senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/docs/archive/ASVS_CHECKLIST_v0.12.6.md
senke 47afb055a2 chore(docs): archive obsolete v0.12.6 security docs 
Move ASVS_CHECKLIST_v0.12.6.md, PENTEST_REPORT_VEZA_v0.12.6.md, and
REMEDIATION_MATRIX_v0.12.6.md to docs/archive/ — all reference a
pentest conducted on v0.12.6 (2026-03), stale relative to the current
v1.0.7 codebase (different security middleware, different payment
flow, different config validation).

Update CLAUDE.md tree listing and AUDIT_REPORT.md §9.1 to reflect the
archive location. Keep docs/SECURITY_SCAN_RC1.md (still current).

Closes AUDIT_REPORT §9.1 obsolete-doc item.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-23 15:32:25 +02:00

249 lines
14 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# OWASP ASVS Level 2 Checklist — VEZA v0.12.6
**Date** : 2026-03-13
**Standard** : OWASP Application Security Verification Standard v4.0.3, Level 2
**Scope** : VEZA monorepo (Go backend, Rust stream server, React frontend)
**Référence** : PENTEST_REPORT_VEZA_v0.12.6.md (36 findings)
---
## Légende
- ✅ PASS — Contrôle vérifié et conforme
- ⚠️ PARTIAL — Contrôle partiellement implémenté (finding associé)
- ❌ FAIL — Contrôle non conforme (finding associé)
- N/A — Non applicable
---
## V1 — Architecture, Design and Threat Modeling
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V1.1.1 | Application uses a single vetted security architecture | ✅ PASS | Architecture hexagonale, middlewares auth centralisés |
| V1.1.2 | Security controls are applied centrally | ✅ PASS | Auth middleware, rate limit middleware, CORS config centralisée |
| V1.1.3 | Sensitive data is identified and protected | ⚠️ PARTIAL | `json:"-"` sur passwords/tokens, mais popularity metrics leakent — **HIGH-002** |
| V1.1.4 | All application components are defined | ✅ PASS | ORIGIN_MASTER_ARCHITECTURE.md documente tous les composants |
| V1.1.5 | High-value business logic flows defined | ⚠️ PARTIAL | Flows définis mais race conditions dans payout/refund — **CRIT-002, CRIT-003** |
| V1.1.6 | Threat model exists | ⚠️ PARTIAL | ORIGIN_SECURITY_FRAMEWORK.md existe mais pas de threat model formel |
---
## V2 — Authentication
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V2.1.1 | Password min length ≥ 8 | ✅ PASS | Validation de complexité dans password_service.go |
| V2.1.2 | Password max length ≥ 64 | ✅ PASS | Max 72 bytes (bcrypt limit) enforced |
| V2.1.3 | No password truncation | ✅ PASS | Validation explicite de la longueur avant hachage |
| V2.1.4 | Passwords are stored using approved hashing | ⚠️ PARTIAL | bcrypt utilisé mais cost incohérent (10 vs 12) — **MEDIUM-001** |
| V2.1.5 | Password change requires old password | ✅ PASS | `ChangePassword()` vérifie l'ancien mot de passe |
| V2.1.6 | Password breach checking | ✅ PASS | Password history (5 derniers) vérifié |
| V2.2.1 | Anti-automation controls on auth | ⚠️ PARTIAL | Rate limiting existe mais bypassable via IP spoofing — **HIGH-001** |
| V2.2.2 | Weak authenticator resistance | ✅ PASS | Brute-force protection via rate limiting + account lockout |
| V2.2.3 | Credential recovery resists abuse | ✅ PASS | Password reset tokens limités, expirent |
| V2.3.1 | Session tokens are generated using approved CSPRNG | ✅ PASS | crypto/rand utilisé (19 fichiers) |
| V2.4.1 | MFA available | ✅ PASS | TOTP MFA + recovery codes implémentés |
| V2.5.1 | Tokens not sent as query parameters | ✅ PASS | JWT via cookies HttpOnly |
| V2.5.2 | Token integrity is checked | ✅ PASS | JWT RS256 signature verification |
