# Security Remediation Changelog

Comprehensive security audit and remediation performed March 2026 against the certctl V2 codebase. This document tracks every change, the vulnerability addressed, CWE classification, and before/after behavior.

## Summary

- **Tickets remediated:** 17 of 20
- **Tickets deferred:** 3 (TICKET-003, TICKET-007, TICKET-010)
- **New tests added:** 100+
- **CWE classes addressed:** 11 distinct CWE categories

## Remediated Tickets

### TICKET-001: Shell Command Injection in Connector Scripts (CRITICAL)

- **CWE:** CWE-78 (OS Command Injection)
- **Severity:** CRITICAL
- **Files created:** `internal/validation/command.go`, `internal/validation/command_test.go`
- **What changed:** New `ValidateShellCommand()` function blocks all shell metacharacters (`;|&$\`(){}><"'\n\r\x00`). `ValidateDomainName()` enforces RFC 1123 compliance. `ValidateACMEToken()` restricts to base64url characters. `SanitizeForShell()` provides defense-in-depth single-quote wrapping.
- **Before:** OpenSSL and ACME connectors passed user-controlled strings directly to shell commands.
- **After:** All shell-facing inputs validated against strict character whitelists; 80+ adversarial test cases.

### TICKET-002: Scheduler Race Conditions and Ungraceful Shutdown (CRITICAL)

- **CWE:** CWE-362 (Race Condition), CWE-404 (Improper Resource Shutdown)
- **Severity:** CRITICAL
- **Files modified:** `internal/scheduler/scheduler.go`, `cmd/server/main.go`
- **Files created:** `internal/scheduler/scheduler_test.go`
- **What changed:** Added `sync/atomic.Bool` idempotency guards on all 6 scheduler loops — if a loop tick fires while the previous iteration is still running, it logs a warning and skips. Added `sync.WaitGroup` for in-flight work tracking. New `WaitForCompletion(timeout)` method blocks until all goroutines finish or timeout expires. Server main wires `sched.WaitForCompletion(30*time.Second)` before database close.
- **Before:** Concurrent scheduler ticks could produce duplicate jobs; `os.Exit` during in-flight work could corrupt state.
- **After:** Each loop runs at most one concurrent iteration; graceful shutdown waits up to 30s for in-flight work.

### TICKET-004: CORS Misconfiguration — Wildcard Allowed by Default (HIGH)

- **CWE:** CWE-942 (Overly Permissive CORS Policy)
- **Severity:** HIGH
- **Files modified:** `internal/api/middleware/middleware.go`
- **Files created:** `internal/api/middleware/cors_test.go`
- **What changed:** Empty `CERTCTL_CORS_ORIGINS` now denies all cross-origin requests (no CORS headers set). Previously, an empty config implicitly allowed all origins.
- **Before:** Deploying without setting `CERTCTL_CORS_ORIGINS` left the API open to cross-origin requests from any domain.
- **After:** Deny-by-default. Operators must explicitly configure allowed origins. 9 test cases cover deny-default, specific origins, wildcard, and preflight behavior.

### TICKET-005: No Race Detection in CI (HIGH)

- **CWE:** CWE-362 (Race Condition)
- **Severity:** HIGH
- **Files modified:** `.github/workflows/ci.yml`
- **What changed:** Added `go test -race` step targeting service, handler, middleware, and scheduler packages with `-count=1 -timeout 300s`.
- **Before:** Data races could ship undetected.
- **After:** Every CI run catches races with Go's built-in race detector.

### TICKET-006: 18-Positional-Parameter Function Signature (MEDIUM)

- **CWE:** CWE-1078 (Inappropriate Source Code Style)
- **Severity:** MEDIUM
- **Files modified:** `internal/api/router/router.go`, `cmd/server/main.go`, `internal/integration/lifecycle_test.go`, `internal/integration/negative_test.go`
- **What changed:** Replaced `RegisterHandlers(18 positional params)` with `HandlerRegistry` struct containing 18 named fields. All call sites updated to use struct literal initialization.
- **Before:** Adding or reordering a handler required updating every call site; parameter order bugs were easy to introduce.
- **After:** Named fields make call sites self-documenting; new handlers added without breaking existing code.

