lfg2025/archy
1
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects Releases 33 Wiki Activity

test: enhance automated pentest suite (PENTEST-01)

Browse Source 
Rewrite verify-pentest-fixes.sh and test-security.sh with comprehensive
security tests covering auth bypass, CSRF protection, rate limiting,
input validation (SQL injection, command injection, path traversal),
session fixation, SSRF, container isolation, and session lifecycle.
Both scripts now pass all checks (35/35 and 14/14).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-11 14:15:53 +00:00
parent d15e90c26d
commit daa33d098b
3 changed files with 335 additions and 143 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
loop/plan.md
View File

@@ -364,7 +364,7 @@
#### Sprint 30: Security Penetration Testing (Week 1-4)
- [ ] **PENTEST-01** — Run automated penetration test suite. Execute `scripts/verify-pentest-fixes.sh` and `scripts/test-security.sh`. Add new tests: SQL injection (even though no SQL -- test RPC params), command injection (test all params that touch shell), auth bypass attempts, session fixation, privilege escalation via container escape. **Acceptance**: All pen tests pass.
- [x] **PENTEST-01** — Run automated penetration test suite. Execute `scripts/verify-pentest-fixes.sh` and `scripts/test-security.sh`. Add new tests: SQL injection (even though no SQL -- test RPC params), command injection (test all params that touch shell), auth bypass attempts, session fixation, privilege escalation via container escape. **Acceptance**: All pen tests pass.
- [ ] **PENTEST-02** — Conduct manual security review of all RPC endpoints. Review each of the 80+ RPC endpoints in `core/archipelago/src/api/rpc/mod.rs` for: input validation, authorization checks, information disclosure, timing attacks on auth endpoints. Document findings. **Acceptance**: All endpoints reviewed; critical issues fixed.