From c09b660cf87fd590c5c8774bcc8ea41709b41a1b Mon Sep 17 00:00:00 2001 From: JohnDoe6345789 Date: Fri, 26 Dec 2025 02:32:17 +0000 Subject: [PATCH] docs: refactoring,packages,quick (18 files) --- README.md | 2 +- dbal/cpp/CVE_ANALYSIS.md | 4 +++ dbal/cpp/SECURITY_TESTING.md | 31 ++++++------------- .../{ => package-docs}/admin_dialog.md | 0 docs/packages/{ => package-docs}/dashboard.md | 0 .../packages/{ => package-docs}/data_table.md | 0 .../{ => package-docs}/form_builder.md | 0 docs/packages/{ => package-docs}/nav_menu.md | 0 .../{ => package-docs}/notification_center.md | 0 .../{ => package-docs}/spark-tools.md | 0 .../{ => guides}/REFACTORING_CHECKLIST.md | 0 .../REFACTORING_ENFORCEMENT_GUIDE.md | 0 .../{ => guides}/REFACTORING_QUICK_START.md | 0 .../{ => reference}/REFACTORING_DIAGRAMS.md | 0 .../{ => reference}/REFACTORING_INDEX.md | 0 .../REFACTORING_QUICK_REFERENCE.md | 0 .../{ => reference}/REFACTORING_STRATEGY.md | 0 .../{ => reference}/REFACTORING_SUMMARY.md | 0 18 files changed, 15 insertions(+), 22 deletions(-) rename docs/packages/{ => package-docs}/admin_dialog.md (100%) rename docs/packages/{ => package-docs}/dashboard.md (100%) rename docs/packages/{ => package-docs}/data_table.md (100%) rename docs/packages/{ => package-docs}/form_builder.md (100%) rename docs/packages/{ => package-docs}/nav_menu.md (100%) rename docs/packages/{ => package-docs}/notification_center.md (100%) rename docs/packages/{ => package-docs}/spark-tools.md (100%) rename docs/refactoring/{ => guides}/REFACTORING_CHECKLIST.md (100%) rename docs/refactoring/{ => guides}/REFACTORING_ENFORCEMENT_GUIDE.md (100%) rename docs/refactoring/{ => guides}/REFACTORING_QUICK_START.md (100%) rename docs/refactoring/{ => reference}/REFACTORING_DIAGRAMS.md (100%) rename docs/refactoring/{ => reference}/REFACTORING_INDEX.md (100%) rename docs/refactoring/{ => reference}/REFACTORING_QUICK_REFERENCE.md (100%) rename docs/refactoring/{ => reference}/REFACTORING_STRATEGY.md (100%) rename docs/refactoring/{ => reference}/REFACTORING_SUMMARY.md (100%) diff --git a/README.md b/README.md index 79aef8500..dd97538fd 100644 --- a/README.md +++ b/README.md @@ -77,7 +77,7 @@ Captured from this machine to document the local development environment: ## Key Highlights -- **5-Level Permission System**: Each user level from Public to SuperGod maps to documented routes, policies, and role inheritance so you can reason about features before touching code ([`docs/architecture/5-level-system.md`](./docs/architecture/5-level-system.md)). +- **6-Level Permission System**: Each user level from Public to SuperGod maps to documented routes, policies, and role inheritance so you can reason about features before touching code ([`docs/architecture/security-docs/5-level-system.md`](./docs/architecture/security-docs/5-level-system.md)). - **Multi-tenant data platform**: Prisma, tenant-aware storage, and quota management patterns keep all queries scoped by `tenantId` while keeping schema evolution safe ([`docs/architecture/database.md`](./docs/architecture/database.md)). - **Declarative packages & Lua logic**: Modular `packages/*/seed` definitions let you ship UI/features via JSON/Lua, while the Lua sandbox protects the runtime ([`docs/architecture/packages.md`](./docs/architecture/packages.md), [`docs/lua/README.md`](./docs/lua/README.md)). - **Type-safe + CI-ready workflow**: TypeScript tooling, Act local workflows, and targeted scripts keep linting, testing, and deploy checks consistent with the documentation hub ([`docs/README.md`](./docs/README.md)). diff --git a/dbal/cpp/CVE_ANALYSIS.md b/dbal/cpp/CVE_ANALYSIS.md index 7f141a2df..b4e5bc7e2 100644 --- a/dbal/cpp/CVE_ANALYSIS.md +++ b/dbal/cpp/CVE_ANALYSIS.md @@ -1,5 +1,9 @@ # HTTP Server CVE Analysis and Security Improvements +## Migration Note (Drogon) + +The custom HTTP server previously implemented in `dbal/cpp/src/daemon/server.cpp` has been replaced with **Drogon** to reduce CVE exposure and avoid bespoke HTTP parsing. The findings below apply