certctl

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-10 22:28:52 +00:00

Author	SHA1	Message	Date
shankar0123	b9478d064c	security(email): sanitize body fields against content injection (CodeQL #11 , CWE-640) CodeQL alert #11 (go/email-injection, CWE-640 / OWASP Content Spoofing) flagged the wc.Write(message) sink at internal/connector/notifier/email/ email.go:208 because attacker-controllable fields flow into the email body unchecked. Threat model: Headers (From, To, Subject) were already protected by validation.ValidateHeaderValue (CWE-113 SMTP header injection, closed in commit `9e957c3`). The remaining gap was the body. An attacker controls multiple fields that surface to the body of alert/event notifications: - alert.Subject, alert.Message - event.Subject, event.Body, event.CertificateID - alert.Metadata + event.Metadata key/value pairs These can carry CR/LF (forged 'Reply-To: attacker@evil.com' inside the body that recipients skim), NUL bytes (RFC 5321 4.5.2 violation that some MTAs truncate at), bidi-override Unicode (visually- spoofable URLs), zero-width / invisible Unicode (phishing), or malformed UTF-8 (Go emits U+FFFD which becomes a glyph in mail clients). The HTML email path (digest service) already uses html/template upstream and is safe via contextual auto-escape. This commit closes the plaintext path. Fix: internal/validation/headers.go gains SanitizeEmailBodyValue — a sanitizer that NEVER errors (the right contract for body content; over-eager rejection drops operator notifications) and scrubs: - NUL bytes (stripped entirely) - bare CR / LF (replaced with space — single fields should never carry their own line breaks; the surrounding template handles legitimate CRLFs) - C0 control chars < 0x20 except TAB - DEL (0x7F) + C1 control chars (0x80-0x9F) - U+FFFD (defense in depth: malformed UTF-8 -> Go emits this; strip so attacker-planted invalid bytes don't survive as an arbitrary glyph) - Bidi-override Unicode (U+202A..U+202E, U+2066..U+2069) - Zero-width / invisible Unicode (U+200B..U+200D, U+2060..U+2063, U+FEFF, U+180E) - Catch-all unicode.IsControl for anything not enumerated above Codepoint table uses numeric ranges rather than rune-literal switch cases — Go source rejects literal invisible characters (BOM U+FEFF) mid-file, so the table compares against numeric values. internal/connector/notifier/email/email.go applies the sanitizer at every interpolation site: - formatAlertBody: alert.ID/Type/Severity/Subject/Message (CreatedAt is time.Time -> RFC3339, structural, not sanitized) - formatEventBody: event.ID/Type/Subject/Body, CertificateID (CreatedAt structural, not sanitized) - formatMetadata: both keys and values The sendEmail / formatEmailMessage call sites continue to validate headers (From / To / Subject) via the existing ValidateHeaderValue fail-closed gate; the new sanitizer is body-side only. Tests (internal/validation/headers_test.go): TestSanitizeEmailBodyValue_PreservesSafeInput Pin: ordinary ASCII, UTF-8 multibyte (résumé / 日本語 / مرحبا), tabs, common cert DNs, URLs all flow through unchanged. TestSanitizeEmailBodyValue_StripsControlChars Table-driven across NUL, bare LF/CR, CRLF, BEL, backspace, DEL, C1 (U+0080 / U+009F), U+FFFD, TAB-preserve. TestSanitizeEmailBodyValue_StripsBidiOverride 7 attacker payloads (RLO, LRO, LRI, zero-width space, ZWNJ, BOM, MVS) — each must produce a non-identity output. TestSanitizeEmailBodyValue_ContentSpoofingScenario The CodeQL example case: 'alert\r\nReply-To: attacker@evil.com\r\n Click https://evil.example.com/reset' — verify NO CR/LF survives. Verified locally: gofmt: clean. go vet ./...: exit 0. go test -short -count=1 ./internal/validation/...: ok 0.374s go test -short -count=1 ./internal/connector/notifier/email/...: ok 0.186s Reference: https://github.com/certctl-io/certctl/security/code-scanning/11 Closes CodeQL alert #11 (go/email-injection).	2026-05-04 04:56:13 +00:00
