From 5e4d4a195d57ef33e188f0d48a03fe7b8a1c0b0e Mon Sep 17 00:00:00 2001
From: dinesh
Date: Tue, 26 May 2026 14:31:03 +0530
Subject: [PATCH 1/5] fix: add missing quote and backslash chars to sanitize_input to prevent command injection

---
 backend/secuscan/validation.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/secuscan/validation.py b/backend/secuscan/validation.py
index 495edfa3..b6148609 100644
--- a/backend/secuscan/validation.py
+++ b/backend/secuscan/validation.py
@@ -198,7 +198,7 @@ def sanitize_input(value: str) -> str:
 Sanitized value
 """
 # Remove shell metacharacters
- dangerous_chars = [';', '|', '&', '$', '`', '(', ')', '<', '>', '\n', '\r']
+ dangerous_chars = [';', '|', '&', '$', '`', '(', ')', '<', '>', '\n', '\r', "'", '"', '\\', '!', '{', '}']
 for char in dangerous_chars:
 value = value.replace(char, '')

From a38a0bd72736fc527ec7a1ea1d0a0546204d83c6 Mon Sep 17 00:00:00 2001
From: dinesh
Date: Tue, 26 May 2026 14:34:33 +0530
Subject: [PATCH 2/5] docs: add incident response runbook for leaked vault keys and compromised plugins

---
 docs/incident-response-runbook.md | 58 +++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 docs/incident-response-runbook.md

diff --git a/docs/incident-response-runbook.md b/docs/incident-response-runbook.md
new file mode 100644
index 00000000..aacd5be7
--- /dev/null
+++ b/docs/incident-response-runbook.md
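Review bot: Stripping characters from `value` is a denylist, and the extended list still lets through the characters that matter most once a shell or `shlex.split` sees the string — space, tab, `*`, `?`, `~`, `#`, `[` and `]` are all absent — so an input like `host'; rm -rf /` comes out as `host rm -rf /` and is silently accepted rather than rejected. For anything that reaches a scanner command line, reject instead of mutating: `if not re.fullmatch(r"[A-Za-z0-9._:/,\-]+", value): raise ValueError("input contains disallowed characters")` (narrow the allowlist to the shapes the scanner really needs, and confirm `re` is imported in validation.py), and treat this function as defence in depth behind `subprocess.run([...], shell=False)` with the value passed as its own argv element, since no caller is visible here to confirm how the string is used. Removing `\\` also silently mangles any legitimate Windows path or escaped value without telling the caller. sanitize_input's `return` lies outside the hunk.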
@@ -0,0 +1,58 @@
+# Incident Response Runbook — SecuScan
+
+## 1. Leaked Vault Keys
+
+### Detection
+
+- Check logs for unauthorized access: `grep "vault" logs/secuscan.log`
+- Verify key usage timestamps in audit trail
+
+### Response Steps
+
+1. **Immediately revoke** the compromised key
+2. **Rotate** all vault keys: generate new keys, re-encrypt stored secrets
+3. **Invalidate** all active sessions and tokens
+4. **Audit** which reports used the compromised key
+5. **Notify** affected users
+
+### Verification
+
+```bash
+# Confirm new key is active
+python -m secuscan verify-vault-keys
+
+# Confirm old key is revoked
+python -m secuscan list-vault-keys --status
+```
+
+## 2. Compromised Plugins
+
+### Detection
+
+- Monitor plugin execution logs for anomalous behavior
+- Check plugin integrity hashes
+
+### Response Steps
+
+1. **Isolate** — disable the plugin immediately
+2. **Preserve logs** before any cleanup
+3. **Audit** all scans that used the compromised plugin
+4. **Restore** from last known clean state
+
+### Verification
+
+```bash
+# List active plugins
+python -m secuscan plugins --list
+
+# Disable compromised plugin
+python -m secuscan plugins --disable
+```
+
+## 3. Restoring Clean State
+
+1. Stop all running scans
+2. Rotate all credentials
+3. Re-validate plugin integrity
+4. Run full test suite: `pytest tests/`
+5. Confirm system health before resuming

From 3769e97985e1a1029a187e6a8f327259f315fb8d Mon Sep 17 00:00:00 2001
From: dinesh
Date: Tue, 26 May 2026 14:31:03 +0530
Subject: [PATCH 3/5] fix: limit excessive port scan ranges to prevent DoS

---
 backend/secuscan/validation.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/backend/secuscan/validation.py b/backend/secuscan/validation.py
index b6148609..54e072df 100644
--- a/backend/secuscan/validation.py
+++ b/backend/secuscan/validation.py
@@ -141,12 +141,16 @@ def validate_port_range(port_range: str) -> Tuple[bool, str]:
 return True, ""
 # Handle port ranges
+# Handle port ranges
 if '-' in port_range:
 try:
 start, end = map(int, port_range.split('-'))
 if start > end:
 return False, "Port range start must be less than end"
+ if (end - start) > settings.max_port_range_size:
+ return False, f"Port range too large (max {settings.max_port_range_size} ports allowed)"
+
 is_valid, msg = validate_port(start)
 if not is_valid:
 return False, msg

From 5d2732ac0725d0913b8007f1805265b3512d9a2d Mon Sep 17 00:00:00 2001
From: dinesh
Date: Tue, 26 May 2026 14:58:55 +0530
Subject: [PATCH 4/5] fix: add max_port_range_size setting

---
 backend/secuscan/config.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/backend/secuscan/config.py b/backend/secuscan/config.py
index e05e573c..7b30e36f 100644
--- a/backend/secuscan/config.py
+++ b/backend/secuscan/config.py
@@ -1,5 +1,5 @@
 """
-Configuration management for SecuScan backend
+Configuration manFagement for SecuScan backend
 """

 from pathlib import Path
@@ -11,7 +11,6 @@
 PROJECT_ROOT = Path(__file__).resolve().parent.parent
-
 class Settings(BaseSettings):
 """Application settings loaded from environment variables"""
@@ -19,7 +18,8 @@ class Settings(BaseSettings):
 bind_address: str = "127.0.0.1"
 bind_port: int = 8000
 debug: bool = True
-
+
+ max_port_range_size: int = 1000
 # Primary data store
 database_path: str = str(PROJECT_ROOT / "data" / "secuscan.db")

From ac4c1d85340ea28c12c5de880e04213722d0d5fd Mon Sep 17 00:00:00 2001
From: dinesh
Date: Tue, 26 May 2026 15:08:28 +0530
Subject: [PATCH 5/5] test: update port range validation test cases

---
 testing/backend/unit/test_validation.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/testing/backend/unit/test_validation.py b/testing/backend/unit/test_validation.py
index 0e5d8321..c7f38572 100644
--- a/testing/backend/unit/test_validation.py
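Review bot: The size guard is off by one against its own error message: `end - start` is one fewer than the number of ports in the span, so with the default of 1000 a request for `1-1001` (1001 ports) passes; use `if (end - start + 1) > settings.max_port_range_size:`. The added `+# Handle port ranges` duplicates the existing comment directly above it and sits at column 0 inside the function body, so drop it. The cap is also per span: the updated tests accept `22,80-90,443,8000-8100`, so comma lists appear to be split somewhere above this hunk, and a list of many spans each just under the cap still adds up to far more ports than the limit was meant to allow — if total scan work is the DoS concern, sum the span sizes across the list. `settings` has to be in scope in validation.py; no import for it is visible in this series. validate_port_range starts and ends outside the hunk.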
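Review bot: The rewritten module docstring introduces a typo, `Configuration manFagement for SecuScan backend`; the line should stay `Configuration management for SecuScan backend`. Since that docstring line is the only change in this hunk, the hunk can simply be dropped from the patch.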
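Review bot: `max_port_range_size` is added with no comment and is wedged directly above `# Primary data store`, so a reader cannot tell what the number bounds or which setting that heading belongs to. Give it its own commented line and keep the blank separator before the next group: `# Largest "start-end" span validate_port_range accepts (DoS guard)` above `max_port_range_size: int = 1000`, then a blank line before `# Primary data store`. As a `BaseSettings` field it is presumably overridable from the environment, where `0` or a negative value would reject every range; if pydantic's `Field` is available in config.py, `Field(default=1000, ge=1)` pins that down.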
+++ b/testing/backend/unit/test_validation.py
@@ -86,10 +86,9 @@ def test_validate_port_range():
 assert validate_port_range("22,80,443") == (True, "")
 # Mixed comma + range — this was the bug
- assert validate_port_range("80,443-8080") == (True, "")
- assert validate_port_range("22,80,443-8080") == (True, "")
- assert validate_port_range("22,80-90,443,8000-9000") == (True, "")
-
+ assert validate_port_range("80,443-500") == (True, "")
+ assert validate_port_range("22,80,443-500") == (True, "")
+ assert validate_port_range("22,80-90,443,8000-8100") == (True, "")
 # Invalid: out-of-range port
 assert validate_port_range("99999")[0] is False
 assert validate_port_range("80,99999")[0] is False
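Review bot: The updated cases only shrink the accepted ranges to fit under the new cap; nothing here asserts that the cap is enforced, so the fix this series exists for has no test. Add a rejection case, `assert validate_port_range("1-2000")[0] is False`, and one span that lands exactly on the limit once the `end - start` versus `end - start + 1` question in validate_port_range is settled, so the boundary is pinned rather than implied. The removed blank line before `# Invalid: out-of-range port` was the separator between the two groups of asserts; keep it. These expectations depend on the default `max_port_range_size` of 1000, so note that in the test or set the value explicitly so an environment override cannot flip the result.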