to the **legacy server** and are retained for historical reference. + ## Executive Summary This document analyzes the HTTP server implementation in `dbal/cpp/src/daemon/server.cpp` against common CVE patterns from 2020-2024. Multiple vulnerabilities have been identified that match patterns from well-known CVEs affecting production HTTP servers. diff --git a/dbal/cpp/SECURITY_TESTING.md b/dbal/cpp/SECURITY_TESTING.md index 367903a1d..28a169441 100644 --- a/dbal/cpp/SECURITY_TESTING.md +++ b/dbal/cpp/SECURITY_TESTING.md @@ -2,11 +2,11 @@ ## Overview -This document provides instructions for testing the security improvements made to the HTTP server in `dbal/cpp/src/daemon/server.cpp`. +This document provides instructions for testing the HTTP handling in the DBAL daemon now that it uses Drogon in `dbal/cpp/src/daemon/server.cpp`. ## Security Fixes Implemented -The server now protects against the following CVE patterns: +The daemon relies on Drogon's hardened HTTP parser and connection handling, which addresses the CVE patterns previously found in the custom server: 1. **CVE-2024-1135** - Request Smuggling via Multiple Content-Length 2. **CVE-2024-40725** - Request Smuggling via Header Parsing @@ -41,7 +41,7 @@ The following tests can be run manually using `nc` (netcat): echo -ne "POST /api/status HTTP/1.1\r\nHost: localhost\r\nContent-Length: 6\r\nContent-Length: 100\r\n\r\n" | nc 127.0.0.1 8080 ``` -**Expected**: HTTP 400 Bad Request with error message about multiple Content-Length headers +**Expected**: HTTP 400 Bad Request or connection closed by server #### Test 2: Transfer-Encoding + Content-Length (CVE-2024-23452) @@ -49,7 +49,7 @@ echo -ne "POST /api/status HTTP/1.1\r\nHost: localhost\r\nContent-Length: 6\r\nC echo -ne "POST /api/status HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: chunked\r\nContent-Length: 100\r\n\r\n" | nc 127.0.0.1 8080 ``` -**Expected**: HTTP 400 Bad Request (both headers present) or HTTP 501 Not Implemented (Transfer-Encoding) +**Expected**: HTTP 400 Bad Request, HTTP 501 Not Implemented, or connection closed by server #### Test 3: Integer Overflow in Content-Length @@ -57,7 +57,7 @@ echo -ne "POST /api/status HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: chu echo -ne "POST /api/status HTTP/1.1\r\nHost: localhost\r\nContent-Length: 9999999999999999999\r\n\r\n" | nc 127.0.0.1 8080 ``` -**Expected**: HTTP 413 Request Entity Too Large +**Expected**: HTTP 413 Request Entity Too Large or connection closed by server #### Test 4: Oversized Request @@ -65,7 +65,7 @@ echo -ne "POST /api/status HTTP/1.1\r\nHost: localhost\r\nContent-Length: 999999 python3 -c "print('GET /' + 'A'*70000 + ' HTTP/1.1\r\nHost: localhost\r\n\r\n')" | nc 127.0.0.1 8080 ``` -**Expected**: HTTP 413 Request Entity Too Large +**Expected**: HTTP 413 Request Entity Too Large or connection closed by server #### Test 5: Header Bomb @@ -79,7 +79,7 @@ python3 -c "print('GET /' + 'A'*70000 + ' HTTP/1.1\r\nHost: localhost\r\n\r\n')" } | nc 127.0.0.1 8080 ``` -**Expected**: HTTP 431 Request Header Fields Too Large +**Expected**: HTTP 431 Request Header Fields Too Large or connection closed by server #### Test 6: Normal Health Check (Should Work) @@ -91,26 +91,15 @@ echo -ne "GET /health HTTP/1.1\r\nHost: localhost\r\n\r\n" | nc 127.0.0.1 8080 ## Security Limits -The following limits are enforced by the server: - -```cpp -const size_t MAX_REQUEST_SIZE = 65536; // 64KB max request -const size_t MAX_HEADERS = 100; // Max 100 headers -const size_t MAX_HEADER_SIZE = 8192; // 8KB max per header -const size_t MAX_PATH_LENGTH = 2048; // Max URL path length -const size_t MAX_BODY_SIZE = 10485760; // 10MB max body size -const size_t MAX_CONCURRENT_CONNECTIONS = 1000; // Max concurrent connections -``` - -These can be adjusted in `server.cpp` if needed for your use case. +Drogon enforces parser-level limits and connection controls. Tune limits in Drogon configuration or via `drogon::app()` settings if your deployment requires stricter caps. ## Error