javascript-solid-server 0.0.71 → 0.0.72

package/SECURITY-AUDIT-2026-01-15.md

@@ -1,514 +0,0 @@
-# JSS Deep Security Audit Report
-
-**Date:** 2026-01-15  
-**Auditor:** Comprehensive Security Review  
-**Version Audited:** 0.0.51  
-**Previous Audit:** 2026-01-03 (v0.0.48)
-
----
-
-## Executive Summary
-
-A comprehensive security audit of JavaScriptSolidServer (v0.0.51) revealed **1 critical**, **3 high**, **5 medium**, and **4 low** severity vulnerabilities. While previous critical issues (ACL bypass, JWT signature verification, SSRF) have been fixed, new vulnerabilities were discovered in path traversal protection, input validation, and denial-of-service resistance.
-
-**Overall Security Posture:** 🟡 **Moderate Risk** - Critical path traversal vulnerability requires immediate attention.
-
----
-
-## Critical Vulnerabilities
-
-### 1. Path Traversal Vulnerability in `urlToPath` (CRITICAL) ⚠️
-
-**Location:** `src/utils/url.js:23-32`
-
-**Description:** The path traversal protection in `urlToPath()` and `urlToPathWithPod()` is insufficient and can be bypassed using multiple techniques.
-
-**Vulnerable Code:**
-
-```javascript
-export function urlToPath(urlPath) {
-  let normalized = urlPath.startsWith('/') ? urlPath.slice(1) : urlPath
-  normalized = decodeURIComponent(normalized)
-
-  // Security: prevent path traversal
-  normalized = normalized.replace(/\.\./g, '') // ❌ INSUFFICIENT
-
-  return path.join(getDataRoot(), normalized)
-}
-```
-
-**Attack Vectors:**
-
-1. **Double-dot bypass:** `....//` → after replacement becomes `../`
-2. **URL encoding bypass:** `%2e%2e%2f` → decodes to `../` after replacement
-3. **Mixed encoding:** `%2e.` → decodes to `..` after replacement
-4. **Path separator injection:** `path.join()` doesn't prevent traversal if normalized still contains `/` or `\`
-
-**Proof of Concept:**
-
-```bash
-# Bypass 1: Double-dot
-GET /alice/....//etc/passwd
-
-# Bypass 2: URL encoding
-GET /alice/%2e%2e%2f%2e%2e%2fetc%2fpasswd
-
-# Bypass 3: Mixed
-GET /alice/%2e./%2e./etc/passwd
-
-# Bypass 4: Windows path separator
-GET /alice/..\..\etc\passwd
-```
-
-**Impact:**
-
-- Read arbitrary files outside DATA_ROOT
-- Write arbitrary files (if write permission exists)
-- Access other pods' data in multi-user mode
-- Potential remote code execution if sensitive config files are overwritten
-
-**CVSS Score:** 9.1 (Critical)
-
-**Fix Required:**
-
-```javascript
-export function urlToPath(urlPath) {
-  let normalized = urlPath.startsWith('/') ? urlPath.slice(1) : urlPath
-  normalized = decodeURIComponent(normalized)
-
-  // Remove all path traversal attempts (multiple passes)
-  normalized = normalized.replace(/\.\./g, '')
-  normalized = normalized.replace(/\.\./g, '') // Second pass for ....//
-
-  // Resolve to absolute path and check it's within DATA_ROOT
-  const resolved = path.resolve(getDataRoot(), normalized)
-  const dataRoot = path.resolve(getDataRoot())
-
-  if (!resolved.startsWith(dataRoot + path.sep) && resolved !== dataRoot) {
-    throw new Error('Path traversal detected')
-  }
-
-  return resolved
-}
-```
-
----
-
-## High Severity Vulnerabilities
-
-### 2. JSON.parse DoS via Malicious Input (HIGH)
-
-**Location:** Multiple files (17 instances found)
-
-**Description:** `JSON.parse()` is called on user-controlled input without size limits or try-catch in several locations, allowing denial-of-service attacks via:
-
-- Deeply nested JSON structures
-- Large JSON payloads
-- Malformed JSON causing parser hangs
-
-**Vulnerable Locations:**
-
-- `src/handlers/resource.js:89, 271, 294, 653, 670` - HTML data island extraction
