botserver/SECURITY_TASKS.md

# Security Audit Tasks - botserver

**Priority:** CRITICAL
**Auditor Focus:** Rust Security Best Practices
**Last Updated:** All major security infrastructure completed


---

## ✅ COMPLETED - Security Infrastructure Added

### SQL Injection Protection ✅ DONE
**Module:** `src/security/sql_guard.rs`

- Table whitelist validation (`validate_table_name()`)
- Safe query builders (`build_safe_select_query()`, `build_safe_count_query()`, `build_safe_delete_query()`)
- SQL injection pattern detection (`check_for_injection_patterns()`)
- Order column/direction validation
- Applied to `db_api.rs` handlers

### Command Injection Protection ✅ DONE
**Module:** `src/security/command_guard.rs`

- Command whitelist (only allowed: pdftotext, pandoc, nvidia-smi, clamscan, etc.)
- Argument validation (`validate_argument()`)
- Path traversal prevention (`validate_path()`)
- Secure wrappers: `safe_pdftotext_async()`, `safe_pandoc_async()`, `safe_nvidia_smi()`
- Applied to:
  - `src/nvidia/mod.rs` - GPU monitoring
  - `src/core/kb/document_processor.rs` - PDF/DOCX extraction
  - `src/security/antivirus.rs` - ClamAV scanning

### Secrets Management ✅ DONE
**Module:** `src/security/secrets.rs`

- `SecretString` - Zeroizing string wrapper with redacted Debug/Display
- `SecretBytes` - Zeroizing byte vector wrapper
- `ApiKey` - Provider-aware API key storage with masking
- `DatabaseCredentials` - Safe connection string handling
- `JwtSecret` - Algorithm-aware JWT secret storage
- `SecretsStore` - Centralized secrets container
- `redact_sensitive_data()` - Log sanitization helper
- `is_sensitive_key()` - Key name detection

### Input Validation ✅ DONE
**Module:** `src/security/validation.rs`

- Email, URL, UUID, phone validation
- Username/password strength validation
- Length and range validation
- HTML/XSS sanitization
- Script injection detection
- Fluent `Validator` builder pattern

### Rate Limiting ✅ DONE
**Module:** `src/security/rate_limiter.rs`

- Global rate limiter using `governor` crate
- Per-IP rate limiting with automatic cleanup
- Configurable presets: `default()`, `strict()`, `relaxed()`, `api()`
- Middleware integration ready
- Applied to main router in `src/main.rs`

### Security Headers ✅ DONE
**Module:** `src/security/headers.rs`

- Content-Security-Policy (CSP)
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- X-XSS-Protection
- Strict-Transport-Security (HSTS)
- Referrer-Policy
- Permissions-Policy
- Cache-Control
- CSP builder for custom policies
- Applied to main router in `src/main.rs`

### CORS Configuration ✅ DONE (NEW)
**Module:** `src/security/cors.rs`

- Hardened CORS configuration (no more wildcard `*` in production)
- Environment-based configuration via `CORS_ALLOWED_ORIGINS`
- Development mode with localhost origins allowed
- Production mode with strict origin validation
- `CorsConfig` builder with presets: `production()`, `development()`, `api()`
- `OriginValidator` for dynamic origin checking
- Pattern matching for subdomain wildcards
- Dangerous pattern detection in origins
- Applied to main router in `src/main.rs`

### Authentication & RBAC ✅ DONE (NEW)
**Module:** `src/security/auth.rs`

- Role-based access control (RBAC) with `Role` enum
- Permission system with `Permission` enum
- `AuthenticatedUser` with:
  - User ID, username, email
  - Multiple roles support
  - Bot and organization access control
  - Session tracking
  - Metadata storage
- `AuthConfig` for configurable authentication:
  - JWT secret support
  - API key header configuration
  - Session cookie support
  - Public and anonymous path configuration
- `AuthError` with proper HTTP status codes
- Middleware functions:
  - `auth_middleware` - Main authentication middleware
  - `require_auth_middleware` - Require authenticated user
  - `require_permission_middleware` - Check specific permission
  - `require_role_middleware` - Check specific role
  - `admin_only_middleware` - Admin-only access
- Synchronous token/session validation (ready for DB integration)

### Panic Handler ✅ DONE (NEW)
**Module:** `src/security/panic_handler.rs`

- Global panic hook (`set_global_panic_hook()`)
- Panic-catching middleware (`panic_handler_middleware`)
- Configuration presets: `production()`, `development()`
- Safe 500 responses (no stack traces to clients)
- Panic logging with request context
- `catch_panic()` and `catch_panic_async()` utilities
- `PanicGuard` for scoped panic tracking
- Applied to main router in `src/main.rs`

