diff --git a/TASKS.md b/TASKS.md deleted file mode 100644 index a1a1492..0000000 --- a/TASKS.md +++ /dev/null 
@@ -1,73 +0,0 @@ -# Security Audit Tasks - -Audit date: 2026-02-08 -Scope: `Program.cs`, `Endpoints/*`, `Infrastructure/*`, `wwwroot/js/*`, deployment docs/config - -## Critical - -- None identified in this pass. - -## High - -- [x] Fix stored XSS in confirmation modal flows. - Evidence: `wwwroot/js/modals-ui.js:41`, `wwwroot/js/modals-ui.js:43`, `wwwroot/js/modals-ui.js:47`, `wwwroot/js/suggestions-ui.js:481`, `wwwroot/js/data.js:44`, `wwwroot/js/data.js:57`, `wwwroot/js/admin-ui.js:48`. - Risk: user-controlled names are injected into HTML and can execute script in other users' sessions (including admin interactions). - Tasks: - 1. Remove dynamic `innerHTML` for confirm modal title/body and render untrusted text with `textContent`. - 2. Stop interpolating untrusted values into HTML attributes (for example `data-name`); assign with DOM APIs. - 3. Add regression coverage for XSS payloads in suggestion names and player names. - -## Medium - -- [x] Add request-throttling and brute-force protection for authentication/admin-sensitive routes. - Evidence: `Endpoints/AuthEndpoints.cs:16`, `Endpoints/AuthEndpoints.cs:62`, `Program.cs:49`, `Program.cs:64` (no `AddRateLimiter` / `UseRateLimiter` configured). - Risk: password guessing and admin-key guessing are not rate-limited. - Tasks: - 1. Configure ASP.NET Core rate limiting policies for `/api/auth/*` and privileged admin routes. - 2. Add lockout/backoff telemetry and alerts for repeated failed auth attempts. - -- [x] Harden screenshot URL validation against SSRF bypass techniques. - Evidence: `Endpoints/SuggestionValidator.cs:13`, `Endpoints/EndpointHelpers.cs:143`, `Endpoints/EndpointHelpers.cs:233`, `Endpoints/EndpointHelpers.cs:262`. - Risk: DNS rebinding and incomplete private/reserved IP filtering can allow internal network probing via server-side HTTP fetches. - Tasks: - 1. Expand blocked address ranges (IPv4 reserved ranges, IPv6 ULA `fc00::/7`, etc.). - 2. 
Ensure the request is pinned to validated IPs (or use a safe egress proxy/allowlist). - 3. Add tests for loopback/private/reserved host bypass attempts. - -- [x] Add baseline HTTP security headers and enforce HTTPS policy. - Evidence: `Program.cs:68`, `Program.cs:77`, `Program.cs:90` (no app-level CSP/HSTS/`X-Content-Type-Options`/`X-Frame-Options`/`Referrer-Policy` middleware). - Risk: weaker browser-side mitigation for XSS/clickjacking/content-type sniffing and transport downgrade mistakes. - Tasks: - 1. Add explicit security headers in app middleware or IIS config. - 2. Enable HSTS in production and verify HTTPS redirection/termination settings. - 3. Add deployment checklist validation in `IIS.md`. - -- [x] Restrict accepted host headers. - Evidence: `appsettings.json:8`. - Risk: wildcard `AllowedHosts` can increase exposure to host-header abuse patterns. - Tasks: - 1. Replace `AllowedHosts: "*"` with explicit production hostnames. - 2. Add environment-specific config guidance for IIS deployments. - -## Low - -- [x] Strengthen credential policy and password hashing parameters. - Evidence: `Endpoints/AuthValidator.cs:24`, `Infrastructure/PasswordHasher.cs:9`. - Risk: weak user-selected passwords remain possible; PBKDF2 cost may become insufficient over time. - Tasks: - 1. Enforce minimum password length/quality checks. - 2. Review and periodically raise PBKDF2 iteration cost (or migrate to a stronger password hashing scheme). - -- [x] Reassess long-lived session defaults. - Evidence: `Program.cs:56`. - Risk: 30-day sliding cookie increases exposure window for stolen session cookies. - Tasks: - 1. Reduce expiration window for privileged sessions or apply step-up auth for destructive admin actions. - 2. Consider explicit idle timeout + absolute lifetime policy. - -- [x] Reevaluate permanent bootstrap-admin key behavior. - Evidence: `Endpoints/AuthEndpoints.cs:26`, `Endpoints/AuthEndpoints.cs:30`, `Endpoints/AuthEndpoints.cs:34`. 
- Risk: a leaked `ADMIN_PASSWORD` can be reused indefinitely to create new admin accounts. - Tasks: - 1. Limit bootstrap-admin creation to first-run or an explicit admin-only operation. - 2. Add audit logs for admin account creation attempts and successes.
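Review bot: Deleting TASKS.md outright in this hunk discards the audit's evidence trail (the `file:line` references under each item, for example `wwwroot/js/modals-ui.js:41`, `Endpoints/EndpointHelpers.cs:143`, `appsettings.json:8`) together with the follow-up work that is recurring rather than one-off, such as "Review and periodically raise PBKDF2 iteration cost" and "Consider explicit idle timeout + absolute lifetime policy", which a `[x]` on the parent item does not actually close. Suggest either moving the file to an audit-history location (a docs/ or security/ directory) or recording in the commit message, or a CHANGELOG/SECURITY note, which commit closed each `[x]` item, so that the regression-test tasks (XSS payloads in suggestion and player names, loopback/private/reserved SSRF bypass tests) and the deployment items ("Add deployment checklist validation in `IIS.md`", replacing `AllowedHosts: "*"`) stay verifiable for the next audit pass; the 2026-02-08 date and "Critical: None identified in this pass" are also worth keeping as the baseline that the next audit compares against.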