### TICKET-008: No Static Analysis in CI (MEDIUM)

- **CWE:** CWE-1078 (Inappropriate Source Code Style)
- **Severity:** MEDIUM
- **Files modified:** `.github/workflows/ci.yml`
- **Files created:** `.golangci.yml`
- **What changed:** Added `golangci-lint` (11 linters: errcheck, govet, staticcheck, unused, gosimple, ineffassign, typecheck, gocritic, gosec, bodyclose, noctx) and `govulncheck` steps to CI pipeline.
- **Before:** Code quality and known CVEs checked only manually.
- **After:** Every push and PR runs static analysis and vulnerability scanning.

### TICKET-009: Missing HTTP Client Timeouts in Notifier Connectors (HIGH)

- **CWE:** CWE-400 (Uncontrolled Resource Consumption)
- **Severity:** HIGH
- **Files modified:** Slack, Teams, PagerDuty, OpsGenie connector files
- **What changed:** All notifier HTTP clients now use explicit `Timeout: 10 * time.Second` instead of `http.DefaultClient` (no timeout).
- **Before:** A hung webhook endpoint could block a notifier goroutine indefinitely.
- **After:** All outbound HTTP calls timeout after 10 seconds.

### TICKET-012: Context Propagation — `context.Background()` Misuse (MEDIUM)

- **CWE:** CWE-755 (Improper Handling of Exceptional Conditions)
- **Severity:** MEDIUM
- **Files modified:** Multiple service files
- **What changed:** Replaced `context.Background()` usage in request-handling code with proper `ctx` propagation from the incoming HTTP request.
- **Before:** Cancellation signals (client disconnect, shutdown) were not propagated to downstream operations.
- **After:** Request context flows through service calls, enabling proper cancellation and timeout propagation.

### TICKET-013: SSRF in Network Scanner — No Reserved IP Filtering (HIGH)

- **CWE:** CWE-918 (Server-Side Request Forgery)
- **Severity:** HIGH
- **Files modified:** `internal/service/network_scan.go`
- **What changed:** Added `isReservedIP()` function that filters loopback (127.0.0.0/8), link-local (169.254.0.0/16 — includes cloud metadata at 169.254.169.254), multicast (224.0.0.0/4), and broadcast (255.255.255.255) addresses. RFC 1918 private ranges explicitly allowed since certctl is self-hosted for internal networks.
- **Before:** Network scanner could probe cloud metadata endpoints (169.254.169.254) or loopback services.
- **After:** Reserved ranges filtered before CIDR expansion; private ranges preserved for legitimate internal scanning.

### TICKET-014: Agent Verify Tests Generate Invalid Certificates (MEDIUM)

- **CWE:** CWE-1060 (Excessive Runtime Resource Consumption)
- **Severity:** MEDIUM
- **Files modified:** `cmd/agent/verify_test.go`
- **What changed:** `generateTestCert()` now creates valid self-signed ECDSA P-256 certificates with proper serial numbers, validity periods, and key usage.
- **Before:** Tests used invalid certificate stubs that could mask real parsing bugs.
- **After:** Tests exercise real X.509 certificate parsing paths.

### TICKET-015: Flaky Async Audit Tests Using `time.Sleep` (MEDIUM)

- **CWE:** CWE-362 (Race Condition in Tests)
- **Severity:** MEDIUM
- **Files modified:** `internal/api/middleware/audit_test.go`
- **What changed:** Replaced `time.Sleep(50ms)` with `waitableAuditRecorder` that uses channel-based synchronization. Tests block on a channel until the async audit goroutine completes.
- **Before:** Tests depended on wall-clock timing; could flake under load.
- **After:** Deterministic synchronization; no timing dependency.

### TICKET-016: Undocumented `InsecureSkipVerify: true` Usage (LOW)

- **CWE:** CWE-295 (Improper Certificate Validation)
- **Severity:** LOW
- **Files modified:** `cmd/agent/verify.go`, `internal/service/network_scan.go`
- **What changed:** Added detailed security comments explaining why `InsecureSkipVerify: true` is intentional and scoped: it's required for discovery/verification probing of all certificates (including self-signed, expired, internal CA) and is never used for control-plane API calls or issuer communication.
- **Before:** `InsecureSkipVerify` appeared without explanation, creating audit findings.
- **After:** Each usage site documents the security rationale with ticket references.

