tlc-claude-code 1.4.8 → 1.4.9

package/server/lib/security/network-policy.js

@@ -0,0 +1,174 @@
+/**
+ * Network Security Policy Module
+ *
+ * Validates network configuration for container security.
+ */
+
+const DATABASE_IMAGES = [/postgres/i, /mysql/i, /mariadb/i, /mongo/i, /redis/i, /elasticsearch/i];
+const DATABASE_PORTS = ['5432', '3306', '27017', '6379', '9200', '9300'];
+
+function isDatabase(name, service) {
+  if (DATABASE_IMAGES.some(p => p.test(service.image || ''))) return true;
+  if (/db|database|postgres|mysql|mongo|redis/i.test(name)) return true;
+  return false;
+}
+
+export function validateNetworkConfig(config) {
+  const findings = [];
+  const services = config.services || {};
+  const networks = config.networks || {};
+
+  const hasCustomNetworks = Object.keys(networks).length > 0;
+  const servicesUsingNetworks = Object.values(services).filter(s => s.networks?.length > 0);
+
+  if (!hasCustomNetworks || servicesUsingNetworks.length === 0) {
+    findings.push({
+      rule: 'no-default-bridge',
+      severity: 'medium',
+      message: 'Services using default bridge network. Define custom networks for isolation.',
+      fix: 'Create custom networks and assign services to them.',
+    });
+  }
+
+  // Check database network isolation
+  for (const [name, service] of Object.entries(services)) {
+    if (isDatabase(name, service) && service.networks) {
+      const hasInternalNetwork = service.networks.some(netName => networks[netName]?.internal === true);
+      if (!hasInternalNetwork) {
+        findings.push({
+          rule: 'database-internal-only',
+          severity: 'high',
+          service: name,
+          message: `Database '${name}' should be on internal network only.`,
+          fix: 'Add "internal: true" to database network.',
+        });
+      }
+    }
+  }
+
+  // Check for network segmentation
+  const networkUsage = {};
+  for (const [name, service] of Object.entries(services)) {
+    for (const net of service.networks || []) {
+      networkUsage[net] = networkUsage[net] || [];
+      networkUsage[net].push(name);
+    }
+  }
+
+  const sharedNetworks = Object.entries(networkUsage).filter(([, svcs]) => svcs.length > 2);
+  if (sharedNetworks.length > 0 && Object.keys(networks).length === 1) {
+    findings.push({
+      rule: 'recommend-network-segmentation',
+      severity: 'low',
+      message: 'Multiple services share single network. Consider segmenting by function.',
+      fix: 'Create separate networks for frontend, backend, and data tiers.',
+    });
+  }
+
+  return { findings, score: Math.max(0, 100 - findings.length * 15) };
+}
+
+export function analyzeNetworkTopology(config) {
+  const services = config.services || {};
+  const networks = config.networks || {};
+  const topology = { services: {}, networks: {}, externalAccessPoints: [] };
+
+  // Map services to networks
+  for (const [name, service] of Object.entries(services)) {
+    topology.services[name] = {
+      networks: service.networks || [],
+      canReach: [],
+      ports: service.ports || [],
+    };
+    if (service.ports?.length > 0) {
+      topology.externalAccessPoints.push(name);
+    }
+  }
+
+  // Calculate reachability
+  for (const [name, data] of Object.entries(topology.services)) {
+    for (const [otherName, otherData] of Object.entries(topology.services)) {
+      if (name !== otherName) {
+        const sharedNetworks = data.networks.filter(n => otherData.networks.includes(n));
+        if (sharedNetworks.length > 0) {
+          data.canReach.push(otherName);
+        }
+      }
+    }
+  }
+
+  // Network info
+  for (const [name, config] of Object.entries(networks)) {
+    topology.networks[name] = { internal: config.internal || false };
+  }
+
+  return topology;
+}
+
+export function detectExposedPorts(config) {
+  const findings = [];
+  const services = config.services || {};
+
+  for (const [name, service] of Object.entries(services)) {
+    const ports = service.ports || [];
+
+    for (const portMapping of ports) {
+      const portStr = String(portMapping);
+
+      // Check for database ports exposed
+      if (isDatabase(name, service)) {
+        const containerPort = portStr.split(':').pop();
+        if (DATABASE_PORTS.includes(containerPort)) {
+          findings.push({
+            rule: 'database-port-exposed',
+            severity: 'high',
+            service: name,
+            message: `Database port ${containerPort} exposed externally.`,
