Implement comprehensive zero-trust security for BZZZ deployment system

SECURITY ENHANCEMENTS: - Created pkg/security module with comprehensive input validation - Zero-trust validation for all SSH parameters (IP, username, password, keys) - Command injection prevention with sanitization and validation - Buffer overflow protection with strict length limits - Authentication method validation (SSH keys + passwords) - System detection and compatibility validation - Detailed error messages for security failures ATTACK VECTORS ELIMINATED: - SSH command injection via IP/username/password fields - System command injection through shell metacharacters - Buffer overflow attacks via oversized inputs - Directory traversal and path injection - Environment variable expansion attacks - Quote breaking and shell escaping DEPLOYMENT IMPROVEMENTS: - Atomic deployment with step-by-step verification - Comprehensive error reporting and rollback procedures - System compatibility detection (OS, service manager, architecture) - Flexible SSH authentication (keys + passwords) - Real-time deployment progress with full command outputs TESTING: - 25+ attack scenarios tested and blocked - Comprehensive test suite for all validation functions - Malicious input detection and prevention verified This implements defense-in-depth security for the "install-once replicate-many" deployment strategy, ensuring customer systems cannot be compromised through injection attacks during automated deployment. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-30 22:13:49 +10:00
parent ec81dc9ddc
commit 7c00e53a7f
5 changed files with 1559 additions and 81 deletions
--- a/pkg/security/validation.go
+++ b/pkg/security/validation.go
@@ -0,0 +1,369 @@
+package security
+
+import (
+	"fmt"
+	"net"
+	"regexp"
+	"strconv"
+	"strings"
+	"unicode"
+)
+
+// ValidationError represents a security validation error
+type ValidationError struct {
+	Field   string
+	Message string
+}
+
+func (e ValidationError) Error() string {
+	return fmt.Sprintf("%s: %s", e.Field, e.Message)
+}
+
+// SecurityValidator provides zero-trust input validation
+type SecurityValidator struct {
+	maxStringLength int
+	maxIPLength     int
+	maxUsernameLength int
+	maxPasswordLength int
+}
+
+// NewSecurityValidator creates a new validator with safe defaults
+func NewSecurityValidator() *SecurityValidator {
+	return &SecurityValidator{
+		maxStringLength:   1024,  // Maximum string length
+		maxIPLength:       45,    // IPv6 max length
+		maxUsernameLength: 32,    // Standard Unix username limit
+		maxPasswordLength: 128,   // Reasonable password limit
+	}
+}
+
+// ValidateIP validates IP addresses with zero-trust approach
+func (v *SecurityValidator) ValidateIP(ip string) error {
+	if ip == "" {
+		return ValidationError{"ip", "IP address is required"}
+	}
+	
+	if len(ip) > v.maxIPLength {
+		return ValidationError{"ip", "IP address too long"}
+	}
+	
+	// Check for dangerous characters that could be used in command injection
+	if containsUnsafeChars(ip, []rune{'`', '$', '(', ')', ';', '&', '|', '<', '>', '\n', '\r'}) {
+		return ValidationError{"ip", "IP address contains invalid characters"}
+	}
+	
+	// Validate IP format
+	if net.ParseIP(ip) == nil {
+		return ValidationError{"ip", "Invalid IP address format"}
+	}
+	
+	return nil
+}
+
+// ValidateUsername validates SSH usernames
+func (v *SecurityValidator) ValidateUsername(username string) error {
+	if username == "" {
+		return ValidationError{"username", "Username is required"}
+	}
+	
+	if len(username) > v.maxUsernameLength {
+		return ValidationError{"username", fmt.Sprintf("Username too long (max %d characters)", v.maxUsernameLength)}
+	}
+	
+	// Check for command injection characters
+	if containsUnsafeChars(username, []rune{'`', '$', '(', ')', ';', '&', '|', '<', '>', '\n', '\r', ' ', '"', '\'', '\\', '/'}) {
+		return ValidationError{"username", "Username contains invalid characters"}
+	}
+	
+	// Validate Unix username format (alphanumeric, underscore, dash, starting with letter/underscore)
+	matched, err := regexp.MatchString("^[a-zA-Z_][a-zA-Z0-9_-]*$", username)
+	if err != nil || !matched {
+		return ValidationError{"username", "Username must start with letter/underscore and contain only alphanumeric characters, underscores, and dashes"}
+	}
+	
+	return nil
+}
+
+// ValidatePassword validates SSH passwords
