lfg2025/archy
1
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects Releases 33 Wiki Activity

chore: add pentest verification script and wire into overnight loop

Browse Source 
- scripts/verify-pentest-fixes.sh: 26-check automated verification
  that tests all 21 pentest findings against the live server
- loop/plan.md: add permanent post-fix verification section
- scripts/overnight-loop.sh: accept plan file arg, run verification
  after all fixes complete

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-06 03:50:50 +00:00
parent 6656d2f1d9
commit 5feb4ce799
3 changed files with 192 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
loop/plan.md
View File

@@ -25,3 +25,25 @@ I now have complete visibility into all affected code. Here is the remediation p
- [x] **FIX-021** — fix(INJ-007): sanitize log output in `core/archipelago/src/api/handler.rs` `handle_node_message` (line 136) — replace newlines (`\n`, `\r`) and ANSI escape sequences in `from` and `msg` with safe representations before passing to `tracing::info!`; use `.replace('\n', "\\n").replace('\r', "\\r")`
- [x] **FIX-022** — fix: harden `image-recipe/configs/archipelago.service` — change `User=root` to `User=archipelago` (dedicated non-root service account); set `Environment="ARCHIPELAGO_DEV_MODE=false"`; add `NoNewPrivileges=true`, `ProtectSystem=strict`, `ReadWritePaths=/var/lib/archipelago`; this reduces blast radius for all findings
- [x] **VERIFY** — test: re-run pentest curl probes from the exploitation report against all 21 finding endpoints to confirm: unauthenticated requests return 401, path traversal payloads are rejected, CORS headers are restrictive, security headers are present, WebSocket requires auth, and the service runs as non-root with dev mode disabled
---
## Post-Fix Verification (ALWAYS run as final step)
After all FIX tasks are complete and deployed, run the automated verification script:
```bash
./scripts/verify-pentest-fixes.sh
```
This script tests every pentest finding against the live server:
- Login returns HttpOnly/SameSite session cookie
- All sensitive RPC methods return 401 without auth
- WebSocket, container logs, LND proxy require auth
- Rate limiting triggers on 6th failed login
- Path traversal, untrusted registries, spoofed pubkeys are rejected
- CORS blocks evil origins
- Nginx security headers are present
- Logout invalidates the session
If verification fails (exit code 1), DO NOT mark VERIFY as done. Fix the failing checks and redeploy first.