-- `src/auth/nostr.js:87` - Nostr event decoding
-- `src/idp/interactions.js:62, 75, 321` - Form body parsing
-- `src/rdf/conneg.js:140` - Content negotiation
-- `src/wac/parser.js:40` - ACL parsing
-
-**Impact:**
-
-- Server resource exhaustion (CPU, memory)
-- Request timeouts
-- Potential service unavailability
-
-**CVSS Score:** 7.5 (High)
-
-**Fix Required:** Add size limits and proper error handling:
-
-```javascript
-// Example fix for resource.js
-try {
-  const maxSize = 10 * 1024 * 1024 // 10MB limit
-  if (jsonLdMatch[1].length > maxSize) {
-    throw new Error('JSON-LD data island too large')
-  }
-  const jsonLd = JSON.parse(jsonLdMatch[1])
-} catch (e) {
-  if (e instanceof SyntaxError) {
-    return reply.code(400).send({ error: 'Invalid JSON-LD' })
-  }
-  throw e
-}
-```
-
----
-
-### 3. SPARQL Update Injection Risk (HIGH)
-
-**Location:** `src/patch/sparql-update.js:22-85`
-
-**Description:** The SPARQL Update parser uses regex-based parsing with fallback to simple pattern matching. This can be exploited to:
-
-- Inject malicious SPARQL constructs
-- Bypass intended DELETE/INSERT operations
-- Cause parser errors leading to information disclosure
-
-**Vulnerable Code:**
-
-```javascript
-// Regex-based parsing without proper validation
-const insertDataMatch = query.match(/INSERT\s+DATA\s*\{([^}]+)\}/is)
-const deleteDataMatch = query.match(/DELETE\s+DATA\s*\{([^}]+)\}/is)
-```
-
-**Attack Vector:**
-
-```sparql
-INSERT DATA {
-  <#malicious> <predicate> "value" .
-} INSERT DATA {
-  <#legitimate> <predicate> "value" .
-}
-```
-
-**Impact:**
-
-- Unauthorized data modification
-- Data corruption
-- ACL bypass through unexpected triple insertions
-
-**CVSS Score:** 8.1 (High)
-
-**Fix Required:** Use proper SPARQL parser library or implement strict validation.
-
----
-
-### 4. WebSocket DoS via Subscription Spam (HIGH)
-
-**Location:** `src/notifications/websocket.js:34-53`
-
-**Description:** WebSocket connections can subscribe to unlimited URLs without rate limiting, allowing:
-
-- Memory exhaustion via subscription spam
-- CPU exhaustion via broadcast storms
-- Resource exhaustion attacks
-
-**Vulnerable Code:**
-
-```javascript
-socket.on('message', message => {
-  const msg = message.toString().trim()
-  if (msg.startsWith('sub ')) {
-    const url = msg.slice(4).trim()
-    if (url) {
-      subscribe(socket, url) // ❌ No limits
-      socket.send(`ack ${url}`)
-    }
-  }
-})
-```
-
-**Impact:**
-
-- Server memory exhaustion
-- CPU exhaustion during broadcasts
-- Service unavailability
-
-**CVSS Score:** 7.5 (High)
-
-**Fix Required:** Implement per-connection subscription limits:
-
-```javascript
-const MAX_SUBSCRIPTIONS_PER_CONNECTION = 100
-const socketSubs = subscriptions.get(socket)
-if (socketSubs && socketSubs.size >= MAX_SUBSCRIPTIONS_PER_CONNECTION) {
-  socket.send('error: Subscription limit exceeded')
-  return
-}
-```
-
----
-
-## Medium Severity Vulnerabilities
-
-### 5. Insufficient Rate Limiting Coverage (MEDIUM)
-
-**Location:** `src/server.js:131-143`
-
-**Description:** Rate limiting is configured but not applied to all sensitive endpoints:
-
-- PATCH operations (can be expensive)
-- DELETE operations (destructive)
-- WebSocket connections (no rate limit)
-- OIDC token endpoint (credential stuffing)
-
-**Impact:**
-
-- Brute force attacks on authentication
-- Resource exhaustion via rapid requests
-- DoS via expensive operations
-
-**CVSS Score:** 5.3 (Medium)
-
-**Fix Required:** Apply rate limiting to all write operations and authentication endpoints.
