pentest_report.html gelöscht

.gitea/workflows/delpoy.yml

@@ -5,17 +5,32 @@ on:
     branches:
       - main
 
+env:
+  GIT_HOST: git.jakach.ch
+  GIT_REPO: jakach/jakach-login
+  GIT_BRANCH: main
+
+  APP_NAME: auth
+  APP_DOMAIN: auth.jakach.ch
+  APP_PORT: 447
+
+  SECURITY_SCAN_ENABLED: ${{ vars.SECURITY_SCAN_ENABLED }}
+  CODE_SCAN_ENABLED: ${{ vars.CODE_SCAN_ENABLED }}
+  TRIVY_SEVERITY: HIGH,CRITICAL
+  TRIVY_IMAGE_SCANNERS: vuln
+  TRIVY_VEX: repo
+  TRIVY_FS_SCANNERS: vuln,misconfig,secret
+  SEMGREP_CONFIG: p/default
+
 jobs:
   security_scan:
     runs-on: ubuntu-latest
 
     env:
-      GIT_REPO: jakach/jakach-login
-      GIT_BRANCH: main
       GIT_USER: ${{ vars.GIT_USER }}
       GIT_TOKEN: ${{ secrets.GIT_TOKEN }}
-      SECURITY_SCAN_ENABLED: ${{ vars.SECURITY_SCAN_ENABLED }}
+      TRIVY_REGISTRY_USER: ${{ vars.TRIVY_REGISTRY_USER }}
-      TRIVY_SEVERITY: HIGH,CRITICAL
+      TRIVY_REGISTRY_PASSWORD: ${{ secrets.TRIVY_REGISTRY_PASSWORD }}
 
     steps:
       - name: Scan Docker images for vulnerabilities
@@ -53,7 +68,6 @@ jobs:
             export PATH="$HOME/.local/bin:$PATH"
           fi
 
-          GIT_HOST="${GIT_HOST:-git.jakach.ch}"
           REPO_URL="https://${GIT_USER}:${GIT_TOKEN}@${GIT_HOST}/${GIT_REPO}"
 
           git clone \
@@ -96,6 +110,12 @@ jobs:
             exit 0
           fi
 
+          if [ -n "${TRIVY_REGISTRY_USER:-}" ] || [ -n "${TRIVY_REGISTRY_PASSWORD:-}" ]; then
+            : "${TRIVY_REGISTRY_USER:?TRIVY_REGISTRY_USER is required when TRIVY_REGISTRY_PASSWORD is set}"
+            : "${TRIVY_REGISTRY_PASSWORD:?TRIVY_REGISTRY_PASSWORD is required when TRIVY_REGISTRY_USER is set}"
+            echo "Using registry credentials from TRIVY_REGISTRY_USER/TRIVY_REGISTRY_PASSWORD"
+          fi
+
           TRIVY_IGNORE_ARGS=""
 
           if [ -f cve_blacklist.txt ]; then
@@ -125,20 +145,37 @@ jobs:
             echo ""
             echo "Scanning ${image}"
 
-            if ! trivy \
+            if [ -n "${TRIVY_REGISTRY_USER:-}" ]; then
+              if ! trivy \
+                image \
+                --username "${TRIVY_REGISTRY_USER}" \
+                --password "${TRIVY_REGISTRY_PASSWORD}" \
+                --scanners "${TRIVY_IMAGE_SCANNERS}" \
+                --vex "${TRIVY_VEX}" \
+                --exit-code 1 \
+                --severity "${TRIVY_SEVERITY}" \
+                --ignore-unfixed \
+                ${TRIVY_IGNORE_ARGS} \
+                --no-progress \
+                "${image}"; then
+                failed=1
+              fi
+            elif ! trivy \
               image \
+              --scanners "${TRIVY_IMAGE_SCANNERS}" \
+              --vex "${TRIVY_VEX}" \
               --exit-code 1 \
               --severity "${TRIVY_SEVERITY}" \
               --ignore-unfixed \
               ${TRIVY_IGNORE_ARGS} \
               --no-progress \
               "${image}"; then
-              failed=1
+                failed=1
             fi
           done < images.txt
 
           if [ "$failed" -ne 0 ]; then
-            echo "WARNING: High or critical vulnerabilities were found in one or more Docker images. Deployment stopped."
+            echo "WARNING: One or more Docker image scans failed or found ${TRIVY_SEVERITY} vulnerabilities. Deployment stopped."
             exit 1
           fi
 