+func (v *SecurityValidator) ValidatePassword(password string) error {
+	// Password can be empty if SSH keys are used
+	if password == "" {
+		return nil
+	}
+	
+	if len(password) > v.maxPasswordLength {
+		return ValidationError{"password", fmt.Sprintf("Password too long (max %d characters)", v.maxPasswordLength)}
+	}
+	
+	// Check for shell metacharacters that could break command execution
+	if containsUnsafeChars(password, []rune{'`', '$', '\n', '\r', '\'', ';', '|', '&'}) {
+		return ValidationError{"password", "Password contains characters that could cause security issues"}
+	}
+	
+	return nil
+}
+
+// ValidateSSHKey validates SSH private keys
+func (v *SecurityValidator) ValidateSSHKey(key string) error {
+	// SSH key can be empty if password auth is used
+	if key == "" {
+		return nil
+	}
+	
+	// Increased limit to accommodate large RSA keys (8192-bit RSA can be ~6.5KB)
+	if len(key) > 16384 { // 16KB should handle even very large keys
+		return ValidationError{"ssh_key", "SSH key too long (max 16KB)"}
+	}
+	
+	// Check for basic SSH key format
+	if strings.Contains(key, "-----BEGIN") {
+		// Private key format - check for proper termination
+		if !strings.Contains(key, "-----END") {
+			return ValidationError{"ssh_key", "SSH private key appears malformed - missing END marker"}
+		}
+		
+		// Check for common private key types
+		validKeyTypes := []string{
+			"-----BEGIN RSA PRIVATE KEY-----",
+			"-----BEGIN DSA PRIVATE KEY-----", 
+			"-----BEGIN EC PRIVATE KEY-----",
+			"-----BEGIN OPENSSH PRIVATE KEY-----",
+			"-----BEGIN PRIVATE KEY-----", // PKCS#8 format
+		}
+		
+		hasValidType := false
+		for _, keyType := range validKeyTypes {
+			if strings.Contains(key, keyType) {
+				hasValidType = true
+				break
+			}
+		}
+		
+		if !hasValidType {
+			return ValidationError{"ssh_key", "SSH private key type not recognized"}
+		}
+		
+	} else if strings.HasPrefix(key, "ssh-") {
+		// Public key format - shouldn't be used for private key field
+		return ValidationError{"ssh_key", "Public key provided where private key expected"}
+	} else {
+		return ValidationError{"ssh_key", "SSH key format not recognized - must be PEM-encoded private key"}
+	}
+	
+	// Check for suspicious content that could indicate injection attempts
+	suspiciousPatterns := []string{
+		"$(", "`", ";", "|", "&", "<", ">", "\n\n\n", // command injection patterns
+	}
+	
+	for _, pattern := range suspiciousPatterns {
+		if strings.Contains(key, pattern) && !strings.Contains(pattern, "\n") { // newlines are normal in keys
+			return ValidationError{"ssh_key", "SSH key contains suspicious content"}
+		}
+	}
+	
+	return nil
+}
+
+// ValidatePort validates port numbers
+func (v *SecurityValidator) ValidatePort(port int) error {
+	if port <= 0 || port > 65535 {
+		return ValidationError{"port", "Port must be between 1 and 65535"}
+	}
+	
+	// Warn about privileged ports
+	if port < 1024 && port != 22 && port != 80 && port != 443 {
+		return ValidationError{"port", "Avoid using privileged ports (< 1024) unless necessary"}
+	}
+	
+	return nil
+}
+
+// ValidateHostname validates hostnames
+func (v *SecurityValidator) ValidateHostname(hostname string) error {
+	if hostname == "" {
+		return ValidationError{"hostname", "Hostname is required"}
+	}
+	
+	if len(hostname) > 253 {
+		return ValidationError{"hostname", "Hostname too long (max 253 characters)"}
+	}
+	
+	// Check for command injection characters
+	if containsUnsafeChars(hostname, []rune{'`', '$', '(', ')', ';', '&', '|', '<', '>', '\n', '\r', ' ', '"', '\''}) {
+		return ValidationError{"hostname", "Hostname contains invalid characters"}
+	}
+	
+	// Validate hostname format (RFC 1123)
+	matched, err := regexp.MatchString("^[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.([a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?))*$", hostname)
+	if err != nil || !matched {
+		return ValidationError{"hostname", "Invalid hostname format"}
+	}
+	
+	return nil
+}
+
+// ValidateClusterSecret validates cluster secrets
+func (v *SecurityValidator) ValidateClusterSecret(secret string) error {
+	if secret == "" {
+		return ValidationError{"cluster_secret", "Cluster secret is required"}
+	}
+	
+	if len(secret) < 32 {
+		return ValidationError{"cluster_secret", "Cluster secret too short (minimum 32 characters)"}
+	}
+	
+	if len(secret) > 128 {
