SnapAPI session 58: SSRF security hardening, 387 tests
This commit is contained in:
Hoid
parent
237e9cc546
commit
8b7452cc81
2 changed files with 49 additions and 3 deletions
|
|
@ -1,5 +1,49 @@
|
|||
# SnapAPI Session Log
|
||||
|
||||
## Session 58 — 2026-03-05 09:00 CET (SSRF Security Hardening)
|
||||
|
||||
**Goal:** Harden SSRF protection and input validation security.
|
||||
|
||||
**Health Check:**
|
||||
- Production: ✅ healthy, 2 replicas (still v0.5.2, VULNERABLE — BUG-016)
|
||||
- Staging: ✅ healthy, new deployment with security hardening
|
||||
|
||||
**Work Done:**
|
||||
|
||||
### 1. SSRF Security Hardening — sub-agent: snapapi-security-hardening
|
||||
- **IPv4-mapped IPv6 blocking**: `::ffff:127.0.0.1`, `::ffff:10.x`, `::ffff:192.168.x` etc. now blocked (7 new tests)
|
||||
- **IPv6 unspecified `::` blocking**: Added to blocked ranges (1 new test)
|
||||
- **hideSelectors CSS injection prevention**: Rejects selectors containing `{}`, `<>`, `;` (multiple tests)
|
||||
- **waitForSelector sanitization**: Max 200 chars, rejects `javascript:` and `<script` (multiple tests)
|
||||
- **CSS parameter hardening**: Blocks `@import` and `url()` with non-data: schemes to prevent exfiltration (multiple tests)
|
||||
- **TDD**: All 21 tests written RED first, then GREEN
|
||||
- **Test suite: 387 tests passing** (was 366)
|
||||
- **Git commit**: ba888bb pushed to main
|
||||
- **Deployed to staging**: Yes, verified healthy
|
||||
|
||||
### 2. Vulnerability Re-confirmation
|
||||
- Production /v1/signup/free still returns 200 and creates free API keys
|
||||
- Probe key cleaned from DB
|
||||
|
||||
### 3. Competitive Analysis
|
||||
- SnapRender: 10K screenshots at $29/mo (our Pro: 5K at €29) — pricing may need review
|
||||
|
||||
**Investor Test:**
|
||||
1. Stranger trust with money? **Yes on staging**
|
||||
2. Data loss on crash? **No** (CNPG PostgreSQL)
|
||||
3. Free tier abuse? **⚠️ YES on production** — /v1/signup/free CONFIRMED still active
|
||||
4. Key recovery? **Yes on staging**
|
||||
5. All website features work? **Yes on staging**
|
||||
|
||||
**Blockers (unchanged):**
|
||||
- **⚠️ CRITICAL: Production deploy needed** — BUG-016 (free signup) is a live security issue
|
||||
- Stripe production webhook: needs investor to register URL
|
||||
- CI/CD: No Forgejo runner (workaround: manual build on k3s-mgr using 10.0.1.x IPs)
|
||||
|
||||
**Note for investor:** Production is 20+ commits behind staging. Staging has: security hardening, usage dashboard, customer portal, key recovery, blog, pricing page, changelog, comparison page, guides, billing rate limiting, cancelled tier, and 387 tests. Recommend approving production deploy.
|
||||
|
||||
---
|
||||
|
||||
## Session 57 — 2026-03-04 21:00 CET (Custom CSS Feature)
|
||||
|
||||
**Goal:** Add `css` parameter for custom CSS injection.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue