security: comprehensive hardening (4 critical, 7 high, 4 medium fixes)

bradleygauthier · bradleygauthier · commit ac9deecfe81c · 2026-04-04T17:50:01.000-05:00
Critical fixes:
- C1: API key authentication (CONDUIT_API_KEY env var, hmac.compare_digest)
- C2: Pydantic models for all mutation endpoints (ServiceRegister, DnsResolve)
- C3: Path traversal guard on SPA fallback (resolve + startswith check)
- C4: Remove Docker socket mount from docker-compose.yml

High fixes:
- H1: CORS middleware restricting to localhost origins
- H2: Remove --reload from production Dockerfile CMD
- H3: Non-root user (conduit) in Dockerfile
- H4: Parse .env files line-by-line instead of bash source (only CONDUIT_ vars)
- H5: SSH host validation regex + replace bash -c with direct execution
- H6: Caddy admin URL restricted to localhost regex allowlist
- H7: Replace RSA 2048 with Ed25519 in tls.sh cert generation

Medium fixes:
- M1: _validate_service_name on all path parameters
- M6: Remove PyPI auto-install from audit.sh (supply chain risk)
- M7: Pin Python dependencies to exact versions
- M9: Strip stderr from API responses (no internal path leakage)
diff --git a/Dockerfile b/Dockerfile
@@ -14,6 +14,8 @@ RUN apt-get update \
        curl jq openssh-client \
     && rm -rf /var/lib/apt/lists/*
 
+RUN useradd -r -s /bin/false -m conduit
+
 WORKDIR /app
 COPY requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt
@@ -24,5 +26,8 @@ COPY lib/ ./lib/
 COPY templates/ ./templates/
 COPY --from=ui /ui/dist ./ui/dist
 
+RUN chown -R conduit:conduit /app
+
+USER conduit
 EXPOSE 9999
-CMD ["uvicorn", "server:app", "--host", "0.0.0.0", "--port", "9999", "--reload", "--reload-dir", "/app"]
+CMD ["uvicorn", "server:app", "--host", "0.0.0.0", "--port", "9999"]
diff --git a/conduit-monitor.sh b/conduit-monitor.sh
@@ -52,14 +52,22 @@ for arg in "$@"; do
     esac
 done
 
+# Validate SSH host if provided (prevent command injection)
+if [[ -n "$SSH_HOST" ]]; then
+    if ! [[ "$SSH_HOST" =~ ^[a-zA-Z0-9@._-]+$ ]]; then
+        log_error "Invalid server address: $SSH_HOST"
+        exit 1
+    fi
+fi
+
 # ---------------------------------------------------------------------------
 # Helper: run command locally or via SSH
 # ---------------------------------------------------------------------------
 _run() {
     if [[ -n "$SSH_HOST" ]]; then
         ssh -o ConnectTimeout=5 -o BatchMode=yes "$SSH_HOST" "$@" 2>/dev/null
     else
-        bash -c "$*" 2>/dev/null
+        "$@" 2>/dev/null
     fi
 }
 
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -21,13 +21,12 @@ services:
       - ./conduit-preflight.sh:/app/conduit-preflight.sh
       - ./lib:/app/lib
       - ./templates:/app/templates
-      - ${CONDUIT_CONFIG_DIR:-~/.config/qp-conduit}:/root/.config/qp-conduit
-      - /var/run/docker.sock:/var/run/docker.sock
+      - ${CONDUIT_CONFIG_DIR:-~/.config/qp-conduit}:/home/conduit/.config/qp-conduit
     environment:
       - CONDUIT_APP_NAME=${CONDUIT_APP_NAME:-qp-conduit}
-      - CONDUIT_CONFIG_DIR=/root/.config/qp-conduit
+      - CONDUIT_CONFIG_DIR=/home/conduit/.config/qp-conduit
       - CONDUIT_CADDY_ADMIN=${CONDUIT_CADDY_ADMIN:-host.docker.internal:2019}
-      - CONDUIT_DOCKER_SOCKET=/var/run/docker.sock
+      - CONDUIT_API_KEY=${CONDUIT_API_KEY:-}
     extra_hosts:
       - "host.docker.internal:host-gateway"
     restart: unless-stopped
diff --git a/lib/audit.sh b/lib/audit.sh
@@ -105,25 +105,10 @@ _ensure_capsule() {
         return 0
     fi
 