| V2.5.3 | Stateless tokens include expiry | ✅ PASS | JWT `exp` claim enforced |
| V2.5.4 | JWT algorithm whitelisting | ✅ PASS | RS256 primary, HS256 dev-only fallback |
| V2.7.1 | Passwords are hashed with salt | ✅ PASS | bcrypt inclut le salt automatiquement |
| V2.8.1 | Session management for auth tokens | ⚠️ PARTIAL | Session service avec revocation, mais refresh token TOCTOU — **HIGH-005** |
| V2.9.1 | WebAuthn support | ✅ PASS | WebAuthn credentials stored securely (`json:"-"`) |
---
## V3 — Session Management
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V3.1.1 | Application never reveals session tokens in URL | ✅ PASS | Cookies HttpOnly uniquement |
| V3.2.1 | Logout invalidates session | ✅ PASS | Token blacklist + session deletion |
| V3.2.2 | Logout invalidates all sessions option | ✅ PASS | "Revoke all sessions" available |
| V3.2.3 | Session timeout after inactivity | ✅ PASS | Token expiration configured |
| V3.3.1 | Session token is changed after login | ✅ PASS | New JWT issued on each login |
| V3.4.1 | Cookie-based tokens have Secure flag | ✅ PASS | Auto-secure in production (cors.go:12-18) |
| V3.4.2 | Cookie-based tokens have HttpOnly flag | ✅ PASS | `CookieHttpOnly: true` |
| V3.4.3 | Cookie-based tokens have SameSite attribute | ⚠️ PARTIAL | SameSite=Lax (Strict préférable) — **LOW-001** |
| V3.4.4 | Cookie-based tokens use __Host- prefix | N/A | Non requis pour Level 2 |
| V3.5.1 | Tokens are validated on every request | ✅ PASS | Auth middleware validates JWT on protected routes |
| V3.7.1 | Admin can revoke user sessions | ✅ PASS | Admin session management available |
---
## V4 — Access Control
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V4.1.1 | Principle of least privilege | ⚠️ PARTIAL | Roles définis mais mass assignment permet escalation — **HIGH-003** |
| V4.1.2 | Access control applied server-side | ✅ PASS | All auth checks in Go middleware/handlers |
| V4.1.3 | Deny by default | ✅ PASS | Protected routes require explicit auth middleware |
| V4.2.1 | Sensitive data access restricted | ❌ FAIL | Analytics IDOR (pas de ownership check) — **CRIT-004** ; followers_count public — **HIGH-002** |
| V4.2.2 | User can only access own data | ❌ FAIL | Track analytics de n'importe quel créateur accessible — **CRIT-004** |
| V4.3.1 | Admin functions protected | ✅ PASS | `RequireRole("admin")` middleware |
| V4.3.2 | Users cannot access unauthorized admin APIs | ✅ PASS | Role check in middleware before handler |
---
## V5 — Validation, Sanitization and Encoding
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V5.1.1 | HTTP parameter pollution defense | ✅ PASS | Gin framework handles this natively |
| V5.1.2 | Input validation on all inputs | ⚠️ PARTIAL | Struct binding OK mais file upload marketplace sans validation taille — **MEDIUM-006** |
| V5.1.3 | Output encoding for context | ✅ PASS | React auto-escapes, Go JSON marshaling |
| V5.2.1 | Untrusted HTML sanitized | ✅ PASS | DOMPurify (frontend) + `html.EscapeString` (backend) |
| V5.3.1 | SQL injection prevention | ✅ PASS | Parameterized queries everywhere |
| V5.3.2 | OS command injection prevention | ✅ PASS | `exec.CommandContext` avec arguments séparés |
| V5.3.3 | LDAP injection prevention | N/A | No LDAP used |
| V5.3.4 | XSS prevention | ✅ PASS | React JSX auto-escaping, CSP header |
| V5.3.7 | SSRF prevention | ✅ PASS | No user-controlled URL fetching in backend |
| V5.5.1 | Serialization attacks prevented | ✅ PASS | No deserialization of untrusted data |
---
