fix(security): [CWE-326] validate cookie encryptor config

[WilliamNHarvey]

Security Fix: CWE-326 — Cookie encryptor accepts empty secrets and weak KDF iteration inputs

Summary

Field	Value
Application	cookies
Severity	medium
CWE	CWE-326
Category	crypto
File	cookies.go:19
Confirmed	yes

Vulnerability Description

NewCookieEncryptor accepted caller-provided secret and iterations without rejecting empty secrets, too-short secrets, negative iterations, or low positive iteration counts. Those values flowed directly into the cookie encryption and signing key generator. A consuming service with an empty environment variable or weak iteration configuration could derive predictable or materially weaker cookie keys.

Proof of Exploit

The proof harness constructed NewCookieEncryptor("", 1) and NewCookieEncryptor("", -1). Both produced usable encryptors that could encrypt and decrypt dummy cookie values with matching weak inputs. Runtime startup was intentionally disabled for this static Go library; the issue is source-confirmable because cookies.go passed the inputs directly to the key generator and the pinned dependency only defaulted iterations == 0.

Data Flow

Caller-controlled constructor inputs -> NewCookieEncryptor(secret, iterations) -> goRailsYourself/crypto.KeyGenerator{Secret, Iterations} -> pbkdf2.Key -> cookie encryption and signing key material -> MessageEncryptor protects cookie values.

Changes Made

Added constructor validation and a non-panic constructor path:

• Reject missing or blank secrets.
• Reject secrets shorter than 32 bytes.
• Reject negative iteration counts.
• Reject positive iteration counts below 1000.
• Preserve 0 as the default iteration input and normalize it to 1000.
• Keep the existing NewCookieEncryptor signature, now panicking on unsafe configuration.
• Add NewCookieEncryptorWithError for callers that need to handle validation failures explicitly.

Before / After

Before:

func NewCookieEncryptor(secret string, iterations int) *CookieEncryptor {
	kg := crypto.KeyGenerator{Secret: secret, Iterations: iterations}
	// ...
}

After:

func NewCookieEncryptor(secret string, iterations int) *CookieEncryptor {
	ce, err := NewCookieEncryptorWithError(secret, iterations)
	if err != nil {
		panic(err)
	}

	return ce
}

HIPAA / PII Impact Assessment

This fix strengthens confidentiality and integrity for encrypted cookie contents that may gate access to patient data in consuming services. It does not log, expose, or transform PHI/PII.

Testing

• Regression test added or exact existing spec cited: go test -v ./...
• Existing tests pass
• Proof-of-exploit no longer works after fix
• No regression in authentication/authorization flows
• RuboCop/lint passes for changed Ruby files: N/A, Go library; go vet ./... passed

QA

This repository is a backend Go library/package with no browser, admin UI, or running service surface. Manual validation is local/API-level:

1. Run go test -v ./....
2. Confirm TestNewCookieEncryptorRejectsWeakConfig rejects empty, blank, short-secret, negative-iteration, and low-iteration inputs.
3. Confirm TestNewCookieEncryptorAcceptsDefaultAndMinimumIterations still encrypts/decrypts with a valid 32-byte secret and supported iteration values.

Reviewers

Ready-for-review PRs request @doximity/security_guild_reviewers (AppSec) plus
CODEOWNERS for the changed paths. Draft PRs intentionally defer security-guild
review requests until the PR is validated and marked ready. Both must approve
before merge.

---

This PR was auto-generated by the security-auditor agent.
The "Agent run cost" block is appended to this description automatically after
the audit run completes.