-
----
-
-### 6. Information Disclosure via Error Messages (MEDIUM)
-
-**Location:** Multiple handlers
-
-**Description:** Error messages may reveal:
-
-- Internal file paths
-- Stack traces in development mode
-- Database structure hints
-- System architecture details
-
-**Examples:**
-
-- `src/handlers/resource.js:502` - Turtle parsing errors expose internal paths
-- `src/patch/sparql-update.js:696` - SPARQL errors reveal query structure
-
-**Impact:**
-
-- Information useful for further attacks
-- System fingerprinting
-- Path enumeration
-
-**CVSS Score:** 4.3 (Medium)
-
-**Fix Required:** Sanitize error messages in production:
-
-```javascript
-if (process.env.NODE_ENV === 'production') {
-  return reply.code(400).send({ error: 'Invalid request' })
-} else {
-  return reply
-    .code(400)
-    .send({ error: 'Invalid request', details: err.message })
-}
-```
-
----
-
-### 7. Missing Input Validation on Slug Header (MEDIUM)
-
-**Location:** `src/handlers/container.js:55, 62`
-
-**Description:** The `Slug` header in POST requests is sanitized but not fully validated:
-
-- No length limit
-- No character set validation beyond path traversal
-- Can create files with problematic names
-
-**Vulnerable Code:**
-
-```javascript
-const slug = request.headers.slug
-const filename = await storage.generateUniqueFilename(
-  storagePath,
-  slug,
-  isCreatingContainer
-)
-```
-
-**Impact:**
-
-- Filesystem issues with special characters
-- Potential path confusion attacks
-- Unicode normalization issues
-
-**CVSS Score:** 4.9 (Medium)
-
-**Fix Required:** Add strict validation:
-
-```javascript
-if (slug && slug.length > 255) {
-  return reply.code(400).send({ error: 'Slug too long' })
-}
-if (slug && !/^[a-zA-Z0-9._-]+$/.test(slug)) {
-  return reply.code(400).send({ error: 'Invalid slug format' })
-}
-```
-
----
-
-### 8. RDF Parsing DoS via Billion Laughs Attack (MEDIUM)
-
-**Location:** `src/rdf/turtle.js:32-56`, `src/rdf/conneg.js`
-
-**Description:** Turtle/N3 parsing doesn't limit:
-
-- Quad count
-- Prefix expansion depth
-- Recursive entity references
-
-**Impact:**
-
-- Memory exhaustion via large RDF documents
-- CPU exhaustion via complex parsing
-- Service unavailability
-
-**CVSS Score:** 5.3 (Medium)
-
-**Fix Required:** Add parsing limits:
-
-```javascript
-const MAX_QUADS = 100000
-const MAX_PREFIXES = 1000
-// Enforce limits during parsing
-```
-
----
-
-### 9. Missing CSRF Protection on State-Changing Operations (MEDIUM)
-
-**Location:** All PUT/PATCH/DELETE handlers
-
-**Description:** No CSRF tokens or SameSite cookie protection for state-changing operations. While Solid-OIDC DPoP tokens provide some protection, simple Bearer tokens are vulnerable.
-
-**Impact:**
-
-- Cross-site request forgery
-- Unauthorized data modification
-- Account takeover (if combined with XSS)
-
-**CVSS Score:** 6.1 (Medium)
-
-**Fix Required:** Implement CSRF protection for non-DPoP tokens or require SameSite cookies.
-
----
-
-## Low Severity Vulnerabilities
-
-### 10. Weak Path Traversal Protection in `generateUniqueFilename` (LOW)
-
-**Location:** `src/storage/filesystem.js:132-150`
-
-**Description:** Only removes `/` and `\` but doesn't validate the final path is within bounds.
-
-**Impact:** Limited - only affects POST slug generation, not direct path access.
-
-**CVSS Score:** 3.1 (Low)
-
----
-
-### 11. Missing Content-Length Validation (LOW)
-
-**Location:** Request body handlers
-
-**Description:** `bodyLimit` is set to 10MB but no per-request validation of Content-Length header.
-
-**Impact:** Potential for request smuggling or resource exhaustion.