-    log_info "qp-capsule CLI not found. Attempting to install via pip..."
-
-    local pip_cmd=""
-    if command -v pip3 &>/dev/null; then
-        pip_cmd="pip3"
-    elif command -v pip &>/dev/null; then
-        pip_cmd="pip"
-    else
-        log_warn "pip not found. Cannot auto-install qp-capsule."
-        return 1
-    fi
-
-    if "$pip_cmd" install --quiet qp-capsule 2>/dev/null; then
-        log_success "Installed qp-capsule CLI"
-        return 0
-    else
-        log_warn "Failed to install qp-capsule via pip."
-        return 1
-    fi
+    # Do not auto-install from PyPI (supply chain risk, air-gap violation).
+    # Pre-install qp-capsule in the Docker image or on the host.
+    log_warn "qp-capsule not found. Install with: pip install qp-capsule"
+    return 1
 }
 
 # ---------------------------------------------------------------------------
diff --git a/lib/common.sh b/lib/common.sh
@@ -135,8 +135,24 @@ ensure_config_dir() {
 load_env() {
     local env_file="${CONDUIT_ENV_FILE:-$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)/.env.conduit}"
     if [[ -f "$env_file" ]]; then
-        # shellcheck disable=SC1090
-        source "$env_file"
+        local key value
+        while IFS='=' read -r key value; do
+            # Skip comments and empty lines
+            [[ "$key" =~ ^[[:space:]]*# ]] && continue
+            [[ -z "$key" ]] && continue
+            # Strip leading/trailing whitespace
+            key="${key#"${key%%[![:space:]]*}"}"
+            key="${key%"${key##*[![:space:]]}"}"
+            value="${value#"${value%%[![:space:]]*}"}"
+            value="${value%"${value##*[![:space:]]}"}"
+            # Strip surrounding quotes from value
+            value="${value#\"}"
+            value="${value%\"}"
+            # Only export known CONDUIT_ prefixed variables
+            if [[ "$key" =~ ^CONDUIT_ ]]; then
+                export "$key=$value"
+            fi
+        done < "$env_file"
     fi
 }
 
diff --git a/lib/tls.sh b/lib/tls.sh
@@ -79,7 +79,7 @@ tls_issue_cert() {
     fi
 
     # Generate private key
-    openssl genrsa -out "${cert_dir}/key.pem" 2048 2>/dev/null
+    openssl genpkey -algorithm ED25519 -out "${cert_dir}/key.pem" 2>/dev/null
     chmod 600 "${cert_dir}/key.pem"
 
     # Generate CSR
diff --git a/requirements.txt b/requirements.txt
@@ -1,3 +1,3 @@
-fastapi>=0.135
-uvicorn>=0.40
-pydantic>=2.0
+fastapi==0.115.12
+uvicorn==0.34.3
+pydantic==2.11.4
diff --git a/server.py b/server.py
@@ -6,16 +6,18 @@
 routing, monitoring, and audit operations.
 """
 
+import hmac
 import json
 import os
+import re
 import subprocess
-import time
-from datetime import datetime, timezone
 from pathlib import Path
 
-from fastapi import FastAPI, Query
-from fastapi.responses import HTMLResponse, JSONResponse
+from fastapi import Depends, FastAPI, Header, HTTPException, Query
+from fastapi.middleware.cors import CORSMiddleware
+from fastapi.responses import FileResponse, HTMLResponse, JSONResponse
 from fastapi.staticfiles import StaticFiles
+from pydantic import BaseModel, Field
 
 # ---------------------------------------------------------------------------
 # Configuration
@@ -32,7 +34,80 @@
 REGISTRY_PATH = CONFIG_DIR / "services.json"
 AUDIT_PATH = CONFIG_DIR / "audit.log"
 