## V6 — Stored Cryptography
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V6.1.1 | Regulated data encrypted at rest | ✅ PASS | Passwords bcrypt-hashed, tokens hashed |
| V6.2.1 | Approved cryptographic algorithms | ✅ PASS | bcrypt, RS256, HMAC-SHA512, crypto/rand |
| V6.2.2 | Industry-proven crypto libraries | ✅ PASS | Go stdlib crypto, `golang.org/x/crypto` |
| V6.2.3 | Random values from CSPRNG | ✅ PASS | `crypto/rand` exclusively (not math/rand) |
| V6.2.4 | Key rotation supported | ⚠️ PARTIAL | JWT key rotation documentée mais pas de `kid` header — **INFO-003** |
| V6.3.1 | Secrets not in source code | ⚠️ PARTIAL | `.env.production` uses templates, mais JWT_SECRET hardcodé dans docker-compose — **LOW-006** |
| V6.4.1 | Key management procedures | ✅ PASS | JWT RSA keys loaded from env/files |
---
## V7 — Error Handling and Logging
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V7.1.1 | Generic error messages to users | ✅ PASS | apierror package with structured errors, no stack traces |
| V7.1.2 | Security-sensitive errors logged | ✅ PASS | Structured JSON logging with zap |
| V7.1.3 | No sensitive data in error responses | ✅ PASS | Error context sanitized |
| V7.2.1 | All auth decisions logged | ✅ PASS | Login success/failure, session revocation logged |
| V7.2.2 | All access control failures logged | ✅ PASS | 401/403 responses logged |
| V7.3.1 | Logs protected from injection | ✅ PASS | Structured logging (zap) prevents log injection |
| V7.4.1 | Sensitive data not logged | ✅ PASS | Passwords, tokens not in log fields |
---
## V8 — Data Protection
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V8.1.1 | PII identified and classified | ✅ PASS | PRIVACY_POLICY.md §2 lists all data |
| V8.1.2 | Sensitive data in transit encrypted | ✅ PASS | HTTPS/TLS enforced, HSTS header |
| V8.2.1 | Sensitive data not in URL | ✅ PASS | Auth via cookies, not URL params |
| V8.2.2 | HTTP caching headers on sensitive data | ✅ PASS | Cache-Control set on auth responses |
| V8.3.1 | Sensitive data removable on request | ⚠️ PARTIAL | GDPR deletion fonctionne mais données financières non traitées — **HIGH-008** |
| V8.3.2 | Data export available | ✅ PASS | GDPR export endpoint (JSON, 48h) |
| V8.3.4 | Data retention policy defined | ✅ PASS | PRIVACY_POLICY.md §7 — retention table |
---
## V9 — Communication
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V9.1.1 | TLS for all connections | ⚠️ PARTIAL | HTTPS enforced, HSTS backend, mais nginx frontend manque HSTS — **MEDIUM-009** |
| V9.1.2 | TLS 1.2+ only | ✅ PASS | Go net/http defaults to TLS 1.2+ |
| V9.1.3 | Strong cipher suites | ✅ PASS | Go stdlib uses modern ciphers |
| V9.2.1 | Webhook signature verification | ✅ PASS | HMAC-SHA512 with hmac.Equal() |
---
## V10 — Malicious Code
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V10.1.1 | No malicious code (backdoors, etc.) | ✅ PASS | No suspicious patterns found |
| V10.2.1 | No time bombs | ✅ PASS | No scheduled destructive operations |
| V10.3.1 | Source code review performed | ✅ PASS | This audit (6 agents spécialisés) |
---
## V11 — Business Logic
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V11.1.1 | Business logic flow enforced server-side | ❌ FAIL | Race conditions dans payout, refund, promo, trial — **CRIT-002, CRIT-003, HIGH-006, HIGH-010** |
| V11.1.2 | Business logic limits enforced | ⚠️ PARTIAL | Rate limits existent mais pagination unbounded — **MEDIUM-005** |
| V11.1.3 | Anti-automation on business-critical functions | ⚠️ PARTIAL | Rate limiting bypassable via IP spoofing — **HIGH-001** |
| V11.1.4 | Ethical business logic verified | ⚠️ PARTIAL | Track metrics hidden, mais API leaks followers/post likes — **HIGH-002** |
