLI flags that prevented startup;
  require GRAFANA_ADMIN_PASSWORD and disable anonymous access.
- widen truncated fingerprints/account-id to 128-bit and cap cluster
  fan-out to resist clustering/collision poisoning + algorithmic DoS.
- watermark detect: require larger sample + phase-resync, fewer FPs.

Low
- fix NaN-panic sorts, unaligned RawSslEvent read, oversized JSONL
  lines; remove unused (broken) md5 dep; add cargo-audit CI job.

noisyloop merged commit e53f674 into main on May 17, 2026
8 checks passed
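
The http_reconstruct.rs item in the summary names three limits (1 MiB per-request buffer, 8192-entry connection map, capped Content-Length) plus dropping stray continuations. The following std-only Rust sketch is an added illustration of how those limits interact, not code from this PR or from the glasswally codebase. The names `Reassembler`, `Outcome`, `feed` and `expected_len`, the `u64` connection id, the method list, and bounding the declared request size by the same 1 MiB are assumptions.

```rust
use std::collections::HashMap;

// Limits from the PR summary; bounding headers + Content-Length by the same 1 MiB is an assumption.
const MAX_REQUEST_BYTES: usize = 1 << 20;
const MAX_CONNECTIONS: usize = 8192;
const METHODS: [&[u8]; 5] = [b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE "];

#[derive(Debug, PartialEq)]
pub enum Outcome {
    Buffered,          // chunk stored, request still incomplete
    Complete(Vec<u8>), // request reassembled, per-connection state freed
    Dropped,           // chunk refused, per-connection state freed
}
#[derive(Default)]
pub struct Reassembler {
    conns: HashMap<u64, Vec<u8>>, // hypothetical connection id -> partial request
}

// Declared total length once the header block is complete; Err if invalid or over the cap.
fn expected_len(buf: &[u8]) -> Result<Option<usize>, ()> {
    let Some(end) = buf.windows(4).position(|w| w == b"\r\n\r\n") else { return Ok(None) };
    let mut body = 0usize;
    for line in String::from_utf8_lossy(&buf[..end]).lines() {
        let Some((k, v)) = line.split_once(':') else { continue };
        if k.eq_ignore_ascii_case("content-length") { body = v.trim().parse::<usize>().map_err(|_| ())?; }
    }
    (end + 4).checked_add(body).filter(|t| *t <= MAX_REQUEST_BYTES).map(Some).ok_or(())
}

impl Reassembler {
    pub fn feed(&mut self, conn: u64, chunk: &[u8]) -> Outcome {
        let held = self.conns.get(&conn).map(|b| b.len());
        let may_open = METHODS.iter().any(|m| chunk.starts_with(*m)) && self.conns.len() < MAX_CONNECTIONS;
        if held.is_none() && !may_open { return Outcome::Dropped; } // stray continuation or full map
        if held.unwrap_or(0) + chunk.len() > MAX_REQUEST_BYTES {
            self.conns.remove(&conn); // never-completing request: free it instead of growing
            return Outcome::Dropped;
        }
        let buf = self.conns.entry(conn).or_default();
        buf.extend_from_slice(chunk);
        match (buf.len(), expected_len(buf)) {
            (_, Err(())) => { self.conns.remove(&conn); Outcome::Dropped }
            (have, Ok(Some(need))) if have >= need => Outcome::Complete(self.conns.remove(&conn).unwrap()),
            _ => Outcome::Buffered,
        }
    }
}

fn main() { println!("{:?}", Reassembler::default().feed(1, b"GET / HTTP/1.1\r\n\r\n")); }
```

Each refusal path also releases whatever was buffered for that connection, so worst-case memory stays near the product of the two caps regardless of client behaviour.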