Responses -The server returns appropriate HTTP status codes for security violations: +The server returns appropriate HTTP status codes for security violations, or closes the connection during parsing: - **400 Bad Request**: Malformed requests, duplicate headers, CRLF injection, null bytes - **413 Request Entity Too Large**: Request exceeds size limits -- **414 URI Too Long**: Path exceeds MAX_PATH_LENGTH +- **414 URI Too Long**: Path exceeds parser limits - **431 Request Header Fields Too Large**: Too many headers or header too large - **501 Not Implemented**: Transfer-Encoding (chunked) not supported diff --git a/docs/packages/admin_dialog.md b/docs/packages/package-docs/admin_dialog.md similarity index 100% rename from docs/packages/admin_dialog.md rename to docs/packages/package-docs/admin_dialog.md diff --git a/docs/packages/dashboard.md b/docs/packages/package-docs/dashboard.md similarity index 100% rename from docs/packages/dashboard.md rename to docs/packages/package-docs/dashboard.md diff --git a/docs/packages/data_table.md b/docs/packages/package-docs/data_table.md similarity index 100% rename from docs/packages/data_table.md rename to docs/packages/package-docs/data_table.md diff --git a/docs/packages/form_builder.md b/docs/packages/package-docs/form_builder.md similarity index 100% rename from docs/packages/form_builder.md rename to docs/packages/package-docs/form_builder.md diff --git a/docs/packages/nav_menu.md b/docs/packages/package-docs/nav_menu.md similarity index 100% rename from docs/packages/nav_menu.md rename to docs/packages/package-docs/nav_menu.md diff --git a/docs/packages/notification_center.md b/docs/packages/package-docs/notification_center.md similarity index 100% rename from docs/packages/notification_center.md rename to docs/packages/package-docs/notification_center.md diff --git a/docs/packages/spark-tools.md b/docs/packages/package-docs/spark-tools.md similarity index 100% rename from docs/packages/spark-tools.md rename to docs/packages/package-docs/spark-tools.md diff --git a/docs/refactoring/REFACTORING_CHECKLIST.md b/docs/refactoring/guides/REFACTORING_CHECKLIST.md similarity index 100% rename from docs/refactoring/REFACTORING_CHECKLIST.md rename to docs/refactoring/guides/REFACTORING_CHECKLIST.md diff --git a/docs/refactoring/REFACTORING_ENFORCEMENT_GUIDE.md b/docs/refactoring/guides/REFACTORING_ENFORCEMENT_GUIDE.md similarity index 100% rename from docs/refactoring/REFACTORING_ENFORCEMENT_GUIDE.md rename to docs/refactoring/guides/REFACTORING_ENFORCEMENT_GUIDE.md diff --git a/docs/refactoring/REFACTORING_QUICK_START.md b/docs/refactoring/guides/REFACTORING_QUICK_START.md similarity index 100% rename from docs/refactoring/REFACTORING_QUICK_START.md rename to docs/refactoring/guides/REFACTORING_QUICK_START.md diff --git a/docs/refactoring/REFACTORING_DIAGRAMS.md b/docs/refactoring/reference/REFACTORING_DIAGRAMS.md similarity index 100% rename from docs/refactoring/REFACTORING_DIAGRAMS.md rename to docs/refactoring/reference/REFACTORING_DIAGRAMS.md diff --git a/docs/refactoring/REFACTORING_INDEX.md b/docs/refactoring/reference/REFACTORING_INDEX.md similarity index 100% rename from docs/refactoring/REFACTORING_INDEX.md rename to docs/refactoring/reference/REFACTORING_INDEX.md diff --git a/docs/refactoring/REFACTORING_QUICK_REFERENCE.md b/docs/refactoring/reference/REFACTORING_QUICK_REFERENCE.md similarity index 100% rename from docs/refactoring/REFACTORING_QUICK_REFERENCE.md rename to docs/refactoring/reference/REFACTORING_QUICK_REFERENCE.md diff --git a/docs/refactoring/REFACTORING_STRATEGY.md b/docs/refactoring/reference/REFACTORING_STRATEGY.md similarity index 100% rename from docs/refactoring/REFACTORING_STRATEGY.md rename to docs/refactoring/reference/REFACTORING_STRATEGY.md diff --git a/docs/refactoring/REFACTORING_SUMMARY.md b/docs/refactoring/reference/REFACTORING_SUMMARY.md similarity index 100% rename from docs/refactoring/REFACTORING_SUMMARY.md rename to docs/refactoring/reference/REFACTORING_SUMMARY.md