Merge PR #33: jules/audit-OWASP-Top-10-security-review-1721949437-1328739310953406578

AUDIT-OWASP.md

@@ -0,0 +1,18 @@
+# OWASP Top 10 Security Audit
+
+## Summary
+0 critical, 2 high, 1 medium findings
+
+## Findings by Category
+
+### A06: Vulnerable and Outdated Components (High)
+- **Finding:** The `govulncheck` tool identified 13 vulnerabilities in the Go standard library, stemming from an outdated Go version.
+- **Remediation:** It is recommended to upgrade the project's Go version to the latest stable release to mitigate these vulnerabilities.
+
+### A10: Server-Side Request Forgery (SSRF) (High)
+- **Finding:** The `RDAPLookupDomainWithTimeout`, `RDAPLookupIPWithTimeout`, and `RDAPLookupASNWithTimeout` functions constructed request URLs by directly embedding user-provided inputs. This could have allowed a malicious actor to craft inputs that would cause the server to make requests to internal resources.
+- **Remediation:** All user-provided inputs (`domain`, `ip`, and `asn`) are now sanitized using `url.PathEscape()` before being included in the request URL, preventing path traversal and other SSRF-style attacks.
+
+### A03: Injection (Medium)
+- **Finding:** The `DNSLookup...` functions did not sanitize the `domain` parameter, which could have led to unexpected behavior if special characters were provided as input.
+- **Remediation:** The `domain` parameter is now validated using a regular expression to ensure it conforms to a valid domain name format, mitigating the risk of injection attacks.

dns_tools.go

@@ -8,6 +8,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
+	"regexp"
 	"sort"
 	"strings"
 	"time"
@@ -259,6 +260,14 @@ func DNSLookup(domain string, recordType DNSRecordType) DNSLookupResult {
 	return DNSLookupWithTimeout(domain, recordType, 10*time.Second)
 }
 
+// isValidDomain validates the domain name against a simple regex to prevent injection
+func isValidDomain(domain string) bool {
+	// A simple regex to match valid domain name characters.
+	// This is not a full validation, but it prevents common injection attacks.
+	match, _ := regexp.MatchString(`^([a-zA-Z0-9_]{1}[a-zA-Z0-9_-]{0,62}){1}(\.[a-zA-Z0-9_]{1}[a-zA-Z0-9_-]{0,62})*[\._]?$`, domain)
+	return match
+}
+
 // DNSLookupWithTimeout performs a DNS lookup with a custom timeout
 func DNSLookupWithTimeout(domain string, recordType DNSRecordType, timeout time.Duration) DNSLookupResult {
 	start := time.Now()
@@ -268,6 +277,12 @@ func DNSLookupWithTimeout(domain string, recordType DNSRecordType, timeout time.
 		Timestamp: start,
 	}
 
+	if !isValidDomain(domain) {
+		result.Error = "invalid domain format"
+		result.LookupTimeMs = time.Since(start).Milliseconds()
+		return result
+	}
+
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 
@@ -651,9 +666,9 @@ func RDAPLookupDomainWithTimeout(domain string, timeout time.Duration) RDAPRespo
 	serverURL, ok := rdapServers[tld]
 	if !ok {
 		// Try to use IANA bootstrap
-		serverURL = fmt.Sprintf("https://rdap.org/domain/%s", domain)
+		serverURL = fmt.Sprintf("https://rdap.org/domain/%s", url.PathEscape(domain))
 	} else {
-		serverURL = serverURL + "domain/" + domain
+		serverURL = serverURL + "domain/" + url.PathEscape(domain)
 	}
 
 	client := &http.Client{Timeout: timeout}
@@ -709,7 +724,7 @@ func RDAPLookupIPWithTimeout(ip string, timeout time.Duration) RDAPResponse {
 	}
 
 	// Use rdap.org as a universal redirector
-	serverURL := fmt.Sprintf("https://rdap.org/ip/%s", ip)
+	serverURL := fmt.Sprintf("https://rdap.org/ip/%s", url.PathEscape(ip))
 
 	client := &http.Client{Timeout: timeout}
 	resp, err := client.Get(serverURL)
@@ -760,7 +775,7 @@ func RDAPLookupASNWithTimeout(asn string, timeout time.Duration) RDAPResponse {
 	asnNum := strings.TrimPrefix(strings.ToUpper(asn), "AS")
 
 	// Use rdap.org as a universal redirector
-	serverURL := fmt.Sprintf("https://rdap.org/autnum/%s", asnNum)
+	serverURL := fmt.Sprintf("https://rdap.org/autnum/%s", url.PathEscape(asnNum))
 
 	client := &http.Client{Timeout: timeout}
 	resp, err := client.Get(serverURL)