shankar0123	5dc698307b	chore: rename Go module path to github.com/certctl-io/certctl Mechanical sed across the main go.mod's module declaration, the f5-mock-icontrol sub-module's go.mod, every Go file's import path (361 files), and a rebuild of the checked-in f5-mock-icontrol binary so its embedded build-info reflects the new module path. No behavior change. Choice B from cowork/transfer-certctl-to-org.md, executed 2026-05-04. Choice A (keep module path declared as github.com/shankar0123/certctl regardless of repo URL) shipped on the day of the org transfer (2026-05-03) since we had no external Go consumers; this commit closes that deferral. Backward-compat: GitHub HTTP redirects continue to forward github.com/shankar0123/certctl → github.com/certctl-io/certctl at the URL level, but Go's module proxy uses the path declared in go.mod as the canonical name. Pre-fix, anyone trying `go get github.com/certctl-io/certctl/...` hit a "module path mismatch" error because go.mod said github.com/shankar0123/certctl and the URL they fetched it from said certctl-io/certctl. Post-fix, the canonical name and the URL agree, so go get / go install / external Go consumers / Go-tooling integrations work cleanly via either the new path (preferred) or the old path (which redirects and Go follows the redirect for source fetch). Anyone still importing the old path inside their own code keeps working provided they update their go.mod's `require` line to match — the module path declared in their consumer's go.sum / go.mod is the authoritative import name, so a mass sed across their import statements is the migration on the consumer side. No external consumers exist today. Diff shape: 361 *.go files — import path replacement only 2 go.mod — module declaration replacement only 1 binary — deploy/test/f5-mock-icontrol/f5-mock-icontrol rebuilt so embedded build-info reflects the new path (8618965 vs 8618933 bytes; 32-byte diff is the build-info change) Total: 364 files, 730 insertions / 730 deletions, net-zero size, pure mechanical substitution. Verification: gofmt: 17 files needed re-alignment after sed (the new path is one char shorter than the old, so column-aligned import groups drifted). Applied `gofmt -w` to fix. go mod tidy: clean exit on both modules. go vet ./...: clean exit. go build ./...: clean exit. go test -short -count=1 on representative packages: all green (internal/domain, internal/validation, internal/crypto, internal/crypto/signer, cmd/agent). Test output now reads `ok github.com/certctl-io/certctl/...` confirming the module path resolves correctly. binary: f5-mock-icontrol rebuilt; `strings \| grep shankar0123` returns nothing; `strings \| grep certctl-io/certctl` shows the new module path embedded in build-info. Files intentionally NOT touched in this commit: README.md / CHANGELOG.md / docs/ / etc. — already swept to certctl-io URLs in commit `bc6039a` (the post-transfer URL refresh). This commit is purely the Go-tooling layer. Scarf pixels (`shankar0123.docker.scarf.sh/...`) — Scarf-account namespace, not a Go import or GitHub repo URL. Stays. This is a non-blocking, non-customer-impacting change. Operators pulling container images, running `make verify`, hitting the API, or installing the agent see no functional difference. Only Go-tooling consumers (none today) are affected, and they're enabled — not broken — by this commit.	2026-05-04 00:30:29 +00:00
Shankar	9e957c3447	security: reject CRLF/NUL in email headers to prevent SMTP injection (fixes H-3) H-3 in certctl-audit-report.md: caller-supplied From/To/Subject were interpolated directly into the SMTP DATA payload and handed to client.Mail / client.Rcpt with no sanitization, allowing an attacker who controls any of those values to inject extra headers (Bcc:, Reply-To:), split the message body (CRLFCRLF), or tamper with the SMTP envelope. CWE-113. Fix: - New package helper internal/validation.ValidateHeaderValue(field, value). Rejects CR ("\r"), LF ("\n"), and NUL ("\x00") with an error that names the offending field but does