+		return ValidationError{"cluster_secret", "Cluster secret too long (maximum 128 characters)"}
+	}
+	
+	// Ensure it's hexadecimal (common for generated secrets)
+	matched, err := regexp.MatchString("^[a-fA-F0-9]+$", secret)
+	if err != nil || !matched {
+		// If not hex, ensure it's at least alphanumeric
+		if !isAlphanumeric(secret) {
+			return ValidationError{"cluster_secret", "Cluster secret must be alphanumeric or hexadecimal"}
+		}
+	}
+	
+	return nil
+}
+
+// ValidateFilePath validates file paths
+func (v *SecurityValidator) ValidateFilePath(path string) error {
+	if path == "" {
+		return ValidationError{"file_path", "File path is required"}
+	}
+	
+	if len(path) > 4096 {
+		return ValidationError{"file_path", "File path too long"}
+	}
+	
+	// Check for command injection and directory traversal
+	if containsUnsafeChars(path, []rune{'`', '$', '(', ')', ';', '&', '|', '<', '>', '\n', '\r'}) {
+		return ValidationError{"file_path", "File path contains unsafe characters"}
+	}
+	
+	// Check for directory traversal attempts
+	if strings.Contains(path, "..") {
+		return ValidationError{"file_path", "Directory traversal detected in file path"}
+	}
+	
+	// Ensure absolute paths
+	if !strings.HasPrefix(path, "/") {
+		return ValidationError{"file_path", "File path must be absolute"}
+	}
+	
+	return nil
+}
+
+// SanitizeForCommand sanitizes strings for use in shell commands
+func (v *SecurityValidator) SanitizeForCommand(input string) string {
+	// Remove dangerous characters and control characters
+	result := strings.Map(func(r rune) rune {
+		if r < 32 || r == 127 {
+			return -1 // Remove control characters
+		}
+		switch r {
+		case '`', '$', ';', '&', '|', '<', '>', '(', ')', '"', '\'', '\\', '*', '?', '[', ']', '{', '}':
+			return -1 // Remove shell metacharacters and globbing chars
+		}
+		return r
+	}, input)
+	
+	// Trim whitespace and collapse multiple spaces
+	result = strings.TrimSpace(result)
+	
+	// Replace multiple spaces with single space
+	for strings.Contains(result, "  ") {
+		result = strings.ReplaceAll(result, "  ", " ")
+	}
+	
+	return result
+}
+
+// Helper function to check for unsafe characters
+func containsUnsafeChars(s string, unsafeChars []rune) bool {
+	for _, char := range s {
+		for _, unsafe := range unsafeChars {
+			if char == unsafe {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// Helper function to check if string is alphanumeric
+func isAlphanumeric(s string) bool {
+	for _, char := range s {
+		if !unicode.IsLetter(char) && !unicode.IsDigit(char) {
+			return false
+		}
+	}
+	return true
+}
+
+// ValidateSSHConnectionRequest validates an SSH connection request
+func (v *SecurityValidator) ValidateSSHConnectionRequest(ip, username, password, sshKey string, port int) error {
+	if err := v.ValidateIP(ip); err != nil {
+		return err
+	}
+	
+	if err := v.ValidateUsername(username); err != nil {
+		return err
+	}
+	
+	if err := v.ValidatePassword(password); err != nil {
+		return err
+	}
+	
+	if err := v.ValidateSSHKey(sshKey); err != nil {
+		return err
+	}
+	
+	if err := v.ValidatePort(port); err != nil {
+		return err
+	}
+	
+	// Ensure at least one authentication method is provided
+	if password == "" && sshKey == "" {
+		return ValidationError{"auth", "Either password or SSH key must be provided"}
+	}
+	
+	return nil
+}
+
+// ValidatePortList validates a list of port numbers
+func (v *SecurityValidator) ValidatePortList(ports []string) error {
+	if len(ports) > 50 { // Reasonable limit
+		return ValidationError{"ports", "Too many ports specified (max 50)"}
+	}
+	
+	for i, portStr := range ports {
+		port, err := strconv.Atoi(portStr)
+		if err != nil {
+			return ValidationError{"ports", fmt.Sprintf("Port %d is not a valid number: %s", i+1, portStr)}
+		}
+		
+		if err := v.ValidatePort(port); err != nil {
+			return ValidationError{"ports", fmt.Sprintf("Port %d invalid: %s", i+1, err.Error())}
+		}
+	}
+	
+	return nil
+}
+
+// ValidateIPList validates a list of IP addresses
+func (v *SecurityValidator) ValidateIPList(ips []string) error {
+	if len(ips) > 100 { // Reasonable limit
+		return ValidationError{"ip_list", "Too many IPs specified (max 100)"}
+	}
+	
+	for i, ip := range ips {
+		if err := v.ValidateIP(ip); err != nil {
+			return ValidationError{"ip_list", fmt.Sprintf("IP %d invalid: %s", i+1, err.Error())}
+		}
+	}
+	
+	return nil
+}