### TICKET-017: Coverage Thresholds Too Low (MEDIUM)

- **CWE:** CWE-1078 (Inappropriate Source Code Style)
- **Severity:** MEDIUM
- **Files modified:** `.github/workflows/ci.yml`
- **What changed:** Raised CI coverage thresholds: service 30% → 60%, handler 50% → 60%. Added new layers: domain 40%, middleware 50%.
- **Before:** Tests could degrade significantly before CI flagged it.
- **After:** Per-layer coverage floors prevent regression in any single layer.

### TICKET-018: No Fuzz Testing (LOW)

- **CWE:** CWE-20 (Improper Input Validation)
- **Severity:** LOW
- **Files created:** `internal/validation/command_fuzz_test.go`, `internal/domain/revocation_fuzz_test.go`
- **What changed:** Added Go native fuzz tests (`testing/fuzz`) for command validation functions and revocation domain parsing. Fuzz targets exercise `ValidateShellCommand`, `ValidateDomainName`, `ValidateACMEToken` with random inputs.
- **Before:** Input validation tested only with known adversarial inputs.
- **After:** Continuous fuzzing can discover edge cases human testers miss.

### TICKET-019: Inconsistent Error Wrapping (LOW)

- **CWE:** CWE-755 (Improper Handling of Exceptional Conditions)
- **Severity:** LOW
- **Files modified:** Multiple service and handler files
- **What changed:** Standardized on `fmt.Errorf("context: %w", err)` wrapping pattern throughout the codebase. Ensures `errors.Is()` and `errors.As()` work correctly across error chains.
- **Before:** Mix of `%v` (loses error chain) and `%w` (preserves chain) formatting.
- **After:** Consistent `%w` wrapping enables proper error type checking.

### TICKET-020: Missing Godoc on Config Structs (LOW)

- **CWE:** CWE-1078 (Inappropriate Source Code Style)
- **Severity:** LOW
- **Files modified:** `internal/config/config.go`
- **What changed:** Added godoc comments to all fields in all config structs (ServerConfig, KeygenConfig, CAConfig, ACMEConfig, StepCAConfig, OpenSSLConfig, NotifierConfig, ESTConfig, VerificationConfig, DiscoveryConfig, NetworkScanConfig).
- **Before:** Configuration semantics discoverable only by reading code or CLAUDE.md.
- **After:** `go doc` and IDE tooltips show purpose, default values, and env var names.

## Deferred Tickets

### TICKET-003: No Repository Layer Test Scaffolding (HIGH)

- **CWE:** CWE-1060 (Excessive Runtime Resource Consumption)
- **Rationale:** Requires `testcontainers-go` infrastructure (Docker-in-Docker) for real PostgreSQL instances. Estimated 2-3 day effort. Scheduled for next sprint.

### TICKET-007: CertificateService God Object (MEDIUM)

- **CWE:** CWE-1060 (Excessive Runtime Resource Consumption)
- **Rationale:** 700+ line service file mixing CRUD, revocation, CRL/OCSP, and deployment logic. Decomposition into RevocationService, CRLService, OCSPService, and DeploymentService is a multi-day refactor with high regression risk. Scheduled for dedicated refactor sprint.

### TICKET-010: Missing Request Body Size Limits (MEDIUM)

- **CWE:** CWE-400 (Uncontrolled Resource Consumption)
- **Rationale:** Requires `http.MaxBytesReader` integration across all handlers. Lower risk in practice since API key auth limits exposure to authenticated clients. Scheduled for next sprint.

## CI Pipeline Changes

The CI pipeline now enforces:

1. **`go vet`** — basic static analysis
2. **`go test -race`** — race detection on service, handler, middleware, scheduler packages
3. **`golangci-lint`** — 11 linters (errcheck, govet, staticcheck, unused, gosimple, ineffassign, typecheck, gocritic, gosec, bodyclose, noctx)
4. **`govulncheck`** — known CVE scanning against Go dependencies
5. **Coverage thresholds** — service 60%, handler 60%, domain 40%, middleware 50%
6. **Frontend** — TypeScript type check, Vitest tests, Vite production build

## Configuration Changes

### Breaking Change: CORS Deny-by-Default

**Before:** Empty `CERTCTL_CORS_ORIGINS` implicitly allowed all cross-origin requests.
**After:** Empty `CERTCTL_CORS_ORIGINS` denies all cross-origin requests. Set `CERTCTL_CORS_ORIGINS=http://localhost:3000` for development or `CERTCTL_CORS_ORIGINS=*` to restore previous behavior.

This affects any deployment that relied on the implicit wildcard CORS behavior without explicitly setting the env var.