git/metabuilder
1
0
Fork 0
mirror of https://github.com/johndoe6345789/metabuilder.git synced 2026-04-24 13:54:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: refactoring,packages,quick (18 files)

Browse Source
This commit is contained in:
JohnDoe6345789
2025-12-26 02:32:17 +00:00
parent 235542b6ff
commit c09b660cf8
18 changed files with 15 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -77,7 +77,7 @@ Captured from this machine to document the local development environment:
## Key Highlights
- **5-Level Permission System**: Each user level from Public to SuperGod maps to documented routes, policies, and role inheritance so you can reason about features before touching code ([`docs/architecture/5-level-system.md`](./docs/architecture/5-level-system.md)).
- **6-Level Permission System**: Each user level from Public to SuperGod maps to documented routes, policies, and role inheritance so you can reason about features before touching code ([`docs/architecture/security-docs/5-level-system.md`](./docs/architecture/security-docs/5-level-system.md)).
- **Multi-tenant data platform**: Prisma, tenant-aware storage, and quota management patterns keep all queries scoped by `tenantId` while keeping schema evolution safe ([`docs/architecture/database.md`](./docs/architecture/database.md)).
- **Declarative packages & Lua logic**: Modular `packages/*/seed` definitions let you ship UI/features via JSON/Lua, while the Lua sandbox protects the runtime ([`docs/architecture/packages.md`](./docs/architecture/packages.md), [`docs/lua/README.md`](./docs/lua/README.md)).
- **Type-safe + CI-ready workflow**: TypeScript tooling, Act local workflows, and targeted scripts keep linting, testing, and deploy checks consistent with the documentation hub ([`docs/README.md`](./docs/README.md)).

4
dbal/cpp/CVE_ANALYSIS.md
View File

@@ -1,5 +1,9 @@
# HTTP Server CVE Analysis and Security Improvements
## Migration Note (Drogon)
The custom HTTP server previously implemented in `dbal/cpp/src/daemon/server.cpp` has been replaced with **Drogon** to reduce CVE exposure and avoid bespoke HTTP parsing. The findings below apply to the **legacy server** and are retained for historical reference.
## Executive Summary
This document analyzes the HTTP server implementation in `dbal/cpp/src/daemon/server.cpp` against common CVE patterns from 2020-2024. Multiple vulnerabilities have been identified that match patterns from well-known CVEs affecting production HTTP servers.