@@ -148,11 +185,8 @@ jobs:
     runs-on: ubuntu-latest
 
     env:
-      GIT_REPO: jakach/jakach-login
-      GIT_BRANCH: main
       GIT_USER: ${{ vars.GIT_USER }}
       GIT_TOKEN: ${{ secrets.GIT_TOKEN }}
-      CODE_SCAN_ENABLED: ${{ vars.CODE_SCAN_ENABLED }}
 
     steps:
       - name: Scan source code
@@ -197,7 +231,6 @@ jobs:
             export PATH="$HOME/.local/bin:$PATH"
           fi
 
-          GIT_HOST="${GIT_HOST:-git.jakach.ch}"
           REPO_URL="https://${GIT_USER}:${GIT_TOKEN}@${GIT_HOST}/${GIT_REPO}"
 
           git clone \
@@ -208,14 +241,14 @@ jobs:
           cd source
 
           semgrep scan \
-            --config p/default \
+            --config "${SEMGREP_CONFIG}" \
             --error \
             --metrics=off
 
           trivy fs \
-            --scanners vuln,misconfig,secret \
+            --scanners "${TRIVY_FS_SCANNERS}" \
             --exit-code 1 \
-            --severity HIGH,CRITICAL \
+            --severity "${TRIVY_SEVERITY}" \
             --ignore-unfixed \
             --no-progress \
             .
@@ -226,14 +259,6 @@ jobs:
       - security_scan
       - code_scan
 
-    env:
-      GIT_REPO: jakach/jakach-login
-      GIT_BRANCH: main
-
-      APP_NAME: template
-      APP_DOMAIN: auth.jakach.ch
-      APP_PORT: 447
-
     steps:
       - name: Install dependencies
         run: |
@@ -273,8 +298,6 @@ jobs:
           : "${GIT_USER:?GIT_USER is required}"
           : "${GIT_TOKEN:?GIT_TOKEN is required}"
 
-          GIT_HOST="${GIT_HOST:-git.jakach.ch}"
-
           REPO_NAME="$(basename "$GIT_REPO")"
           APP_DIR="/srv/systems/${REPO_NAME}"
 

README.md

@@ -21,7 +21,11 @@ Using Jakach Login is straightforward:
    ```bash
    docker volume create jakach-login-db-storage
    ```
-4. **Run the system using Docker Compose:**  
+4. **Authenticate to Docker Hardened Images:**  
+   ```bash
+   docker login dhi.io
+   ```
+5. **Run the system using Docker Compose:**  
    ```bash
    docker-compose up
    ```

app-code/api/account/update_passkey.php

@@ -10,6 +10,11 @@ secure_session_start();
 require_same_origin_request();
 require_csrf_token();
 
+function print_json_response($data): void
+{
+    print(htmlentities(json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT), ENT_NOQUOTES, 'UTF-8'));
+}
+
 // Assuming you've already established a database connection here
 include "../../config/config.php";
 $conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD,$DB_DATABASE);
@@ -104,7 +109,7 @@ try {
         $createArgs = $WebAuthn->getCreateArgs(\hex2bin($userId), $userName, $userDisplayName, 60*4, $requireResidentKey, $userVerification, $crossPlatformAttachment);
 
         header('Content-Type: application/json');
-        print(json_encode($createArgs));
+        print_json_response($createArgs);
 
         // save challange to session. you have to deliver it to processGet later.
         $_SESSION['challenge'] = $WebAuthn->getChallenge();
@@ -138,7 +143,7 @@ try {
         $getArgs = $WebAuthn->getGetArgs($ids, 60*4, $typeUsb, $typeNfc, $typeBle, $typeHyb, $typeInt, $userVerification);
 
         header('Content-Type: application/json');
-        print(json_encode($getArgs));
+        print_json_response($getArgs);
 
