Security hardening - prevent command injection, limit SSE connections, harden container #39

Open
keithdealwis-ui wants to merge 1 commit into calesthio:master from keithdealwis-ui:security-hardening

@keithdealwis-ui

Summary

Three security improvements to harden Crucix against common attack vectors:

  1. Command injection prevention - Validate PORT environment variable
  2. DoS mitigation - Limit concurrent SSE connections
  3. Container security - Fix health check + non-root user

All changes are non-breaking and backward compatible.


1. Command Injection Prevention (crucix.config.mjs)

Issue: PORT env var is passed unsanitized to child_process.exec() when auto-opening browser:

exec(`${openCmd} "http://localhost:${config.port}"`, ...);

Attack vector: Malicious .env file could inject shell commands:

PORT=3117"; rm -rf / #

Fix: Validate PORT is numeric and within safe range (1024-65535) before use.

CWE: CWE-78: OS Command Injection


2. Denial of Service Mitigation (server.mjs)

Issue: /events SSE endpoint has no connection limit:

app.get('/events', (req, res) => {
  sseClients.add(res);  // No limit
});

Attack vector: Attacker opens 10,000+ connections → memory exhaustion → process crash.

Fix: Return HTTP 503 when sseClients.size >= 100.

CWE: CWE-400: Uncontrolled Resource Consumption


3. Container Security (Dockerfile)

Issues:

  • Health check uses wget but node:22-alpine doesn't include it → silent failure
  • Container runs as root → unnecessary privilege escalation risk

Fixes:

  • Install wget via apk add --no-cache wget
  • Create non-root user crucix:1001 and run as that user

CWE: CWE-250: Execution with Unnecessary Privileges


Testing

All changes tested on production deployment:

  • ✅ PORT validation rejects invalid values (tested with non-numeric input)
  • ✅ SSE endpoint returns 503 after 100 connections
  • ✅ Docker health check passes (tested with docker compose up)
  • ✅ Container runs as non-root user (verified with docker exec ... whoami)

Impact

  • Severity: Medium (command injection) + Low (DoS, privilege escalation)
  • Scope: All deployments exposed to untrusted .env files or public internet
  • Breaking changes: None
  • Performance impact: Negligible (single integer comparison per SSE connection)

Happy to address any feedback or concerns.

- Validate PORT env var to prevent command injection via exec()
- Add 100 connection limit to SSE endpoint to prevent DoS
- Install wget in Dockerfile for health checks
- Add non-root user (crucix:1001) to container

Co-Authored-By: Claude Code <[email protected]>
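
Added example, not part of the pull request or of Crucix's code: one way to implement the PORT check described in item 1, paired with an argv-style launch so the URL never passes through a shell. The names `parsePort` and `browserLaunchSpec` and the fallback port are assumptions made for illustration.

```javascript
// Added example; parsePort and browserLaunchSpec are hypothetical names.
const MIN_PORT = 1024;   // range stated in the PR description
const MAX_PORT = 65535;

// Strictly parse a PORT value taken from the environment.
// fallback = 3117 is an assumption borrowed from the PR's sample value.
function parsePort(raw, fallback = 3117) {
  if (raw === undefined || raw === '') return fallback; // unset: use default
  // Match the whole string: decimal digits only, no sign, whitespace,
  // hex prefix or trailing text. parseInt() alone is not a validator: it
  // stops at the first non-digit, so '3117"; rm -rf / #' parses as 3117
  // while the raw string still carries the injected text.
  if (typeof raw !== 'string' || !/^[1-9][0-9]{0,4}$/.test(raw)) {
    throw new RangeError(`PORT must be a decimal integer, got ${JSON.stringify(raw)}`);
  }
  const port = Number(raw);
  if (port < MIN_PORT || port > MAX_PORT) {
    throw new RangeError(`PORT must be in ${MIN_PORT}-${MAX_PORT}, got ${port}`);
  }
  return port; // a number, never the raw string
}

// Build a launch spec for child_process.execFile()/spawn(), which pass
// args to the program directly instead of through a shell command line.
// Only a validated integer is interpolated into the URL.
function browserLaunchSpec(openCmd, port) {
  if (!Number.isInteger(port) || port < MIN_PORT || port > MAX_PORT) {
    throw new TypeError('port must come from parsePort()');
  }
  return { file: openCmd, args: [`http://localhost:${port}`] };
}

// Constructed sample inputs, including the payload quoted in the PR.
function classifySamples() {
  const samples = ['3117', '8080', '3117"; rm -rf / #', '80', '65536', ' 8080', '0x1F90'];
  return samples.map((s) => {
    try { return [s, parsePort(s)]; } catch (e) { return [s, 'rejected']; }
  });
}
```

Used together, `browserLaunchSpec(openCmd, parsePort(process.env.PORT))` yields a `file` and `args` pair in which the port is a checked integer and the URL is a single argument.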
@calesthio
Owner

I haven't been able to get to this yet because work has been busy, but I definitely plan to review it over the weekend.

schergr pushed a commit to schergr/Crucix that referenced this pull request Mar 23, 2026
- Replace single &#39; handler with generic numeric/hex entity decoder
  so &#39; and other unpadded entities are properly converted
- Dedup urgent OSINT posts against all hot memory runs (last 3 sweeps)
  instead of only the previous sweep, preventing posts that drop out
  of one sweep from reappearing as "new" in the next

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>