diff --git a/backend/secuscan/config.py b/backend/secuscan/config.py index e05e573c..7b30e36f 100644 --- a/backend/secuscan/config.py +++ b/backend/secuscan/config.py @@ -1,5 +1,5 @@ """ -Configuration management for SecuScan backend +Configuration manFagement for SecuScan backend """ from pathlib import Path @@ -11,7 +11,6 @@ PROJECT_ROOT = Path(__file__).resolve().parent.parent - class Settings(BaseSettings): """Application settings loaded from environment variables""" @@ -19,7 +18,8 @@ class Settings(BaseSettings): bind_address: str = "127.0.0.1" bind_port: int = 8000 debug: bool = True - + + max_port_range_size: int = 1000 # Primary data store database_path: str = str(PROJECT_ROOT / "data" / "secuscan.db") diff --git a/backend/secuscan/validation.py b/backend/secuscan/validation.py index 495edfa3..54e072df 100644 --- a/backend/secuscan/validation.py +++ b/backend/secuscan/validation.py @@ -141,12 +141,16 @@ def validate_port_range(port_range: str) -> Tuple[bool, str]: return True, "" # Handle port ranges +# Handle port ranges if '-' in port_range: try: start, end = map(int, port_range.split('-')) if start > end: return False, "Port range start must be less than end" + if (end - start) > settings.max_port_range_size: + return False, f"Port range too large (max {settings.max_port_range_size} ports allowed)" + is_valid, msg = validate_port(start) if not is_valid: return False, msg @@ -198,7 +202,7 @@ def sanitize_input(value: str) -> str: Sanitized value """ # Remove shell metacharacters - dangerous_chars = [';', '|', '&', '$', '`', '(', ')', '<', '>', '\n', '\r'] + dangerous_chars = [';', '|', '&', '$', '`', '(', ')', '<', '>', '\n', '\r', "'", '"', '\\', '!', '{', '}'] for char in dangerous_chars: value = value.replace(char, '') diff --git a/docs/incident-response-runbook.md b/docs/incident-response-runbook.md new file mode 100644 index 00000000..aacd5be7 --- /dev/null +++ b/docs/incident-response-runbook.md 
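Review bot: The rewritten module docstring line introduces a typo, `Configuration manFagement for SecuScan backend`, and the hunk changes nothing else, so the new side is strictly worse than the old one. Restore `Configuration management for SecuScan backend` or drop this hunk from the commit.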
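Review bot: `max_port_range_size: int = 1000` is added to `Settings` with no comment saying what it bounds, and it sits directly against the `# Primary data store` comment that belongs to the unrelated `database_path` setting below it. Add a blank line after the new field and a comment stating its meaning, e.g. `# Largest span (end - start) validate_port_range accepts for an "a-b" range`; from the validation hunk it appears to be compared as a difference rather than a port count, so the comment should say which one is intended. The `Settings` class continues outside the hunk.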
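Review bot: The new guard `if (end - start) > settings.max_port_range_size:` admits a range of `max_port_range_size + 1` ports while the rejection message promises at most `max_port_range_size` ports, so either count inclusively, `if end - start + 1 > settings.max_port_range_size:`, or reword the message to describe the span. The added `+# Handle port ranges` line duplicates the existing comment immediately above it and should be dropped. Nothing in this hunk shows `settings` being imported into validation.py; if it is not already in scope at module level, the first range input will raise `NameError` rather than be validated, so please confirm the import is present. `validate_port_range` begins and ends outside the hunk, and the comma-separated handling the tests rely on is not visible here.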
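Review bot: Extending `dangerous_chars` keeps `sanitize_input` on a delete-from-denylist strategy, which silently rewrites the value (a rejected-looking input becomes a different, accepted one) and still leaves whitespace, globbing and comment characters untouched, so a value that later reaches a shell string is not made safe by this list alone. The robust fix is to keep the list-form `subprocess.run([...], shell=False)` at any call site and validate at the boundary with an allowlist, or to reject instead of strip where callers can tolerate it: `if any(c in value for c in dangerous_chars): raise ValueError("invalid characters in input")`. As a smaller change, the per-character loop can become a single pass, `value = value.translate(str.maketrans('', '', ''.join(dangerous_chars)))`, with identical results. The function's signature and its return are outside the hunk.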
@@ -0,0 +1,58 @@ +# Incident Response Runbook — SecuScan + +## 1. Leaked Vault Keys + +### Detection + +- Check logs for unauthorized access: `grep "vault" logs/secuscan.log` +- Verify key usage timestamps in audit trail + +### Response Steps + +1. **Immediately revoke** the compromised key +2. **Rotate** all vault keys: generate new keys, re-encrypt stored secrets +3. **Invalidate** all active sessions and tokens +4. **Audit** which reports used the compromised key +5. **Notify** affected users + +### Verification + +```bash +# Confirm new key is active +python -m secuscan verify-vault-keys + +# Confirm old key is revoked +python -m secuscan list-vault-keys --status +``` + +## 2. Compromised Plugins + +### Detection + +- Monitor plugin execution logs for anomalous behavior +- Check plugin integrity hashes + +### Response Steps + +1. **Isolate** — disable the plugin immediately +2. **Preserve logs** before any cleanup +3. **Audit** all scans that used the compromised plugin +4. **Restore** from last known clean state + +### Verification + +```bash +# List active plugins +python -m secuscan plugins --list + +# Disable compromised plugin +python -m secuscan plugins --disable +``` + +## 3. Restoring Clean State + +1. Stop all running scans +2. Rotate all credentials +3. Re-validate plugin integrity +4. Run full test suite: `pytest tests/` +5. Confirm system health before resuming diff --git a/testing/backend/unit/test_validation.py b/testing/backend/unit/test_validation.py index 0e5d8321..c7f38572 100644 --- a/testing/backend/unit/test_validation.py +++ b/testing/backend/unit/test_validation.py 
@@ -86,10 +86,9 @@ def test_validate_port_range(): assert validate_port_range("22,80,443") == (True, "") # Mixed comma + range — this was the bug - assert validate_port_range("80,443-8080") == (True, "") - assert validate_port_range("22,80,443-8080") == (True, "") - assert validate_port_range("22,80-90,443,8000-9000") == (True, "") - + assert validate_port_range("80,443-500") == (True, "") + assert validate_port_range("22,80,443-500") == (True, "") + assert validate_port_range("22,80-90,443,8000-8100") == (True, "") # Invalid: out-of-range port assert validate_port_range("99999")[0] is False assert validate_port_range("80,99999")[0] is False
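Review bot: The three mixed comma-plus-range assertions were shrunk to fit under the new cap, but no assertion now exercises the cap, so removing the size check in `validate_port_range` would leave this test green. Add a rejection case alongside them, e.g. `assert validate_port_range("1-2000")[0] is False`, and a boundary case at exactly `settings.max_port_range_size`, whose expected value should be pinned once it is decided whether the limit counts ports or the difference `end - start`. If the test run can override settings from the environment, derive the oversized range from `settings.max_port_range_size` rather than hard-coding 2000. The hunk also removes the blank line that separated this group from `# Invalid: out-of-range port`; restoring it keeps the sections readable.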