Skip to content

Security and Bug Fixes#104

Merged
asdek merged 3 commits intovxcontrol:masterfrom
mrigankad:fix/security-and-bugs
Feb 21, 2026
Merged

Security and Bug Fixes#104
asdek merged 3 commits intovxcontrol:masterfrom
mrigankad:fix/security-and-bugs

Conversation

@mrigankad
Copy link
Copy Markdown
Contributor

@mrigankad mrigankad commented Feb 20, 2026

PR Summary: 🔒 Security Hardening and Critical Bug Fixes

Overview

This PR addresses several security vulnerabilities and critical bugs identified in the authentication service, session management, and external tool integrations. The fixes range from preventing DoS attacks to correcting broken access control logic (ACL).

Key Changes

🛡️ Security Fixes

  • Issue 8: DoS Prevention in parseState()
    • Added a strict length check for stateJSON before attempting to slice the signature. This prevents a runtime panic when processing malformed or intentionally short input.
  • Issue 5: CSRF Protection in OAuth Callbacks
    • Updated AuthLoginGetCallback to validate the state parameter against the stored session cookie, closing a CSRF gap in the GET handler.
  • Issue 7: Cookie Security
    • Enforced SameSite=Lax for all session and callback cookies to mitigate CSRF risks.
  • Issue 1: Password Policy Enforcement
    • Added server-side validation to block login if a user has PasswordChangeRequired set to true, ensuring the policy is enforced before any session is granted.

🛠️ Critical Bug Fixes

  • Issue 11: Broken ACL Correction
    • Removed trailing typos (single quotes) in all 7 privilege strings (e.g., "users.view'""users.view"). These typos previously caused all permission checks to fail silently.
  • Issue 6: Session Expiry Enforcement
    • Updated the authentication middleware to verify the exp claim. Sessions are now correctly invalidated as soon as they expire, even outside the /info route.
  • Issue 9: HTTP Client Timeout
    • Added a 30-second timeout to the browser tool's scraper client to prevent indefinite hangs that could lead to resource exhaustion.

Impact

  • Security: Strengthened mitigation against DoS, CSRF, and unauthorized access.
  • Stability: Fixed a panic in auth state parsing and prevented hung processes in the browser tool.
  • Reliability: Restored functional RBAC/ACL checks which were broken due to string constants.

Checklist

  • Malformed short input for state does not cause panic.
  • CSRF state is validated for both GET and POST callbacks.
  • Cookies include the SameSite attribute.
  • Privilege strings match the database entries exactly.
  • Expired session cookies return HTTP 403.
  • Browser tool requests timeout correctly.

@mrigankad
Security and Bug Fixes
8c1f5e7 
Fixes Applied:

Issue 8 — parseState() panic (DoS)
- backend/pkg/server/services/auth.go:614-622 — moved the len(stateJSON) <= signatureLen bounds check before the slice stateJSON[:signatureLen], eliminating the panic on malformed short input.

Issue 11 — Authorization string typos (broken ACL)
- backend/pkg/server/services/users.go — removed trailing ' from all 7 privilege strings ("users.view'" → "users.view", and same for create, edit, delete). These typos caused every privilege check to silently fail.
- backend/pkg/server/services/roles.go — same fix for "roles.view'".

Issue 5 — OAuth GET callback missing state validation (CSRF)
- backend/pkg/server/services/auth.go:327-332 — AuthLoginGetCallback now validates the state query param against the session cookie value, matching the POST handler's behavior.

Issue 6 — Session expiry not enforced in middleware
- backend/pkg/server/auth/auth_middleware.go:102-109 — tryUserCookieAuthentication now checks time.Now().Unix() > exp and returns authResultFail for expired sessions, not just the /info route.

Issue 7 — Missing SameSite cookie attribute
- backend/pkg/server/services/auth.go — added SameSite: http.SameSiteLaxMode to all four sessions.Options{} blocks and the http.Cookie in setCallbackCookie.

Issue 1 (partial) — password_change_required not enforced server-side
- backend/pkg/server/response/errors.go — added ErrAuthPasswordChangeRequired (HTTP 403).
- backend/pkg/server/services/auth.go:125-129 — AuthLogin now returns 403 when user.PasswordChangeRequired == true, blocking login until the password is changed.

Issue 9 — Browser tool HTTP client has no timeout
- backend/pkg/tools/browser.go:425-428 — added Timeout: 30 * time.Second to the http.Client in callScraper, preventing indefinite hangs.
asdek
asdek requested changes Feb 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@asdek asdek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you for this PR but there are some cases to fix from your side to accept it

asdek
asdek approved these changes Feb 21, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@asdek asdek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
tnx!

@asdek asdek merged commit 77ab518 into vxcontrol:master Feb 21, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@asdek asdek asdek approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mrigankad @asdek