gb/security_audit.sh

#!/bin/bash

# General Bots Security Audit Script
# This script helps identify critical security issues in the codebase

set -e

echo "🔒 General Bots Security Audit"
echo "=============================="
echo ""

# Check for hardcoded secrets
echo "1. Checking for hardcoded secrets..."
if grep -r "password\s*=\s*\"" --include="*.rs" --include="*.toml" --include="*.json" . 2>/dev/null | grep -v "test" | grep -v "example" | head -10; then
    echo "⚠️  WARNING: Found potential hardcoded passwords"
else
    echo "✅ No obvious hardcoded passwords found"
fi

echo ""

# Check for unwrap/expect calls
echo "2. Checking for unwrap/expect calls..."
UNWRAP_COUNT=$(grep -r "\.unwrap()\|\.expect(" --include="*.rs" . 2>/dev/null | wc -l)
if [ "$UNWRAP_COUNT" -gt 0 ]; then
    echo "⚠️  WARNING: Found $UNWRAP_COUNT unwrap/expect calls"
    echo "   Sample locations:"
    grep -r "\.unwrap()\|\.expect(" --include="*.rs" . 2>/dev/null | head -5
else
    echo "✅ No unwrap/expect calls found"
fi

echo ""

# Check for Command::new usage
echo "3. Checking for unsafe command execution..."
if grep -r "Command::new" --include="*.rs" . 2>/dev/null | grep -v "SafeCommand" | head -5; then
    echo "⚠️  WARNING: Found potential unsafe command execution"
    echo "   Should use SafeCommand instead"
else
    echo "✅ No unsafe Command::new calls found"
fi

echo ""

# Check for SQL injection patterns
echo "4. Checking for SQL injection patterns..."
if grep -r "format!.*SELECT\|format!.*INSERT\|format!.*UPDATE\|format!.*DELETE" --include="*.rs" . 2>/dev/null | grep -v "sanitize" | head -5; then
    echo "⚠️  WARNING: Found potential SQL injection patterns"
    echo "   Should use sql_guard functions"
else
    echo "✅ No obvious SQL injection patterns found"
fi

echo ""

# Check security headers in routes
echo "5. Checking for security middleware usage..."
if grep -r "security_headers_middleware\|csrf_middleware\|rate_limit_middleware" --include="*.rs" . 2>/dev/null | head -5; then
    echo "✅ Security middleware found"
else
    echo "⚠️  WARNING: No security middleware found in routes"
fi

echo ""

# Check for SecurityManager usage
echo "6. Checking for SecurityManager initialization..."
if grep -r "SecurityManager::new\|SecurityManager::initialize" --include="*.rs" . 2>/dev/null; then
    echo "✅ SecurityManager usage found"
else
    echo "⚠️  WARNING: SecurityManager not initialized"
fi

echo ""

# Check dependencies
echo "7. Checking dependencies..."
if command -v cargo-audit &> /dev/null; then
    echo "Running cargo audit..."
    cargo audit
else
    echo "⚠️  Install cargo-audit: cargo install cargo-audit"
fi

echo ""

# Check for .env files in git
echo "8. Checking for secrets in git..."
if find . -name ".env" -type f | grep -v node_modules | grep -v target; then
    echo "⚠️  WARNING: .env files found in repository"
    echo "   Secrets should be in /tmp/ only"
else
    echo "✅ No .env files in repository"
fi

echo ""

# Check file permissions
echo "9. Checking critical file permissions..."
if [ -f "botserver-stack/conf/vault/init.json" ]; then
    PERMS=$(stat -c "%a" "botserver-stack/conf/vault/init.json")
    if [ "$PERMS" -gt 600 ]; then
        echo "⚠️  WARNING: Vault init file permissions too open: $PERMS"
        echo "   Should be 600 or 400"
    else
        echo "✅ Vault init file permissions OK: $PERMS"
    fi
fi

echo ""

# Summary
echo "📊 Security Audit Summary"
echo "========================"
echo ""
echo "Critical Issues to Address:"
echo "1. $UNWRAP_COUNT unwrap/expect calls need replacement"
echo "2. SecurityManager initialization missing"
echo "3. Security middleware may not be applied to all routes"
echo ""
echo "Next Steps:"
echo "1. Review TASKS.md for detailed remediation plan"
echo "2. Fix P1 issues first (SecurityManager, error handling)"
echo "3. Run cargo clippy and fix all warnings"
echo "4. Implement security testing"
echo ""
echo "For detailed tasks, see: TASKS.md"
echo "For quick checklist, see: SECURITY_CHECKLIST.md"