-
-**CVSS Score:** 3.5 (Low)
-
----
-
-### 12. Insufficient Logging of Security Events (LOW)
-
-**Location:** Authentication and authorization handlers
-
-**Description:** Failed authentication attempts are logged but not rate-limited or blocked after repeated failures.
-
-**Impact:** Difficulty detecting brute force attacks.
-
-**CVSS Score:** 2.5 (Low)
-
----
-
-### 13. CORS Headers Allow All Origins (LOW)
-
-**Location:** `src/ldp/headers.js`
-
-**Description:** CORS headers allow requests from any origin (`*`). While necessary for Solid interoperability, this increases XSS risk.
-
-**Impact:** Increased XSS attack surface.
-
-**CVSS Score:** 3.1 (Low)
-
-**Note:** This may be intentional for Solid protocol compliance.
-
----
-
-## Positive Security Findings
-
-✅ **Fixed Issues from Previous Audit:**
-
-- ACL bypass (v0.0.49) - Now requires Control permission
-- JWT signature verification (v0.0.49) - Properly verifies against JWKS
-- SSRF protection (v0.0.50) - URL validation implemented
-- Pod creation abuse (v0.0.51) - Rate limited
-- Default token secret (v0.0.51) - Fails in production if not set
-- Rate limiting (v0.0.51) - Basic rate limiting added
-
-✅ **Good Security Practices:**
-
-- Constant-time comparison for HMAC verification
-- Proper bcrypt usage for password hashing
-- DPoP proof validation with timestamp checks
-- SSRF protection with DNS rebinding prevention
-- Path traversal attempt in `generateUniqueFilename`
-- WAC authorization properly implemented
-- No `eval()` or `Function()` usage found
-
----
-
-## Recommendations
-
-### Immediate Actions (Critical/High)
-
-1. **Fix path traversal vulnerability** - Implement proper path resolution and validation
-2. **Add JSON.parse size limits** - Prevent DoS via malicious JSON
-3. **Harden SPARQL parser** - Use proper parser or strict validation
-4. **Limit WebSocket subscriptions** - Prevent memory exhaustion
-
-### Short-term Actions (Medium)
-
-5. **Expand rate limiting** - Cover all write operations and auth endpoints
-6. **Sanitize error messages** - Remove internal details in production
-7. **Validate Slug header** - Add length and character restrictions
-8. **Add RDF parsing limits** - Prevent Billion Laughs attacks
-
-### Long-term Actions (Low)
-
-9. **Implement CSRF protection** - For non-DPoP authentication
-10. **Enhanced security logging** - Track and alert on suspicious patterns
-11. **Security headers** - Add HSTS, CSP, X-Frame-Options where appropriate
-12. **Regular security audits** - Schedule quarterly reviews
-
----
-
-## Testing Recommendations
-
-1. **Fuzz testing** - Path traversal, JSON parsing, SPARQL parsing
-2. **Load testing** - WebSocket subscriptions, concurrent requests
-3. **Penetration testing** - Full security assessment
-4. **Dependency scanning** - Check for vulnerable npm packages
-
----
-
-## Remediation Priority
-
-| Priority | Issue              | Severity | Effort | Target Version |
-| -------- | ------------------ | -------- | ------ | -------------- |
-| P0       | Path traversal     | Critical | Medium | v0.0.52        |
-| P1       | JSON.parse DoS     | High     | Low    | v0.0.52        |
-| P1       | WebSocket DoS      | High     | Low    | v0.0.52        |
-| P2       | SPARQL injection   | High     | High   | v0.0.53        |
-| P2       | Rate limiting gaps | Medium   | Medium | v0.0.53        |
-| P3       | Error disclosure   | Medium   | Low    | v0.0.54        |
-| P3       | Input validation   | Medium   | Low    | v0.0.54        |
-
----
-
-## Conclusion
-
-While significant security improvements have been made since the previous audit, the path traversal vulnerability requires immediate attention. The codebase shows good security awareness with proper authentication, authorization, and SSRF protection. However, input validation and DoS resistance need strengthening.
-
-**Overall Assessment:** The server is suitable for production use after fixing the critical path traversal issue and implementing the high-priority recommendations.
-
----
-
-_Report generated: 2026-01-15_  
-_Next audit recommended: 2026-04-15_