145 lines
5.4 KiB
JavaScript
145 lines
5.4 KiB
JavaScript
/**
|
|
* V3 Security Module
|
|
*
|
|
* Comprehensive security module addressing all identified vulnerabilities:
|
|
* - CVE-2: Weak Password Hashing (password-hasher.ts)
|
|
* - CVE-3: Hardcoded Default Credentials (credential-generator.ts)
|
|
* - HIGH-1: Command Injection (safe-executor.ts)
|
|
* - HIGH-2: Path Traversal (path-validator.ts)
|
|
*
|
|
* Also provides:
|
|
* - Input validation with Zod schemas
|
|
* - Secure token generation
|
|
*
|
|
* @module v3/security
|
|
*/
|
|
// Password Hashing (CVE-2 Fix)
|
|
export { PasswordHasher, PasswordHashError, createPasswordHasher, } from './password-hasher.js';
|
|
// Credential Generation (CVE-3 Fix)
|
|
export { CredentialGenerator, CredentialGeneratorError, createCredentialGenerator, generateCredentials, } from './credential-generator.js';
|
|
// Safe Command Execution (HIGH-1 Fix)
|
|
export { SafeExecutor, SafeExecutorError, createDevelopmentExecutor, createReadOnlyExecutor, } from './safe-executor.js';
|
|
// Path Validation (HIGH-2 Fix)
|
|
export { PathValidator, PathValidatorError, createProjectPathValidator, createFullProjectPathValidator, } from './path-validator.js';
|
|
// Input Validation
|
|
export { InputValidator, sanitizeString, sanitizeHtml, sanitizePath,
|
|
// Base schemas
|
|
SafeStringSchema, IdentifierSchema, FilenameSchema, EmailSchema, PasswordSchema, UUIDSchema, HttpsUrlSchema, UrlSchema, SemverSchema, PortSchema, IPv4Schema, IPSchema,
|
|
// Auth schemas
|
|
UserRoleSchema, PermissionSchema, LoginRequestSchema, CreateUserSchema, CreateApiKeySchema,
|
|
// Agent & Task schemas
|
|
AgentTypeSchema, SpawnAgentSchema, TaskInputSchema,
|
|
// Command & Path schemas
|
|
CommandArgumentSchema, PathSchema,
|
|
// Config schemas
|
|
SecurityConfigSchema, ExecutorConfigSchema,
|
|
// Utilities
|
|
PATTERNS, LIMITS, z, } from './input-validator.js';
|
|
// Token Generation
|
|
export { TokenGenerator, TokenGeneratorError, createTokenGenerator, getDefaultGenerator, quickGenerate, } from './token-generator.js';
|
|
// ============================================================================
|
|
// Convenience Factory Functions
|
|
// ============================================================================
|
|
import { PasswordHasher } from './password-hasher.js';
|
|
import { CredentialGenerator } from './credential-generator.js';
|
|
import { SafeExecutor } from './safe-executor.js';
|
|
import { PathValidator } from './path-validator.js';
|
|
import { TokenGenerator } from './token-generator.js';
|
|
/**
|
|
* Creates a complete security module with all components configured.
|
|
*
|
|
* @param config - Module configuration
|
|
* @returns Complete security module
|
|
*
|
|
* @example
|
|
* ```typescript
|
|
* const security = createSecurityModule({
|
|
* projectRoot: '/workspaces/project',
|
|
* hmacSecret: process.env.HMAC_SECRET!,
|
|
* });
|
|
*
|
|
* // Hash password
|
|
* const hash = await security.passwordHasher.hash('password');
|
|
*
|
|
* // Validate path
|
|
* const result = await security.pathValidator.validate('/workspaces/project/src/file.ts');
|
|
*
|
|
* // Execute command safely
|
|
* const output = await security.safeExecutor.execute('git', ['status']);
|
|
* ```
|
|
*/
|
|
export function createSecurityModule(config) {
|
|
return {
|
|
passwordHasher: new PasswordHasher({
|
|
rounds: config.bcryptRounds ?? 12,
|
|
}),
|
|
credentialGenerator: new CredentialGenerator(),
|
|
safeExecutor: new SafeExecutor({
|
|
allowedCommands: config.allowedCommands ?? ['git', 'npm', 'npx', 'node'],
|
|
}),
|
|
pathValidator: new PathValidator({
|
|
allowedPrefixes: [config.projectRoot],
|
|
allowHidden: true,
|
|
}),
|
|
tokenGenerator: new TokenGenerator({
|
|
hmacSecret: config.hmacSecret,
|
|
}),
|
|
};
|
|
}
|
|
// ============================================================================
|
|
// Security Constants
|
|
// ============================================================================
|
|
/**
|
|
* Minimum recommended bcrypt rounds for production
|
|
*/
|
|
export const MIN_BCRYPT_ROUNDS = 12;
|
|
/**
|
|
* Maximum recommended bcrypt rounds (performance consideration)
|
|
*/
|
|
export const MAX_BCRYPT_ROUNDS = 14;
|
|
/**
|
|
* Minimum password length
|
|
*/
|
|
export const MIN_PASSWORD_LENGTH = 8;
|
|
/**
|
|
* Maximum password length (bcrypt limitation)
|
|
*/
|
|
export const MAX_PASSWORD_LENGTH = 72;
|
|
/**
|
|
* Default token expiration in seconds (1 hour)
|
|
*/
|
|
export const DEFAULT_TOKEN_EXPIRATION = 3600;
|
|
/**
|
|
* Default session expiration in seconds (24 hours)
|
|
*/
|
|
export const DEFAULT_SESSION_EXPIRATION = 86400;
|
|
// ============================================================================
|
|
// Security Audit Helper
|
|
// ============================================================================
|
|
/**
|
|
* Checks security configuration for common issues.
|
|
*
|
|
* @param config - Configuration to audit
|
|
* @returns Array of security warnings
|
|
*/
|
|
export function auditSecurityConfig(config) {
|
|
const warnings = [];
|
|
if (config.bcryptRounds && config.bcryptRounds < MIN_BCRYPT_ROUNDS) {
|
|
warnings.push(`bcryptRounds (${config.bcryptRounds}) below recommended minimum (${MIN_BCRYPT_ROUNDS})`);
|
|
}
|
|
if (config.hmacSecret && config.hmacSecret.length < 32) {
|
|
warnings.push('hmacSecret should be at least 32 characters');
|
|
}
|
|
if (!config.projectRoot) {
|
|
warnings.push('projectRoot not configured - path validation may be disabled');
|
|
}
|
|
if (config.allowedCommands && config.allowedCommands.length === 0) {
|
|
warnings.push('No commands allowed - executor will reject all commands');
|
|
}
|
|
return warnings;
|
|
}
|
|
/**
|
|
* Security module version
|
|
*/
|
|
export const SECURITY_MODULE_VERSION = '3.0.0-alpha.1';
|
|
//# sourceMappingURL=index.js.map
|