Diffstat (limited to 'SECURITY_CHECKLIST.md')
-rw-r--r-- SECURITY_CHECKLIST.md 250
1 files changed, 250 insertions, 0 deletions
diff --git a/SECURITY_CHECKLIST.md b/SECURITY_CHECKLIST.md
new file mode 100644
index 0000000..4e63174
--- /dev/null
+++ b/SECURITY_CHECKLIST.md
@@ -0,0 +1,250 @@
+# Security & Quality Checklist
+
+## Critical Security Issues (Must Fix Before Production)
+
+### Authentication & Authorization
+- [ ] **Timing Attack in AI Auth** (15 min)
+ - File: `internal/middleware/ai_auth.go:31`
+ - Change: Use `crypto/subtle.ConstantTimeCompare()` instead of `!=`
+ - Impact: Prevents token brute-forcing
+
+### Database Security
+- [ ] **SQL Injection in GetNotes()** (15 min)
+ - File: `internal/store/sqlite.go:208`
+ - Change: Use parameterized query for LIMIT clause
+ - Impact: Prevents SQL injection attacks
+
+- [ ] **SQLite Concurrency Configuration** (30 min)
+ - File: `internal/store/sqlite.go:22-30`
+ - Change: Set `MaxOpenConns(1)`, enable WAL mode
+ - Impact: Prevents "database is locked" errors under concurrent load
+
+- [ ] **Database File Permissions** (15 min)
+ - File: `internal/store/sqlite.go:22-24`
+ - Change: Set file to 0600, create dir with 0700
+ - Impact: Prevents unauthorized access to cached data
+
+### Input/Output Security
+- [ ] **Path Traversal in Obsidian** (1 hour)
+ - File: `internal/api/obsidian.go:49-70`
+ - Change: Validate paths stay within vault, skip symlinks
+ - Impact: Prevents arbitrary file read attacks
+
+- [ ] **JSON Injection in Error Responses** (15 min)
+ - File: `internal/middleware/ai_auth.go:42-45`
+ - Change: Use `json.Encoder` instead of string concatenation
+ - Impact: Prevents JSON structure manipulation
+
+### Network Security
+- [ ] **HTTPS Support** (1 hour)
+ - File: `cmd/dashboard/main.go:86-94`
+ - Change: Add TLS configuration and ListenAndServeTLS
+ - Impact: Prevents credential theft via network sniffing
+
+---
+
+## High Priority Issues (Should Fix Soon)
+
+### Concurrency & Performance
+- [ ] **Context Cancellation in Goroutines** (30 min)
+ - File: `internal/handlers/handlers.go:151-207`
+ - Change: Check `ctx.Done()` before locking mutex in each goroutine
+ - Impact: Prevents goroutine leaks and resource exhaustion
+
+- [ ] **Parallelize Trello Card Fetching** (1 hour)
+ - File: `internal/api/trello.go:196-204`
+ - Change: Use goroutines with bounded concurrency for card fetching
+ - Impact: Reduces API call time from N+1 sequential to parallel
+
+- [ ] **Reduce Mutex Contention in aggregateData** (45 min)
+ - File: `internal/handlers/handlers.go:154-205`
+ - Change: Store results locally, lock only for final assignment
+ - Impact: Better parallelism, faster page loads
+
+- [ ] **HTTP Client Connection Pooling** (30 min)
+ - File: `internal/api/*.go` (all clients)
+ - Change: Configure Transport with MaxIdleConns, MaxIdleConnsPerHost
+ - Impact: Prevents port exhaustion and API rate limiting
+
+### Security Hardening
+- [ ] **Rate Limiting on Endpoints** (1 hour)
+ - File: `cmd/dashboard/main.go:67, 73`
+ - Change: Add rate limiting middleware
+ - Impact: Prevents DoS attacks and API quota exhaustion
+
+- [ ] **CSRF Protection** (2 hours)
+ - File: `cmd/dashboard/main.go:67`
+ - Change: Add CSRF middleware for POST endpoints
+ - Impact: Prevents cross-site request forgery (needed for Phase 2)
+
+- [ ] **Sanitize API Keys in Logs** (30 min)
+ - File: `internal/api/*.go` (all clients)
+ - Change: Redact keys/tokens in error messages
+ - Impact: Prevents credential leaks via log files
+
+### Error Handling
+- [ ] **Check JSON Unmarshal Errors** (30 min)
+ - File: `internal/store/sqlite.go:155, 234`
+ - Change: Log errors, provide defaults
+ - Impact: Prevents silent data loss
+
+- [ ] **Sanitize Error Messages** (1 hour)
+ - File: `internal/handlers/handlers.go` (multiple locations)
+ - Change: Return generic errors to users, log details internally
+ - Impact: Prevents information disclosure
+
+---
+
+## Medium Priority Issues (Nice to Have)
+
+### Code Quality
+- [ ] **Database Connection Health Check** (15 min)
+ - File: `internal/store/sqlite.go:22-30`
+ - Change: Add `db.Ping()` after opening connection
+ - Impact: Fail fast on database issues
+
+- [ ] **Null Object Pattern for Optional Clients** (1 hour)
+ - File: `internal/handlers/handlers.go`, `cmd/dashboard/main.go`
+ - Change: Implement null objects instead of nil checks
+ - Impact: Eliminates nil pointer risks
+
+- [ ] **Context Timeouts for Database Operations** (2 hours)
+ - File: `internal/store/sqlite.go` (all methods)
+ - Change: Use `QueryContext`, `ExecContext`, add context parameters
+ - Impact: Prevents indefinite blocking
+
+- [ ] **Validate API Response Data** (2 hours)
+ - File: `internal/api/*.go` (all clients)
+ - Change: Add validation functions for API responses
+ - Impact: Protection against malicious API servers
+
+### Testing
+- [ ] **Add AI Handler Tests** (2 hours)
+ - File: `internal/handlers/ai_handlers_test.go` (new)
+ - Tests: Task categorization, meal grouping, response size
+ - Impact: Better test coverage
+
+- [ ] **Add Middleware Tests** (1 hour)
+ - File: `internal/middleware/ai_auth_test.go` (new)
+ - Tests: Valid/invalid tokens, missing headers
+ - Impact: Better test coverage
+
+- [ ] **Add Edge Case Tests** (2 hours)
+ - Files: Various test files
+ - Tests: Empty responses, malformed JSON, network errors
+ - Impact: More robust error handling
+
+### Security Headers
+- [ ] **Add Security Headers Middleware** (30 min)
+ - File: `cmd/dashboard/main.go`
+ - Change: Add X-Frame-Options, CSP, X-Content-Type-Options, etc.
+ - Impact: Defense in depth
+
+- [ ] **Content Security Policy** (1 hour)
+ - File: `cmd/dashboard/main.go`
+ - Change: Add CSP header with appropriate directives
+ - Impact: XSS protection
+
+### Configuration
+- [ ] **Validate Config at Startup** (30 min)
+ - File: `internal/config/config.go:61-76`
+ - Change: Add token strength validation, file path checks
+ - Impact: Fail fast on misconfiguration
+
+- [ ] **Make HTTP Timeouts Configurable** (30 min)
+ - File: `internal/api/*.go` (all clients)
+ - Change: Add `APITimeoutSeconds` to config
+ - Impact: Flexibility for different environments
+
+---
+
+## Low Priority / Future Enhancements
+
+### Monitoring & Observability
+- [ ] **Structured Logging** (4 hours)
+ - Change: Replace log.Printf with structured logger (zap/zerolog)
+ - Impact: Better log analysis and debugging
+
+- [ ] **Health Check Endpoint** (30 min)
+ - File: `cmd/dashboard/main.go`
+ - Change: Add `/health` endpoint checking DB, API connectivity
+ - Impact: Better monitoring
+
+- [ ] **Metrics Collection** (4 hours)
+ - Change: Add Prometheus metrics for API calls, cache hits, errors
+ - Impact: Performance monitoring
+
+### Code Organization
+- [ ] **Extract Constants** (1 hour)
+ - Files: Various
+ - Change: Move magic numbers to constants
+ - Impact: Better maintainability
+
+- [ ] **Standardize Error Messages** (1 hour)
+ - Files: Various
+ - Change: Consistent capitalization and formatting
+ - Impact: Better UX
+
+### Database
+- [ ] **Database Encryption at Rest** (2 hours)
+ - File: `internal/store/sqlite.go`
+ - Change: Use SQLCipher
+ - Impact: Data protection
+
+- [ ] **Migration Versioning Table** (1 hour)
+ - File: `internal/store/sqlite.go:41-68`
+ - Change: Track which migrations have run
+ - Impact: Better migration management
+
+---
+
+## Estimated Time Summary
+
+| Priority | Count | Estimated Time |
+|----------|-------|----------------|
+| Critical | 6 items | ~4 hours |
+| High | 7 items | ~6.5 hours |
+| Medium | 11 items | ~13.5 hours |
+| Low | 8 items | ~14 hours |
+| **Total** | **32 items** | **~38 hours** |
+
+### Recommended Sprint 1 (Critical + High Priority)
+- **Duration**: 1-2 weeks part-time
+- **Items**: 13 items
+- **Time**: ~10.5 hours
+- **Focus**: Security hardening and performance
+
+### Recommended Sprint 2 (Medium Priority)
+- **Duration**: 1-2 weeks part-time
+- **Items**: 11 items
+- **Time**: ~13.5 hours
+- **Focus**: Code quality and testing
+
+---
+
+## Quick Wins (< 30 minutes each)
+
+These can be done in small chunks:
+
+1. ✓ Timing attack fix (15 min)
+2. ✓ SQL injection fix (15 min)
+3. ✓ JSON injection fix (15 min)
+4. ✓ Database permissions (15 min)
+5. ✓ Health check endpoint (15 min)
+6. ✓ Security headers middleware (30 min)
+7. ✓ Database ping check (15 min)
+8. ✓ Check JSON unmarshal errors (30 min)
+9. ✓ Extract constants (30 min)
+10. ✓ Config validation (30 min)
+
+**Total Quick Wins**: ~4 hours, addresses 10 issues
+
+---
+
+## Notes
+
+- Priority order considers both security impact and implementation effort
+- Times are estimates for an experienced Go developer
+- Some items may reveal additional issues during implementation
+- Testing time not included (add ~30% for comprehensive testing)
+- Code review time not included (add ~20% for peer review)
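Review bot: The Estimated Time Summary table does not match the checklist above it: the Critical section lists 7 items (table says 6), High lists 9 (table says 7) and Low lists 7 (table says 8), so the total is 34 rather than 32 and Sprint 1 covers 16 items rather than 13. Recount the table and sprint rows from the sections and re-sum the hours, since the High items alone add up to about 7.75 hours against the stated ~6.5. The Quick Wins list also disagrees with the body: the health check endpoint is 30 min above but 15 min here, extract constants is 1 hour above but 30 min here, the heading says "< 30 minutes each" while four entries are listed at 30 min, and the ✓ marks read as done although every box is still `- [ ]`. On the timing-attack item, `crypto/subtle.ConstantTimeCompare()` returns immediately when the two inputs differ in length, so the Change line should say to compare fixed-length digests of the presented and expected tokens rather than the raw strings.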