31
dbal/cpp/SECURITY_TESTING.md
View File

@@ -2,11 +2,11 @@
## Overview
This document provides instructions for testing the security improvements made to the HTTP server in `dbal/cpp/src/daemon/server.cpp`.
This document provides instructions for testing the HTTP handling in the DBAL daemon now that it uses Drogon in `dbal/cpp/src/daemon/server.cpp`.
## Security Fixes Implemented
The server now protects against the following CVE patterns:
The daemon relies on Drogon's hardened HTTP parser and connection handling, which addresses the CVE patterns previously found in the custom server:
1. **CVE-2024-1135** - Request Smuggling via Multiple Content-Length
2. **CVE-2024-40725** - Request Smuggling via Header Parsing
@@ -41,7 +41,7 @@ The following tests can be run manually using `nc` (netcat):
echo -ne "POST /api/status HTTP/1.1\r\nHost: localhost\r\nContent-Length: 6\r\nContent-Length: 100\r\n\r\n" | nc 127.0.0.1 8080
```
**Expected**: HTTP 400 Bad Request with error message about multiple Content-Length headers
**Expected**: HTTP 400 Bad Request or connection closed by server
#### Test 2: Transfer-Encoding + Content-Length (CVE-2024-23452)
@@ -49,7 +49,7 @@ echo -ne "POST /api/status HTTP/1.1\r\nHost: localhost\r\nContent-Length: 6\r\nC
echo -ne "POST /api/status HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: chunked\r\nContent-Length: 100\r\n\r\n" | nc 127.0.0.1 8080
```
**Expected**: HTTP 400 Bad Request (both headers present) or HTTP 501 Not Implemented (Transfer-Encoding)
**Expected**: HTTP 400 Bad Request, HTTP 501 Not Implemented, or connection closed by server
#### Test 3: Integer Overflow in Content-Length
@@ -57,7 +57,7 @@ echo -ne "POST /api/status HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: chu
echo -ne "POST /api/status HTTP/1.1\r\nHost: localhost\r\nContent-Length: 9999999999999999999\r\n\r\n" | nc 127.0.0.1 8080
```
**Expected**: HTTP 413 Request Entity Too Large
**Expected**: HTTP 413 Request Entity Too Large or connection closed by server
#### Test 4: Oversized Request
@@ -65,7 +65,7 @@ echo -ne "POST /api/status HTTP/1.1\r\nHost: localhost\r\nContent-Length: 999999
python3 -c "print('GET /' + 'A'*70000 + ' HTTP/1.1\r\nHost: localhost\r\n\r\n')" | nc 127.0.0.1 8080
```
**Expected**: HTTP 413 Request Entity Too Large
**Expected**: HTTP 413 Request Entity Too Large or connection closed by server
#### Test 5: Header Bomb
@@ -79,7 +79,7 @@ python3 -c "print('GET /' + 'A'*70000 + ' HTTP/1.1\r\nHost: localhost\r\n\r\n')"
} | nc 127.0.0.1 8080
```
**Expected**: HTTP 431 Request Header Fields Too Large
**Expected**: HTTP 431 Request Header Fields Too Large or connection closed by server
#### Test 6: Normal Health Check (Should Work)
@@ -91,26 +91,15 @@ echo -ne "GET /health HTTP/1.1\r\nHost: localhost\r\n\r\n" | nc 127.0.0.1 8080
## Security Limits
The following limits are enforced by the server:
```cpp
const size_t MAX_REQUEST_SIZE = 65536; // 64KB max request
const size_t MAX_HEADERS = 100; // Max 100 headers
const size_t MAX_HEADER_SIZE = 8192; // 8KB max per header
const size_t MAX_PATH_LENGTH = 2048; // Max URL path length
const size_t MAX_BODY_SIZE = 10485760; // 10MB max body size
const size_t MAX_CONCURRENT_CONNECTIONS = 1000; // Max concurrent connections
```
These can be adjusted in `server.cpp` if needed for your use case.
Drogon enforces parser-level limits and connection controls. Tune limits in Drogon configuration or via `drogon::app()` settings if your deployment requires stricter caps.
## Error Responses
The server returns appropriate HTTP status codes for security violations:
The server returns appropriate HTTP status codes for security violations, or closes the connection during parsing:
- **400 Bad Request**: Malformed requests, duplicate headers, CRLF injection, null bytes
- **413 Request Entity Too Large**: Request exceeds size limits
- **414 URI Too Long**: Path exceeds MAX_PATH_LENGTH
- **414 URI Too Long**: Path exceeds parser limits
- **431 Request Header Fields Too Large**: Too many headers or header too large
- **501 Not Implemented**: Transfer-Encoding (chunked) not supported

0
docs/packages/admin_dialog.md → docs/packages/package-docs/admin_dialog.md
View File

0
docs/packages/dashboard.md → docs/packages/package-docs/dashboard.md
View File

0
docs/packages/data_table.md → docs/packages/package-docs/data_table.md
View File

0
docs/packages/form_builder.md → docs/packages/package-docs/form_builder.md
View File

0
docs/packages/nav_menu.md → docs/packages/package-docs/nav_menu.md
View File

0
docs/packages/notification_center.md → docs/packages/package-docs/notification_center.md
View File

0
docs/packages/spark-tools.md → docs/packages/package-docs/spark-tools.md
View File

0
docs/refactoring/REFACTORING_CHECKLIST.md → docs/refactoring/guides/REFACTORING_CHECKLIST.md
View File

0
docs/refactoring/REFACTORING_ENFORCEMENT_GUIDE.md → docs/refactoring/guides/REFACTORING_ENFORCEMENT_GUIDE.md
View File

0
docs/refactoring/REFACTORING_QUICK_START.md → docs/refactoring/guides/REFACTORING_QUICK_START.md
View File

0
docs/refactoring/REFACTORING_DIAGRAMS.md → docs/refactoring/reference/REFACTORING_DIAGRAMS.md
View File

0
docs/refactoring/REFACTORING_INDEX.md → docs/refactoring/reference/REFACTORING_INDEX.md
View File

0
docs/refactoring/REFACTORING_QUICK_REFERENCE.md → docs/refactoring/reference/REFACTORING_QUICK_REFERENCE.md
View File

0
docs/refactoring/REFACTORING_STRATEGY.md → docs/refactoring/reference/REFACTORING_STRATEGY.md
View File

0
docs/refactoring/REFACTORING_SUMMARY.md → docs/refactoring/reference/REFACTORING_SUMMARY.md
View File