         // save challange to session. you have to deliver it to processGet later.
         $_SESSION['challenge'] = $WebAuthn->getChallenge();

app-code/api/login/check_passkey.php

@@ -7,6 +7,12 @@ include "../utils/security.php";
 secure_session_start();
 require_same_origin_request();
 require_csrf_token();
+
+function print_json_response($data): void
+{
+    print(htmlentities(json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT), ENT_NOQUOTES, 'UTF-8'));
+}
+
 include "../../config/config.php";
 $conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD,$DB_DATABASE);
 if ($conn->connect_error) {
@@ -90,7 +96,7 @@ try {
         // Get create arguments
         $createArgs = $WebAuthn->getCreateArgs(\hex2bin($userId), $userName, $userDisplayName, 60*4, $requireResidentKey, $userVerification);
         header('Content-Type: application/json');
-        print(json_encode($createArgs));
+        print_json_response($createArgs);
 
         // Save challenge to session or somewhere else if needed
     } else if ($fn === 'getGetArgs') {
@@ -120,7 +126,7 @@ try {
         $getArgs = $WebAuthn->getGetArgs($ids, 60*4, $typeUsb, $typeNfc, $typeBle, $typeHyb, $typeInt, $userVerification);
 
         header('Content-Type: application/json');
-        print(json_encode($getArgs));
+        print_json_response($getArgs);
 
         // save challange to session. you have to deliver it to processGet later.
         $_SESSION['challenge'] = $WebAuthn->getChallenge();

app-code/api/manage/fetch_users.php

@@ -16,21 +16,32 @@ if ($conn->connect_error) {
 }
 
 $search = trim($_GET['search'] ?? '');
-$sort = $_GET['sort'] ?? 'id';
+$sort = $_GET['sort'] ?? '';
 $order = strtoupper($_GET['order'] ?? 'ASC') === 'DESC' ? 'DESC' : 'ASC';
 
-$allowedSorts = ['id', 'username'];
-if (!in_array($sort, $allowedSorts)) {
-    $sort = 'id';
-}
-
 if ($search !== '') {
-    $query = "SELECT id, username FROM users WHERE username LIKE ? ORDER BY $sort $order";
+    if ($sort === 'username') {
+        $query = $order === 'DESC'
+            ? "SELECT id, username FROM users WHERE username LIKE ? ORDER BY username DESC"
+            : "SELECT id, username FROM users WHERE username LIKE ? ORDER BY username ASC";
+    } else {
+        $query = $order === 'DESC'
+            ? "SELECT id, username FROM users WHERE username LIKE ? ORDER BY id DESC"
+            : "SELECT id, username FROM users WHERE username LIKE ? ORDER BY id ASC";
+    }
     $stmt = $conn->prepare($query);
     $like = '%' . $search . '%';
     $stmt->bind_param('s', $like);
 } else {
-    $query = "SELECT id, username FROM users ORDER BY $sort $order";
+    if ($sort === 'username') {
+        $query = $order === 'DESC'
+            ? "SELECT id, username FROM users ORDER BY username DESC"
+            : "SELECT id, username FROM users ORDER BY username ASC";
+    } else {
+        $query = $order === 'DESC'
+            ? "SELECT id, username FROM users ORDER BY id DESC"
+            : "SELECT id, username FROM users ORDER BY id ASC";
+    }
     $stmt = $conn->prepare($query);
 }
 

docker-compose.yml

@@ -1,10 +1,10 @@
 services:
   jakach-login-db:
-    image: mariadb:10.6.25
+    image: dhi.io/mariadb:12
     container_name: jakach-login-db
     restart: unless-stopped
     environment:
-      MYSQL_ROOT_PASSWORD: 1234
+      MARIADB_ROOT_PASSWORD: 1234
     networks:
       jakach-login-network:
         ipv4_address: 192.168.5.2