fix: add max port range validation to prevent DoS scans

backend/secuscan/config.py

@@ -1,5 +1,5 @@
 """
-Configuration management for SecuScan backend
+Configuration manFagement for SecuScan backend
 """
 
 from pathlib import Path
@@ -11,15 +11,15 @@
 
 PROJECT_ROOT = Path(__file__).resolve().parent.parent
 
-
 class Settings(BaseSettings):
     """Application settings loaded from environment variables"""
 
     # Server Configuration
     bind_address: str = "127.0.0.1"
     bind_port: int = 8000
     debug: bool = True
-
+
+    max_port_range_size: int = 1000
     # Primary data store
     database_path: str = str(PROJECT_ROOT / "data" / "secuscan.db")
 

backend/secuscan/validation.py

@@ -141,12 +141,16 @@ def validate_port_range(port_range: str) -> Tuple[bool, str]:
         return True, ""
 
     # Handle port ranges
+# Handle port ranges
     if '-' in port_range:
         try:
             start, end = map(int, port_range.split('-'))
             if start > end:
                 return False, "Port range start must be less than end"
 
+            if (end - start) > settings.max_port_range_size:
+                return False, f"Port range too large (max {settings.max_port_range_size} ports allowed)"
+
             is_valid, msg = validate_port(start)
             if not is_valid:
                 return False, msg
@@ -198,7 +202,7 @@ def sanitize_input(value: str) -> str:
         Sanitized value
     """
     # Remove shell metacharacters
-    dangerous_chars = [';', '|', '&', '$', '`', '(', ')', '<', '>', '\n', '\r']
+    dangerous_chars = [';', '|', '&', '$', '`', '(', ')', '<', '>', '\n', '\r', "'", '"', '\\', '!', '{', '}']
     for char in dangerous_chars:
         value = value.replace(char, '')
 

docs/incident-response-runbook.md

@@ -0,0 +1,58 @@
+# Incident Response Runbook — SecuScan
+
+## 1. Leaked Vault Keys
+
+### Detection
+
+- Check logs for unauthorized access: `grep "vault" logs/secuscan.log`
+- Verify key usage timestamps in audit trail
+
+### Response Steps
+
+1. **Immediately revoke** the compromised key
+2. **Rotate** all vault keys: generate new keys, re-encrypt stored secrets
+3. **Invalidate** all active sessions and tokens
+4. **Audit** which reports used the compromised key
+5. **Notify** affected users
+
+### Verification
+
+```bash
+# Confirm new key is active
+python -m secuscan verify-vault-keys
+
+# Confirm old key is revoked
+python -m secuscan list-vault-keys --status
+```
+
+## 2. Compromised Plugins
+
+### Detection
+
+- Monitor plugin execution logs for anomalous behavior
+- Check plugin integrity hashes
+
+### Response Steps
+
+1. **Isolate** — disable the plugin immediately
+2. **Preserve logs** before any cleanup
+3. **Audit** all scans that used the compromised plugin
+4. **Restore** from last known clean state
+
+### Verification
+
+```bash
+# List active plugins
+python -m secuscan plugins --list
+
+# Disable compromised plugin
+python -m secuscan plugins --disable <plugin-name>
+```
+
+## 3. Restoring Clean State
+
+1. Stop all running scans
+2. Rotate all credentials
+3. Re-validate plugin integrity
+4. Run full test suite: `pytest tests/`
+5. Confirm system health before resuming

testing/backend/unit/test_validation.py

@@ -86,10 +86,9 @@ def test_validate_port_range():
     assert validate_port_range("22,80,443") == (True, "")
 
     # Mixed comma + range — this was the bug
-    assert validate_port_range("80,443-8080") == (True, "")
-    assert validate_port_range("22,80,443-8080") == (True, "")
-    assert validate_port_range("22,80-90,443,8000-9000") == (True, "")
-
+    assert validate_port_range("80,443-500") == (True, "")
+    assert validate_port_range("22,80,443-500") == (True, "")
+    assert validate_port_range("22,80-90,443,8000-8100") == (True, "")
     # Invalid: out-of-range port
     assert validate_port_range("99999")[0] is False
     assert validate_port_range("80,99999")[0] is False