alee/fieldwitness
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix 12 security findings from adversarial audit
Some checks failed
CI / typecheck (push) Waiting to run
Details
CI / lint (push) Has been cancelled
Details

Browse Source 
CRITICAL:
- #1+#2: Consistency proof verification no longer a stub — implements
  actual hash chain reconstruction from proof hashes, rejects proofs
  that don't reconstruct to the expected root. GossipNode._verify_consistency
  now calls verify_consistency_proof() instead of just checking sizes.
- #3: Remove passphrase.lower() from KDF — was silently discarding
  case entropy from mixed-case passphrases. Passphrases are now
  case-sensitive as users would expect.
- #4: Federation gossip now applies record_filter (trust store check)
  on every received record before appending to the log. Untrusted
  attestor fingerprints are rejected with a warning.
- #5: Killswitch disables all logging BEFORE activation to prevent
  audit log from recording killswitch activity that could survive an
  interrupted purge. Audit log destruction moved to position 4 (right
  after keys + flask secret, before other data).

HIGH:
- #6: CSRF exemption narrowed from entire dropbox blueprint to only
  the upload view function. Admin routes retain CSRF protection.
- #7: /health endpoint returns only {"status":"ok"} to anonymous
  callers. Full operational report requires authentication.
- #8: Metadata stripping now reconstructs image from pixel data only
  (Image.new + putdata), stripping XMP, IPTC, and ICC profiles — not
  just EXIF.
- #9: Same as #6 (CSRF scope fix).

MEDIUM:
- #11: Receipt HMAC key changed from public upload token to server-side
  secret key, making valid receipts unforgeable by the source or anyone
  who captured the upload URL.
- #12: Docker CMD no longer defaults to --no-https. HTTPS with
  self-signed cert is the default; --no-https requires explicit opt-in.
- #14: shred return code now checked — non-zero exit falls through to
  the zero-overwrite fallback instead of silently succeeding.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Aaron D. Lee
2026-04-01 23:31:03 -04:00
parent 496198d49a
commit 2629aabcc5
8 changed files with 128 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
frontends/web/blueprints/dropbox.py
View File

@@ -235,12 +235,16 @@ def upload(token):
except Exception:
pass # Attestation is best-effort; don't fail the upload
# Receipt code derived from file hash via HMAC — the source can
# independently verify their receipt corresponds to specific content
# Receipt code derived from file hash via HMAC with a server-side
# secret. The source cannot pre-compute this (the token alone is
# insufficient), making valid receipts unforgeable.
import hmac
from soosef.paths import SECRET_KEY_FILE
server_secret = SECRET_KEY_FILE.read_bytes() if SECRET_KEY_FILE.exists() else token.encode()
receipt_code = hmac.new(
token.encode(), sha256.encode(), hashlib.sha256
server_secret, sha256.encode(), hashlib.sha256
).hexdigest()[:16]
receipts.append({