-app = FastAPI(title="QP Conduit", version="0.1.0")
+# API key for authentication (required in production, optional in dev)
+API_KEY = os.environ.get("CONDUIT_API_KEY", "")
+
+# Caddy admin URL (restricted to localhost by default)
+CADDY_ADMIN_HOST = os.environ.get("CONDUIT_CADDY_ADMIN", "localhost:2019")
+_CADDY_ADMIN_ALLOWED = re.compile(r"^(localhost|127\.0\.0\.1|host\.docker\.internal)(:\d+)?$")
+
+
+# ---------------------------------------------------------------------------
+# Input validation patterns
+# ---------------------------------------------------------------------------
+
+SERVICE_NAME_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9_-]{0,62}[a-zA-Z0-9]$|^[a-zA-Z0-9]$")
+HOST_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9._:-]{0,253}[a-zA-Z0-9]$")
+HEALTH_PATH_RE = re.compile(r"^/[a-zA-Z0-9/_.-]{0,255}$")
+DOMAIN_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9._-]{0,253}[a-zA-Z0-9]$")
+
+
+def _validate_service_name(name: str) -> str:
+    """Validate and return a service name, or raise 422."""
+    if not SERVICE_NAME_RE.match(name):
+        raise HTTPException(422, f"Invalid service name: must match [a-zA-Z0-9_-]")
+    return name
+
+
+# ---------------------------------------------------------------------------
+# Pydantic models
+# ---------------------------------------------------------------------------
+
+
+class ServiceRegister(BaseModel):
+    name: str = Field(..., min_length=1, max_length=64, pattern=r"^[a-zA-Z0-9][a-zA-Z0-9_-]*$")
+    host: str = Field(..., min_length=3, max_length=255, pattern=r"^[a-zA-Z0-9][a-zA-Z0-9._:-]*$")
+    health_path: str = Field(default="/", max_length=256, pattern=r"^/[a-zA-Z0-9/_.-]*$")
+    no_tls: bool = False
+
+
+class DnsResolve(BaseModel):
+    domain: str = Field(..., min_length=1, max_length=255, pattern=r"^[a-zA-Z0-9][a-zA-Z0-9._-]*$")
+
+
+# ---------------------------------------------------------------------------
+# Authentication
+# ---------------------------------------------------------------------------
+
+
+async def verify_api_key(x_api_key: str = Header(default="")):
+    """Verify API key if CONDUIT_API_KEY is set. Skip auth if unset (dev mode)."""
+    if not API_KEY:
+        return  # No key configured: dev mode, allow all
+    if not x_api_key or not hmac.compare_digest(x_api_key, API_KEY):
+        raise HTTPException(401, "Invalid or missing API key")
+
+
+# ---------------------------------------------------------------------------
+# App setup
+# ---------------------------------------------------------------------------
+
+app = FastAPI(
+    title="QP Conduit",
+    version="0.1.0",
+    dependencies=[Depends(verify_api_key)],
+)
+
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=[
+        "http://localhost:9999",
+        "http://localhost:5173",
+        "https://localhost:9999",
+    ],
+    allow_methods=["GET", "POST", "PUT", "DELETE"],
+    allow_headers=["X-API-Key", "Content-Type"],
+)
 
 
 # ---------------------------------------------------------------------------
@@ -41,7 +116,7 @@
 
 
 def _run(script: str, *args: str, timeout: int = 30) -> dict:
-    """Run a conduit script and return stdout, stderr, exit code."""
+    """Run a conduit script and return stdout, exit code. Stderr is logged, not returned."""
     cmd = [str(HERE / script)] + list(args)
     try:
         result = subprocess.run(
@@ -50,13 +125,12 @@ def _run(script: str, *args: str, timeout: int = 30) -> dict:
         return {
             "ok": result.returncode == 0,
             "stdout": result.stdout,
-            "stderr": result.stderr,
             "exit_code": result.returncode,
         }
     except subprocess.TimeoutExpired:
-        return {"ok": False, "stdout": "", "stderr": "Command timed out", "exit_code": -1}
+        return {"ok": False, "stdout": "", "exit_code": -1}
     except FileNotFoundError:
-        return {"ok": False, "stdout": "", "stderr": f"Script not found: {script}", "exit_code": -1}
+        return {"ok": False, "stdout": "", "exit_code": -1}
 
 
 def _read_json(path: Path, default=None):
@@ -84,12 +158,19 @@ def _read_audit(limit: int = 50) -> list[dict]:
         return []
 
 
+def _caddy_admin_url() -> str:
+    """Return validated Caddy admin URL. Restricted to localhost."""
+    if not _CADDY_ADMIN_ALLOWED.match(CADDY_ADMIN_HOST):
+        return "localhost:2019"  # Fallback to safe default
+    return CADDY_ADMIN_HOST
+
+
 def _caddy_status() -> bool:
     """Check if Caddy admin API is reachable."""
-    admin_url = os.environ.get("CONDUIT_CADDY_ADMIN", "localhost:2019")
+    url = _caddy_admin_url()
     try:
         result = subprocess.run(
-            ["curl", "-sf", f"http://{admin_url}/config/"],
+            ["curl", "-sf", f"http://{url}/config/"],
             capture_output=True, timeout=3,
         )
         return result.returncode == 0
@@ -151,17 +232,12 @@ def list_services():
 
