6.4 KiB
6.4 KiB
[scan] Security attack vector mapping — Implementation Plan
For Codex agent: this document is the issue body to execute next.
Goal
Map every external input entry point across core/go-scm and produce a complete attack-vector matrix with evidence and validation status.
Scope
- Repository:
core/go-scm - Language: Go
- Branch:
agent/create-an-implementation-plan-for-this-s - Target files: all non-test Go source files
1) Every file to scan
Use this exact list as the scan set.
agentci/clotho.goagentci/config.goagentci/security.gocmd/collect/cmd.gocmd/collect/cmd_bitcointalk.gocmd/collect/cmd_dispatch.gocmd/collect/cmd_excavate.gocmd/collect/cmd_github.gocmd/collect/cmd_market.gocmd/collect/cmd_papers.gocmd/collect/cmd_process.gocmd/forge/cmd_auth.gocmd/forge/cmd_config.gocmd/forge/cmd_forge.gocmd/forge/cmd_issues.gocmd/forge/cmd_labels.gocmd/forge/cmd_migrate.gocmd/forge/cmd_orgs.gocmd/forge/cmd_prs.gocmd/forge/cmd_repos.gocmd/forge/cmd_status.gocmd/forge/cmd_sync.gocmd/forge/helpers.gocmd/gitea/cmd_config.gocmd/gitea/cmd_gitea.gocmd/gitea/cmd_issues.gocmd/gitea/cmd_mirror.gocmd/gitea/cmd_prs.gocmd/gitea/cmd_repos.gocmd/gitea/cmd_sync.gocmd/scm/cmd_compile.gocmd/scm/cmd_export.gocmd/scm/cmd_index.gocmd/scm/cmd_scm.gocollect/bitcointalk.gocollect/collect.gocollect/events.gocollect/excavate.gocollect/github.gocollect/market.gocollect/papers.gocollect/process.gocollect/ratelimit.gocollect/state.goforge/client.goforge/config.goforge/issues.goforge/labels.goforge/meta.goforge/orgs.goforge/prs.goforge/repos.goforge/webhooks.gogit/git.gogit/service.gogitea/client.gogitea/config.gogitea/issues.gogitea/meta.gogitea/repos.gojobrunner/forgejo/signals.gojobrunner/forgejo/source.gojobrunner/handlers/completion.gojobrunner/handlers/dispatch.gojobrunner/handlers/enable_auto_merge.gojobrunner/handlers/publish_draft.gojobrunner/handlers/resolve_threads.gojobrunner/handlers/send_fix_command.gojobrunner/handlers/tick_parent.gojobrunner/journal.gojobrunner/poller.gojobrunner/types.golocales/embed.gomanifest/compile.gomanifest/loader.gomanifest/manifest.gomanifest/sign.gomarketplace/builder.gomarketplace/discovery.gomarketplace/installer.gomarketplace/marketplace.gopkg/api/embed.gopkg/api/provider.goplugin/config.goplugin/installer.goplugin/loader.goplugin/manifest.goplugin/plugin.goplugin/registry.gorepos/gitstate.gorepos/kbconfig.gorepos/registry.gorepos/workconfig.go
2) What to look for in each file
A) External input entry points
- CLI entry arguments and flags
- CLI env-config precedence (
config,FORGE_*,GITEA_*) - HTTP request handlers, webhook payloads, request headers, params, and body
- Filesystem paths and filenames supplied as config/flags/env/user values
- External URLs, repo names, owner/org names, branch names
- SSH command inputs and key material
- Collector source inputs (search terms, query terms, package names, IDs)
- Job signals/labels/checklists/issue fields/command payloads
B) Validation gaps to record
- Missing/weak allowlists for path segments and IDs
- Missing canonicalisation of URLs/paths/refs before use
- Incomplete enum/type validation (state, status, action)
- Unsafe conversions/casts without bounds checks
- Insufficient escaping for shell, file, JSON, or command composition
- Trusting external API responses without schema checks
- Ignoring error paths that should halt processing
C) Injection vectors
- OS command construction
- Path traversal / arbitrary file write/read
- Log forging / token leak via logging
- SSRF via configurable URLs and webhooks
- Template/HTML injection through rendered output paths
- SQL-like or LDAP-like interpolation (where backend uses query strings)
- Git command argument injection and branch/ref injection
- Header injection in HTTP clients/servers
D) Race condition risks
- Shared mutable state in handlers and services
- Journal writes/read/write-back without coordination
- Async polling loops sharing token/counter/state
- Map/slice writes from worker goroutines
- TOCTOU around file presence/load/read-modify-write sequences
- Cache + state refresh races under concurrent polling
3) Required output format for findings
Each finding row must contain all columns in this exact order:
file:line | input source | flows into | validation | attack vector
Example format:
collect/github.go:142 | cmd flag --org (string) | buildGitHubCollector(config) -> net/http request URL | domain allowlist absent | SSRF + data exfil by domain override
Minimal per-row capture fields
file:line(primary function where input first enters)input source(flag/env/body/path/header/id)flows into(target function/call chain)validation(what checks currently exist, if any)attack vector(confidentiality/integrity/availability risk)
Evidence fields (optional but preferred)
- CWE id
- Repro path
- severity (
low/medium/high) - confidence (
high/med/low) - mitigation candidate
4) Where to write the report
Primary report file to produce:
docs/security/scan-attack-vector-mapping-report.md
This file must contain:
- The completed matrix in the required format above
- Deduplicated list of attack vectors with severity
- Verification status (
mapped,validated,open) - A final summary by subsystem and risk priority
This issue body should be replaced with a pointer plus a short runbook:
- "Execution plan in
docs/plans/2026-03-24-security-attack-vector-mapping.md, results indocs/security/scan-attack-vector-mapping-report.md."
Execution order
- 1. Create report file and add header + schema columns
- 2. Scan files in package order listed above
- 3. For each file, capture every external input entry point and map to sinks
- 4. Populate one row per mapped flow in the required
file:line | ...format - 5. Cross-check for duplicates and deduplicate by identical sink and attack vector
- 6. Add severity and validation gap notes per row
- 7. Finalise summary + high-priority follow-up list