+            fix: 'Use "expose" instead of "ports" for internal-only access.',
+          });
+        }
+      }
+
+      // Check for binding to all interfaces
+      if (portStr.startsWith('0.0.0.0:')) {
+        findings.push({
+          rule: 'avoid-bind-all-interfaces',
+          severity: 'medium',
+          service: name,
+          message: `Port binding to 0.0.0.0 (all interfaces).`,
+          fix: 'Bind to 127.0.0.1 for local-only access.',
+        });
+      }
+    }
+  }
+
+  return { findings, score: Math.max(0, 100 - findings.length * 20) };
+}
+
+export function createNetworkValidator(options = {}) {
+  return {
+    validate(config) {
+      const networkResult = validateNetworkConfig(config);
+      const portsResult = detectExposedPorts(config);
+      const topology = analyzeNetworkTopology(config);
+
+      const findings = [...networkResult.findings, ...portsResult.findings];
+      const score = Math.max(0, 100 - findings.length * 10);
+
+      return {
+        findings,
+        score,
+        topology: {
+          nodes: Object.keys(config.services || {}),
+          ...topology,
+        },
+        summary: {
+          total: findings.length,
+          high: findings.filter(f => f.severity === 'high').length,
+          medium: findings.filter(f => f.severity === 'medium').length,
+          low: findings.filter(f => f.severity === 'low').length,
+        },
+      };
+    },
+  };
+}

package/server/lib/security/network-policy.test.js

@@ -0,0 +1,164 @@
+/**
+ * Network Security Policy Tests
+ */
+import { describe, it, expect } from 'vitest';
+import {
+  validateNetworkConfig,
+  analyzeNetworkTopology,
+  detectExposedPorts,
+  createNetworkValidator,
+} from './network-policy.js';
+
+describe('network-policy', () => {
+  describe('validateNetworkConfig', () => {
+    it('detects default bridge network usage', () => {
+      const config = { services: { app: { image: 'node:20' } }, networks: {} };
+      const result = validateNetworkConfig(config);
+      expect(result.findings.some(f => f.rule === 'no-default-bridge')).toBe(true);
+    });
+
+    it('passes with custom networks', () => {
+      const config = {
+        services: { app: { image: 'node:20', networks: ['custom'] } },
+        networks: { custom: {} },
+      };
+      const result = validateNetworkConfig(config);
+      expect(result.findings.some(f => f.rule === 'no-default-bridge')).toBe(false);
+    });
+
+    it('detects database on external network', () => {
+      const config = {
+        services: { db: { image: 'postgres:16', networks: ['public'] } },
+        networks: { public: {} },
+      };
+      const result = validateNetworkConfig(config);
+      expect(result.findings.some(f => f.rule === 'database-internal-only')).toBe(true);
+    });
+
+    it('passes with database on internal network', () => {
+      const config = {
+        services: { db: { image: 'postgres:16', networks: ['backend'] } },
+        networks: { backend: { internal: true } },
+      };
+      const result = validateNetworkConfig(config);
+      expect(result.findings.some(f => f.rule === 'database-internal-only')).toBe(false);
+    });
+
+    it('warns on service with no network isolation', () => {
+      const config = {
+        services: {
+          app: { image: 'node:20', networks: ['shared'] },
+          db: { image: 'postgres:16', networks: ['shared'] },
+          cache: { image: 'redis:7', networks: ['shared'] },
+        },
+        networks: { shared: {} },
+      };
+      const result = validateNetworkConfig(config);
+      expect(result.findings.some(f => f.rule === 'recommend-network-segmentation')).toBe(true);
+    });
+  });
+
+  describe('analyzeNetworkTopology', () => {
+    it('identifies service connectivity', () => {
+      const config = {
+        services: {
+          app: { image: 'node:20', networks: ['frontend', 'backend'] },
+          db: { image: 'postgres:16', networks: ['backend'] },
+        },
+        networks: { frontend: {}, backend: { internal: true } },
+      };
+      const topology = analyzeNetworkTopology(config);
+      expect(topology.services.app.networks).toContain('frontend');
+      expect(topology.services.app.canReach).toContain('db');
+    });
+
+    it('identifies isolated services', () => {
+      const config = {
+        services: {
+          app: { image: 'node:20', networks: ['frontend'] },