 
 @app.post("/api/services")
-def register_service(body: dict):
+def register_service(body: ServiceRegister):
     """Register a new service."""
-    name = body.get("name", "")
-    host = body.get("host", "")
-    health = body.get("health_path", "/")
-    no_tls = body.get("no_tls", False)
-
-    args = ["--name", name, "--host", host]
-    if health and health != "/":
-        args += ["--health", health]
-    if no_tls:
+    args = ["--name", body.name, "--host", body.host]
+    if body.health_path and body.health_path != "/":
+        args += ["--health", body.health_path]
+    if body.no_tls:
         args.append("--no-tls")
 
     result = _run("conduit-register.sh", *args)
@@ -171,17 +247,19 @@ def register_service(body: dict):
 @app.delete("/api/services/{name}")
 def deregister_service(name: str):
     """Deregister a service."""
+    _validate_service_name(name)
     result = _run("conduit-deregister.sh", "--name", name)
     return result
 
 
 @app.get("/api/services/{name}/health")
 def service_health(name: str):
     """Check health of a specific service."""
+    _validate_service_name(name)
     services = _read_json(REGISTRY_PATH, {"services": []}).get("services", [])
     svc = next((s for s in services if s.get("name") == name), None)
     if not svc:
-        return JSONResponse({"error": f"Service '{name}' not found"}, status_code=404)
+        return JSONResponse({"error": "Service not found"}, status_code=404)
     return {"name": name, "status": svc.get("status", "unknown")}
 
 
@@ -198,11 +276,10 @@ def list_dns():
 
 
 @app.post("/api/dns/resolve")
-def resolve_dns(body: dict):
+def resolve_dns(body: DnsResolve):
     """Resolve a domain name."""
-    domain = body.get("domain", "")
-    result = _run("conduit-dns.sh", "--resolve", domain)
-    return {"ok": result["ok"], "domain": domain, "output": result["stdout"]}
+    result = _run("conduit-dns.sh", "--resolve", body.domain)
+    return {"ok": result["ok"], "domain": body.domain, "output": result["stdout"]}
 
 
 @app.post("/api/dns/flush")
@@ -227,13 +304,15 @@ def list_certs():
 @app.post("/api/tls/{name}/rotate")
 def rotate_cert(name: str):
     """Rotate a certificate."""
+    _validate_service_name(name)
     result = _run("conduit-certs.sh", "--rotate", name)
     return result
 
 
 @app.get("/api/tls/{name}/inspect")
 def inspect_cert(name: str):
     """Inspect a certificate."""
+    _validate_service_name(name)
     result = _run("conduit-certs.sh", "--inspect", name)
     return {"ok": result["ok"], "output": result["stdout"]}
 
@@ -291,10 +370,10 @@ def list_routes():
 @app.post("/api/routing/reload")
 def reload_routing():
     """Reload Caddy configuration."""
-    admin_url = os.environ.get("CONDUIT_CADDY_ADMIN", "localhost:2019")
+    url = _caddy_admin_url()
     try:
         result = subprocess.run(
-            ["curl", "-sf", "-X", "POST", f"http://{admin_url}/load"],
+            ["curl", "-sf", "-X", "POST", f"http://{url}/load"],
             capture_output=True, timeout=5,
         )
         return {"ok": result.returncode == 0}
@@ -325,13 +404,17 @@ def get_audit(limit: int = Query(50, ge=1, le=500)):
     app.mount("/assets", StaticFiles(directory=str(UI_ASSETS)), name="assets")
 
 if UI_DIST.exists():
+    _UI_DIST_RESOLVED = UI_DIST.resolve()
 
     @app.get("/{path:path}")
     def spa_fallback(path: str):
-        # Serve specific files from dist (e.g., vite.svg, favicon)
-        file_path = UI_DIST / path
-        if path and file_path.exists() and file_path.is_file():
-            return HTMLResponse(file_path.read_bytes())
+        # Path traversal guard
+        if path:
+            file_path = (UI_DIST / path).resolve()
+            if not str(file_path).startswith(str(_UI_DIST_RESOLVED)):
+                raise HTTPException(403, "Forbidden")
+            if file_path.exists() and file_path.is_file():
+                return FileResponse(str(file_path))
         # SPA fallback: serve index.html for all routes
         index = UI_DIST / "index.html"
         if index.exists():
