feat: add OWASP Top 10 security audit report

This commit adds a new file, AUDIT-OWASP.md, which contains a comprehensive security audit of the codebase based on the OWASP Top 10 vulnerabilities. The audit identifies several critical and high-risk issues, including the use of weak hashing algorithms, vulnerable dependencies, and insecure deserialization in the .trix file format.

Co-authored-by: Snider <631881+Snider@users.noreply.github.com>
google-labs-jules[bot] 2026-02-02 01:12:34 +00:00
parent 86f4e33b1a
commit 4a362a44ca

AUDIT-OWASP.md Normal file

@@ -0,0 +1,38 @@
# OWASP Top 10 Security Audit
## Summary
*1 critical, 2 high, 2 medium findings*
## Findings by Category
### A01:2021 Broken Access Control
- No findings.
### A02:2021 Cryptographic Failures
- **Use of Weak Hashing Algorithms (Critical):** The `crypt` and `enchantrix` packages use MD5 and SHA1, which are known to be vulnerable to collision attacks. These algorithms are not suitable for security-critical applications.
- **Use of a Custom Hashing Algorithm (Medium):** The `lthn` package implements a custom hashing algorithm. "Roll your own crypto" is strongly discouraged as it is likely to contain subtle flaws that are not apparent to non-experts.
### A03:2021 Injection
- No findings.
### A04:2021 Insecure Design
- No findings.
### A05:2021 Security Misconfiguration
- No findings.
### A06:2021 Vulnerable Components
- **Vulnerable Dependencies (High):** The `govulncheck` scan identified 4 vulnerabilities in the project's dependencies. These vulnerabilities could be exploited by an attacker to compromise the application. (See the `govulncheck` output for more details).
### A07:2021 Auth Failures
- No findings.
### A08:2021 Data Integrity Failures
- **Insecure Deserialization in .trix Format (High):** The `trix.Decode` function parses a custom binary format that includes a JSON header. The header is not authenticated, meaning an attacker could modify it to inject malicious data or exploit vulnerabilities in the JSON parser.
- **Lack of Integrity Checks on Header (Medium):** The checksum in the `.trix` format only covers the payload, not the header. This allows an attacker to modify the header without invalidating the checksum, potentially leading to security issues.
### A09:2021 Logging Failures
- No findings.
### A10:2021 SSRF
- No findings.
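Review bot: the A06 finding ("The `govulncheck` scan identified 4 vulnerabilities ... See the `govulncheck` output for more details") is not actionable as written, because the output it points to is not in the report and no module, vulnerability ID, affected version or fixed version is listed; please add the four IDs, the module each belongs to, the fixed version, and whether govulncheck reported the vulnerable symbol as reachable from this codebase, since "could be exploited by an attacker" is only supported for reachable ones. In the A02 Critical finding, say where and for what purpose the `crypt` and `enchantrix` packages use MD5 and SHA1; collision resistance matters when an attacker controls the hashed input (signatures, integrity tags, dedup keys), and the Critical rating needs that usage to back it. The two A08 findings describe the same root cause from two angles (unauthenticated header; checksum covers only the payload) and should be merged into one finding with one remediation, and that remediation should note that a checksum detects accidental corruption only: an attacker who can modify the header can recompute any plain checksum, so the fix is an HMAC or signature computed over header and payload together, verified before the JSON header is parsed, rather than extending the checksum to the header. Finally, for each "No findings" category, a one-line statement of what was actually examined (for example which HTTP handlers or which external request paths for A10) would let a reader distinguish "examined and clean" from "not examined".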