+          db: { image: 'postgres:16', networks: ['backend'] },
+        },
+        networks: { frontend: {}, backend: { internal: true } },
+      };
+      const topology = analyzeNetworkTopology(config);
+      expect(topology.services.app.canReach).not.toContain('db');
+    });
+
+    it('identifies external access points', () => {
+      const config = {
+        services: { app: { image: 'node:20', ports: ['3000:3000'], networks: ['public'] } },
+        networks: { public: {} },
+      };
+      const topology = analyzeNetworkTopology(config);
+      expect(topology.externalAccessPoints).toContain('app');
+    });
+  });
+
+  describe('detectExposedPorts', () => {
+    it('detects unnecessarily exposed database ports', () => {
+      const config = {
+        services: { db: { image: 'postgres:16', ports: ['5432:5432'] } },
+        networks: {},
+      };
+      const result = detectExposedPorts(config);
+      expect(result.findings.some(f => f.rule === 'database-port-exposed')).toBe(true);
+    });
+
+    it('passes with internal-only database', () => {
+      const config = {
+        services: { db: { image: 'postgres:16', expose: ['5432'] } },
+        networks: {},
+      };
+      const result = detectExposedPorts(config);
+      expect(result.findings.some(f => f.rule === 'database-port-exposed')).toBe(false);
+    });
+
+    it('warns on binding to 0.0.0.0', () => {
+      const config = {
+        services: { app: { image: 'node:20', ports: ['0.0.0.0:3000:3000'] } },
+        networks: {},
+      };
+      const result = detectExposedPorts(config);
+      expect(result.findings.some(f => f.rule === 'avoid-bind-all-interfaces')).toBe(true);
+    });
+
+    it('passes with localhost binding', () => {
+      const config = {
+        services: { app: { image: 'node:20', ports: ['127.0.0.1:3000:3000'] } },
+        networks: {},
+      };
+      const result = detectExposedPorts(config);
+      expect(result.findings.some(f => f.rule === 'avoid-bind-all-interfaces')).toBe(false);
+    });
+  });
+
+  describe('createNetworkValidator', () => {
+    it('calculates network security score', () => {
+      const validator = createNetworkValidator();
+      const secureConfig = {
+        services: {
+          app: { image: 'node:20', networks: ['frontend', 'backend'] },
+          db: { image: 'postgres:16', networks: ['backend'] },
+        },
+        networks: { frontend: {}, backend: { internal: true } },
+      };
+      const result = validator.validate(secureConfig);
+      expect(result.score).toBeGreaterThanOrEqual(80);
+    });
+
+    it('generates network topology diagram data', () => {
+      const validator = createNetworkValidator();
+      const config = {
+        services: {
+          app: { image: 'node:20', networks: ['web'] },
+          api: { image: 'node:20', networks: ['web', 'data'] },
+          db: { image: 'postgres:16', networks: ['data'] },
+        },
+        networks: { web: {}, data: { internal: true } },
+      };
+      const result = validator.validate(config);
+      expect(result.topology).toBeDefined();
+      expect(result.topology.nodes.length).toBe(3);
+    });
+  });
+});

package/server/lib/security/output-encoder.js

@@ -0,0 +1,237 @@
+/**
+ * Output Encoder Module
+ *
+ * Context-aware output encoding to prevent XSS.
+ * Addresses OWASP A03: Cross-Site Scripting (XSS)
+ */
+
+/**
+ * HTML entity map
+ */
+const HTML_ENTITIES = {
+  '&': '&',
+  '<': '&lt;',
+  '>': '&gt;',
+  '"': '&quot;',
+  "'": '&#x27;',
+  '/': '&#x2F;',
+};
+
+/**
+ * Additional attribute encoding entities
+ */
+const ATTRIBUTE_ENTITIES = {
+  ...HTML_ENTITIES,
+  '=': '&#x3D;',
+  '`': '&#x60;',
+  '(': '&#x28;',
+  ')': '&#x29;',
+};
+
+/**
+ * Encode a string for HTML content context
+ * @param {any} input - The input to encode
+ * @param {Object} options - Encoding options
+ * @returns {string} Encoded string
+ */
+export function encodeHtml(input, options = {}) {
+  const { skipEncoded = false } = options;
+
+  // Handle null/undefined
+  if (input === null || input === undefined) {
+    return '';
+  }
+
+  // Convert to string
+  let str = String(input);
+
+  // Strip null bytes
+  str = str.replace(/\x00/g, '');
+
+  // Skip if already encoded and option is set
+  if (skipEncoded && /&[a-z]+;|&#x?[0-9a-f]+;/i.test(str)) {
+    return str;
+  }
+
+  // Encode HTML entities
+  return str.replace(/[&<>"'\/]/g, (char) => HTML_ENTITIES[char]);
+}
+
+/**
+ * Encode a string for HTML attribute context