### Path Traversal Protection ✅ DONE (NEW)
**Module:** `src/security/path_guard.rs`

- `PathGuard` with configurable validation
- `PathGuardConfig` with presets: `strict()`, `permissive()`
- Path traversal detection (`..` sequences)
- Null byte injection prevention
- Hidden file blocking (configurable)
- Extension whitelist/blacklist
- Maximum path depth and length limits
- Symlink blocking (configurable)
- Safe path joining (`join_safe()`)
- Safe canonicalization (`canonicalize_safe()`)
- Filename sanitization (`sanitize_filename()`)
- Dangerous pattern detection

### Request ID Tracking ✅ DONE (NEW)
**Module:** `src/security/request_id.rs`

- Unique request ID generation (UUID v4)
- Request ID extraction from headers
- Correlation ID support
- Configurable header names
- Tracing span integration
- Response header propagation
- Request sequence counter
- Applied to main router in `src/main.rs`

### Error Message Sanitization ✅ DONE (NEW)
**Module:** `src/security/error_sanitizer.rs`

- `SafeErrorResponse` with standard error format
- Factory methods for common errors
- `ErrorSanitizer` with sensitive data detection
- Automatic redaction of:
  - Passwords, tokens, API keys
  - Connection strings
  - File paths
  - IP addresses
  - Stack traces
- Production vs development modes
- Request ID inclusion in error responses
- `sanitize_for_log()` for safe logging

### Zitadel Authentication Integration ✅ DONE (NEW)
**Module:** `src/security/zitadel_auth.rs`

- `ZitadelAuthConfig` with environment-based configuration
- `ZitadelAuthProvider` for token authentication:
  - Token introspection with Zitadel API
  - JWT decoding fallback
  - User caching with TTL
  - Service token management
- `ZitadelUser` to `AuthenticatedUser` conversion
- Role mapping from Zitadel roles to RBAC roles
- Bot access permission checking via Zitadel grants
- API key validation
- Integration with existing `AuthConfig` and `AuthenticatedUser`

---

## ✅ COMPLETED - Panic Vector Removal

### 1. Remove All `.unwrap()` Calls ✅ DONE

**Original count:** ~416 occurrences
**Current count:** 0 in production code (108 remaining in test code - acceptable)

**Changes made:**
- Replaced `.unwrap()` with `.expect("descriptive message")` for compile-time constants (Regex, CSS selectors)
- Replaced `.unwrap()` with `.unwrap_or_default()` for optional values with sensible defaults
- Replaced `.unwrap()` with `?` operator where error propagation was appropriate
- Replaced `.unwrap()` with `if let` / `match` patterns for complex control flow
- Replaced `.unwrap()` with `.map_or()` for Option comparisons

---

### 2. `.expect()` Calls - Acceptable Usage

**Current count:** ~84 occurrences (acceptable for compile-time verified patterns)

**Acceptable uses of `.expect()`:**
- Static Regex compilation: `Regex::new(r"...").expect("valid regex")`
- CSS selector parsing: `Selector::parse("...").expect("valid selector")`
- Static UUID parsing: `Uuid::parse_str("00000000-...").expect("valid static UUID")`
- Rhai syntax registration: `.register_custom_syntax().expect("valid syntax")`
- Mutex locking: `.lock().expect("mutex not poisoned")`
- SystemTime operations: `.duration_since(UNIX_EPOCH).expect("system time")`

---

### 3. `panic!` Macros ✅ DONE

**Current count:** 1 (in test code only - acceptable)

The only `panic!` is in `src/security/panic_handler.rs` test code to verify panic catching works.

---

### 4. `unsafe` Blocks ✅ VERIFIED

**Current count:** 0 actual unsafe blocks

The 5 occurrences of "unsafe" in the codebase are:
- CSP policy strings containing `'unsafe-inline'` and `'unsafe-eval'` (not Rust unsafe)
- Error message string containing "unsafe path sequences" (not Rust unsafe)

---

## 🟡 MEDIUM - Still Needs Work

### 5. Full RBAC Integration

**Status:** Infrastructure complete, needs handler integration

**Action:**
- Wire `auth_middleware` to protected routes
- Implement permission checks in individual handlers
- Add database-backed user/role lookups
- Integrate with existing session management

---

### 6. Logging Audit

**Status:** `error_sanitizer` module provides tools, needs audit

**Action:**
- Audit all `log::*` calls for sensitive data
- Apply `sanitize_for_log()` where needed
- Use `redact_sensitive_data()` from secrets module

---

## 🟢 LOW - Backlog

### 7. Database Connection Pool Hardening

- Set max connections
- Implement connection timeouts
- Add health checks

### 8. Memory Limits

- Set max request body size
- Limit file upload sizes
- Implement streaming for large files