NOT echo the raw value, so log readers cannot be attacked with injected content. Silent stripping was considered and rejected: authentication-relevant headers must fail visibly. - Two-layer defense in internal/connector/notifier/email/email.go: (1) primary guard at the top of sendEmail / sendHTMLEmail, which blocks tampering of the SMTP envelope (client.Mail, client.Rcpt) since net/smtp does not sanitize those arguments; and (2) defense-in-depth guard inside formatEmailMessage / formatHTMLEmailMessage, catching any future caller that bypasses sendEmail. Both format functions now return an error. - Body content is intentionally NOT validated — CR/LF in body is legal RFC 5322 content and net/smtp handles dot-stuffing. Tests: - internal/validation/headers_test.go: 3 functions (AcceptsSafeInput, RejectsControlCharacters, DefaultFieldName) covering plain ASCII, UTF-8 multibyte, tabs, typical email addresses, CRLF injection, lone CR, lone LF, NUL, CRLFCRLF body split, trailing CR, leading LF. Each reject case asserts the field name IS in the error and the raw offending value IS NOT (anti-log-injection). - internal/connector/notifier/email/email_test.go: added TestEmail_FormatEmailMessage_RejectsCRLFInjection and TestEmail_FormatHTMLEmailMessage_RejectsCRLFInjection. Existing format tests updated for the new (bytes, error) signature. Wire-format invariants preserved: - SMTP DATA headers still use CRLF separators and RFC 1123Z Date (unchanged). - Content-Type headers unchanged (text/plain for plain, text/html + MIME-Version: 1.0 for HTML). - No change to message encoding or transport. Verification (Go 1.25.9 linux-arm64, parent `0750c5f`): - go build ./... clean - go vet ./... clean - go test -race ./internal/validation/... ok - go test -race ./internal/connector/notifier/email/... ok - go test -race ./internal/connector/notifier/webhook/... ok - Per-layer coverage gates all pass: validation 95.1% (+0.7 vs baseline 94.4%) email 39.7% (+1.4 vs baseline 38.3%) service 67.8% (unchanged) handler 78.6% (unchanged) middleware 80.0% (unchanged) domain 92.7% (unchanged) - govulncheck ./... No vulnerabilities found - golangci-lint run ./internal/validation/... ./internal/connector/notifier/email/... 0 issues Operational note: SMTP sends that would previously deliver a tampered message now fail fast at the notifier with a clear error. Operators who were relying on header-injection-shaped inputs (there should be none in practice — all callers are internal certctl code) will see "failed to format message: <field> contains disallowed control character" in logs. Scope: H-3 only. H-4 (webhook SSRF) follows in a separate commit.	2026-04-17 00:08:20 +00:00
Shankar	3f1f94f56b	feat(m28+m29+m30): ACME ARI, email digest, and Helm chart M28: ACME Renewal Information (RFC 9702) — CA-directed renewal timing with cert ID computation, directory endpoint discovery, graceful degradation for non-ARI CAs. 19 tests. M29: Email notifier wiring + scheduled certificate digest — SMTP connector bridged to service layer via NotifierAdapter, DigestService with HTML email template, 7th scheduler loop (24h), digest preview/send API endpoints and GUI card. 21 tests. M30: Production-ready Helm chart — server Deployment, PostgreSQL StatefulSet, agent DaemonSet, ConfigMaps, Secrets, Ingress, security contexts, health probes, example values for dev/prod/ACME scenarios. Also: OpenAPI spec updates, MCP tool additions, CI helm-lint job, documentation updates across 5 doc files and README. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-28 21:18:35 -04:00
Shankar	e2160c15d0	Fix go vet IPv6 address format errors in email notifier and server Replace fmt.Sprintf("%s:%d") with net.JoinHostPort() for IPv6 compatibility. Bump setup-go action to v5 to resolve Node.js 20 deprecation warnings. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-15 11:59:31 -04:00
shankar0123	d395776a95	Initial scaffold: certificate control plane v0.1.0	2026-03-14 08:22:17 -04:00

6 Commits