---
## V12 — Files and Resources
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V12.1.1 | File upload size limits | ⚠️ PARTIAL | Upload validation service OK, mais marketplace upload manque check taille — **MEDIUM-006** |
| V12.1.2 | File type validation | ✅ PASS | `ValidateFile()` checks file types |
| V12.1.3 | File stored outside webroot | ✅ PASS | MinIO/S3 object storage |
| V12.3.1 | User-submitted filenames sanitized | ❌ FAIL | Marketplace upload : path traversal via `filepath.Join`**CRIT-005** |
| V12.4.1 | No path traversal | ❌ FAIL | `filepath.Join(previewDir, file.Filename)` sans sanitization — **CRIT-005** |
---
## V13 — API and Web Service
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V13.1.1 | All API endpoints require auth or are explicitly public | ⚠️ PARTIAL | Endpoints protégés, mais pprof exposé sans restriction — **MEDIUM-012** |
| V13.1.2 | API uses standard auth mechanisms | ✅ PASS | JWT bearer tokens |
| V13.1.3 | No unnecessary API exposure | ⚠️ PARTIAL | pprof profiling endpoint exposé — **MEDIUM-012** |
| V13.2.1 | Rate limiting on all APIs | ⚠️ PARTIAL | Rate limit bypassable via IP spoofing — **HIGH-001** |
| V13.2.2 | API schema validation | ✅ PASS | Gin binding validation |
| V13.3.1 | Pagination implemented | ⚠️ PARTIAL | Pagination existe mais limit non borné — **MEDIUM-005** |
| V13.4.1 | CORS properly configured | ⚠️ PARTIAL | HTTP origins in .env.production — **MEDIUM-003** ; Nginx RTMP wildcard — **MEDIUM-007** |
---
## V14 — Configuration
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V14.1.1 | Server configuration hardened | ⚠️ PARTIAL | Security headers backend OK, mais nginx frontend manque HSTS — **MEDIUM-009** |
| V14.2.1 | Dependency integrity | ⚠️ PARTIAL | GitHub Actions not all pinned by SHA — **MEDIUM-002** |
| V14.2.2 | No known vulnerabilities in dependencies | ✅ PASS | Trivy scans in CI, cargo audit, npm audit |
| V14.3.1 | Security headers set | ✅ PASS | HSTS, CSP, COEP, COOP (backend) |
| V14.4.1 | No default credentials | ⚠️ PARTIAL | `.env.production` uses templates, mais JWT_SECRET hardcodé en dev — **LOW-006** |
| V14.5.1 | HTTP security headers | ✅ PASS | X-Content-Type-Options, Referrer-Policy |
---
## Résumé ASVS
| Catégorie | Total | ✅ PASS | ⚠️ PARTIAL | ❌ FAIL | N/A |
|-----------|-------|---------|------------|--------|--------|
| V1 Architecture | 6 | 3 | 3 | 0 | 0 |
| V2 Authentication | 18 | 14 | 4 | 0 | 0 |
| V3 Session Mgmt | 11 | 10 | 1 | 0 | 0 |
| V4 Access Control | 7 | 4 | 1 | 2 | 0 |
| V5 Validation | 10 | 8 | 1 | 0 | 1 |
| V6 Cryptography | 7 | 5 | 2 | 0 | 0 |
| V7 Error Handling | 7 | 7 | 0 | 0 | 0 |
| V8 Data Protection | 7 | 6 | 1 | 0 | 0 |
| V9 Communication | 4 | 3 | 1 | 0 | 0 |
| V10 Malicious Code | 3 | 3 | 0 | 0 | 0 |
| V11 Business Logic | 4 | 0 | 3 | 1 | 0 |
| V12 Files | 5 | 2 | 1 | 2 | 0 |
| V13 API | 7 | 2 | 5 | 0 | 0 |
| V14 Configuration | 6 | 3 | 3 | 0 | 0 |
| **Total** | **102** | **70** | **26** | **5** | **1** |
**Taux de conformité ASVS Level 2** : **70/102 (68.6%)**
- 5 contrôles ❌ FAIL sont associés à des findings CRITICAL (CRIT-002/003/004/005, HIGH-003)
- 26 contrôles ⚠️ PARTIAL sont associés à des findings HIGH/MEDIUM/LOW documentés
- Tous les findings ont des remédiations concrètes dans la REMEDIATION_MATRIX
**Objectif v1.0.0** : Résoudre tous les FAIL et réduire les PARTIAL pour atteindre ≥ 85% conformité.
---
*Checklist ASVS générée le 2026-03-13 — VEZA v0.12.6 — Audit complet (36 findings)*
Reference in a new issue View git blame Copy permalink