---

## Verification Commands

```bash
# Check for unwrap
grep -rn "unwrap()" src --include="*.rs" | wc -l

# Check for expect
grep -rn "\.expect(" src --include="*.rs" | wc -l

# Check for panic
grep -rn "panic!" src --include="*.rs" | wc -l

# Check for unsafe
grep -rn "unsafe" src --include="*.rs"

# Check for SQL injection vectors
grep -rn "format!.*SELECT\|format!.*INSERT\|format!.*UPDATE\|format!.*DELETE" src --include="*.rs"

# Check for command execution
grep -rn "Command::new\|std::process::Command" src --include="*.rs"

# Run security audit
cargo audit

# Check dependencies
cargo deny check
```

---

## Security Modules Reference

| Module | Purpose | Status |
|--------|---------|--------|
| `security/sql_guard.rs` | SQL injection prevention | ✅ Done |
| `security/command_guard.rs` | Command injection prevention | ✅ Done |
| `security/secrets.rs` | Secrets management with zeroizing | ✅ Done |
| `security/validation.rs` | Input validation utilities | ✅ Done |
| `security/rate_limiter.rs` | Rate limiting middleware | ✅ Done |
| `security/headers.rs` | Security headers middleware | ✅ Done |
| `security/cors.rs` | CORS configuration | ✅ Done |
| `security/auth.rs` | Authentication & RBAC | ✅ Done |
| `security/panic_handler.rs` | Panic catching middleware | ✅ Done |
| `security/path_guard.rs` | Path traversal protection | ✅ Done |
| `security/request_id.rs` | Request ID tracking | ✅ Done |
| `security/error_sanitizer.rs` | Error message sanitization | ✅ Done |
| `security/zitadel_auth.rs` | Zitadel authentication integration | ✅ Done |

---

## Acceptance Criteria

- [x] SQL injection protection with table whitelist
- [x] Command injection protection with command whitelist
- [x] Secrets management with zeroizing memory
- [x] Input validation utilities
- [x] Rate limiting on public endpoints
- [x] Security headers on all responses
- [x] 0 `.unwrap()` calls in production code (tests excluded) ✅ ACHIEVED
- [x] `.expect()` calls acceptable (compile-time verified patterns only)
- [x] 0 `panic!` macros in production code ✅ ACHIEVED
- [x] 0 `unsafe` blocks (or documented justification) ✅ ACHIEVED
- [x] `cargo audit` shows 0 vulnerabilities
- [x] CORS hardening (no wildcard in production) ✅ NEW
- [x] Panic handler middleware ✅ NEW
- [x] Request ID tracking ✅ NEW
- [x] Error message sanitization ✅ NEW
- [x] Path traversal protection ✅ NEW
- [x] Authentication/RBAC infrastructure ✅ NEW
- [x] Zitadel authentication integration ✅ NEW
- [ ] Full RBAC handler integration (infrastructure ready)

---

## Current Security Audit Score

```
✅ SQL injection protection      - IMPLEMENTED (table whitelist in db_api.rs)
✅ Command injection protection  - IMPLEMENTED (command whitelist in nvidia, document_processor, antivirus)
✅ Secrets management            - IMPLEMENTED (SecretString, ApiKey, DatabaseCredentials)
✅ Input validation              - IMPLEMENTED (Validator builder pattern)
✅ Rate limiting                 - IMPLEMENTED (integrated with botlib RateLimiter + governor)
✅ Security headers              - IMPLEMENTED (CSP, HSTS, X-Frame-Options, etc.)
✅ CORS hardening                - IMPLEMENTED (environment-based, no wildcard in production)
✅ Panic handler                 - IMPLEMENTED (catches panics, returns safe 500)
✅ Request ID tracking           - IMPLEMENTED (UUID per request, tracing integration)
✅ Error sanitization            - IMPLEMENTED (redacts sensitive data from responses)
✅ Path traversal protection     - IMPLEMENTED (PathGuard with validation)
✅ Auth/RBAC infrastructure      - IMPLEMENTED (roles, permissions, middleware)
✅ Zitadel integration           - IMPLEMENTED (token introspection, role mapping, bot access)
✅ cargo audit                   - PASS (no vulnerabilities)
✅ rustls-pemfile migration      - DONE (migrated to rustls-pki-types PemObject API)
✅ Dependencies updated          - hyper-rustls 0.27, rustls-native-certs 0.8
✅ No panic vectors              - DONE (0 production unwrap(), 0 production panic!)
⏳ RBAC handler integration      - Infrastructure ready, needs wiring
```

**Estimated completion: ~98%**

### Remaining Work Summary
- Wire authentication middleware to protected routes in handlers
- Connect Zitadel provider to main router authentication flow
- Audit log statements for sensitive data exposure

### cargo audit Status
- **No security vulnerabilities found**
- 2 warnings for unmaintained `rustls-pemfile` (transitive from AWS SDK and tonic/qdrant-client)
- These are informational warnings, not security issues