+ * @param {string} input - The input to encode
+ * @param {Object} options - Encoding options
+ * @returns {string} Encoded string
+ */
+export function encodeHtmlAttribute(input, options = {}) {
+  const { context = 'default' } = options;
+
+  if (input === null || input === undefined) {
+    return '';
+  }
+
+  let str = String(input);
+
+  // Strip null bytes
+  str = str.replace(/\x00/g, '');
+
+  // For event handler context, be more restrictive
+  if (context === 'event') {
+    str = str.replace(/[&<>"'\/=`()]/g, (char) => ATTRIBUTE_ENTITIES[char] || '');
+  } else {
+    str = str.replace(/[&<>"'\/=`]/g, (char) => ATTRIBUTE_ENTITIES[char]);
+  }
+
+  return str;
+}
+
+/**
+ * Encode a string for JavaScript string context
+ * @param {string} input - The input to encode
+ * @returns {string} Encoded string
+ */
+export function encodeJavaScript(input) {
+  if (input === null || input === undefined) {
+    return '';
+  }
+
+  let str = String(input);
+
+  // Strip null bytes
+  str = str.replace(/\x00/g, '');
+
+  // Escape backslashes first
+  str = str.replace(/\\/g, '\\\\');
+
+  // Escape quotes
+  str = str.replace(/'/g, "\\'");
+  str = str.replace(/"/g, '\\"');
+
+  // Escape newlines
+  str = str.replace(/\n/g, '\\n');
+  str = str.replace(/\r/g, '\\r');
+
+  // Escape forward slashes (prevents </script> breaking out)
+  str = str.replace(/\//g, '\\/');
+
+  // Escape unicode line/paragraph separators
+  str = str.replace(/\u2028/g, '\\u2028');
+  str = str.replace(/\u2029/g, '\\u2029');
+
+  return str;
+}
+
+/**
+ * Encode a string for URL parameter context
+ * @param {string} input - The input to encode
+ * @param {Object} options - Encoding options
+ * @returns {string} Encoded string
+ */
+export function encodeUrl(input, options = {}) {
+  const { preservePath = false } = options;
+
+  if (input === null || input === undefined) {
+    return '';
+  }
+
+  const str = String(input);
+
+  if (preservePath) {
+    // Encode but preserve path separators
+    return str.split('/').map((segment) => encodeURIComponent(segment)).join('/');
+  }
+
+  return encodeURIComponent(str);
+}
+
+/**
+ * Encode a string for CSS context
+ * @param {string} input - The input to encode
+ * @returns {string} Encoded string
+ */
+export function encodeCss(input) {
+  if (input === null || input === undefined) {
+    return '';
+  }
+
+  let str = String(input);
+
+  // Strip null bytes
+  str = str.replace(/\x00/g, '');
+
+  // Block javascript: and expression()
+  if (/javascript\s*:/i.test(str) || /expression\s*\(/i.test(str)) {
+    str = str.replace(/javascript\s*:/gi, '');
+    str = str.replace(/expression\s*\(/gi, '');
+  }
+
+  // Block url() with dangerous protocols
+  str = str.replace(/url\s*\(\s*["']?\s*javascript:/gi, 'url(');
+  str = str.replace(/url\s*\(\s*["']?\s*data:/gi, 'url(');
+
+  // Escape CSS special characters
+  str = str.replace(/\\/g, '\\\\');
+  str = str.replace(/"/g, '\\"');
+  str = str.replace(/'/g, "\\'");
+  str = str.replace(/;/g, '\\;');
+  str = str.replace(/\{/g, '\\{');
+  str = str.replace(/\}/g, '\\}');
+
+  return str;
+}
+
+/**
+ * Encode for a specific context
+ * @param {string} input - The input to encode
+ * @param {string} context - The context (html, javascript, url, css, attribute)
+ * @returns {string} Encoded string
+ */
+export function encodeForContext(input, context) {
+  switch (context.toLowerCase()) {
+    case 'html':
+      return encodeHtml(input);
+    case 'javascript':
+    case 'js':
+      return encodeJavaScript(input);
+    case 'url':
+      return encodeUrl(input);
+    case 'css':
+      return encodeCss(input);
+    case 'attribute':
+    case 'attr':
+      return encodeHtmlAttribute(input);
+    default:
+      throw new Error(`Unknown encoding context: ${context}`);
+  }
+}
+
+/**
+ * Create a chainable encoder
+ * @param {Object} options - Encoder options
+ * @returns {Object} Encoder instance
+ */
+export function createEncoder(options = {}) {
+  const { defaultContext = 'html' } = options;
+
+  return {
+    _value: null,
+    _context: defaultContext,
+
+    encode(input, context) {
+      const ctx = context || this._context;
+      this._value = encodeForContext(input, ctx);
+      return this;
+    },
+
+    then(fn) {
+      if (this._value !== null) {
+        this._value = fn(this._value);
+      }
+      return this;
+    },
+
+    value() {
+      return this._value;
+    },
+  };
+}