Merge pull request #44 from metaschema-framework/hotfix/latest

document security improvement in oscal
metaschema-framework · Dec 13, 2024 · 95178d4 · 95178d4
2 parents 6363f60 + 53f8ac0
commit 95178d4
Show file tree

Hide file tree

Showing 12 changed files with 2,078 additions and 82 deletions.
diff --git a/.idea/workspace.xml b/.idea/workspace.xml
diff --git a/.oscal/attachments/diagrams/authorization-boundary.mermaid b/.oscal/attachments/diagrams/authorization-boundary.mermaid
@@ -0,0 +1,61 @@
+flowchart TD
+    subgraph External["External Boundary"]
+        Client[Web Client]
+    end
+
+    subgraph AuthBoundary["Authorization Boundary"]
+        direction TB
+
+        subgraph ServerControls["Server Security Controls"]
+            LocalHost["Localhost Only\nPort 8888"]
+            Router["Router/API Gateway\nInput Validation"]
+        end
+
+        subgraph FileSystemControls["Filesystem Security Controls"]
+            DirVal["Directory Validation"]
+            PathCheck["Path Traversal Check"]
+            UrlProcess["URL Processing\nHTTPS/File Only"]
+            PermCheck["Permission Checks"]
+        end
+
+        subgraph TrustedZone["Trusted Zone"]
+            OscalDir["~/.oscal Directory\nOwner RWX Only"]
+            AllowedDirs["Allowed Directories\nvia OSCAL_SERVER_PATH"]
+            TempFiles["Temporary Files\nRestricted Access"]
+        end
+
+        subgraph Validation["Security Validation"]
+            ValidateDir["validateDirectory()"]
+            RestrictPerms["restrictDirectoryPermissions()"]
+            SymlinkCheck["Symlink Validation"]
+        end
+    end
+
+    Client -->|HTTP Requests| LocalHost
+    LocalHost -->|Validated Requests| Router
+
+    Router -->|File Operations| FileSystemControls
+
+    FileSystemControls -->|Access Check| DirVal
+    FileSystemControls -->|Traversal Prevention| PathCheck
+    FileSystemControls -->|URL Validation| UrlProcess
+    FileSystemControls -->|Permission Validation| PermCheck
+
+    DirVal -->|Validated Access| TrustedZone
+    PathCheck -->|Safe Paths| TrustedZone
+    UrlProcess -->|Safe URLs| TrustedZone
+    PermCheck -->|Verified Permissions| TrustedZone
+
+    TrustedZone <-->|Security Checks| Validation
+
+    classDef external fill:#ddd,stroke:#999,stroke-width:1px;
+    classDef boundary fill:#f9f,stroke:#333,stroke-width:2px;
+    classDef controls fill:#aef,stroke:#333,stroke-width:1px;
+    classDef trusted fill:#bfb,stroke:#333,stroke-width:1px;
+    classDef validation fill:#feb,stroke:#333,stroke-width:1px;
+
+    class External external;
+    class AuthBoundary boundary;
+    class ServerControls,FileSystemControls controls;
+    class TrustedZone trusted;
+    class Validation validation;
diff --git a/.oscal/attachments/diagrams/authorization-boundary.svg b/.oscal/attachments/diagrams/authorization-boundary.svg
diff --git a/.oscal/attachments/diagrams/network-diagram.mermaid b/.oscal/attachments/diagrams/network-diagram.mermaid
@@ -0,0 +1,40 @@
+graph TD
+    Client[Web Client]
+    Router[Router/API Gateway]
+    VertxServer[Vertx HTTP Server\nPort 8888\nLocalhost Only]
+    FileSystem[Local File System]
+    OscalCLI[OSCAL CLI]
+    HomeDir[User Home Directory]
+    TempFiles[Temporary Files]
+
+    subgraph "OSCAL Server"
+        Router --> |Route Requests| Operations
+
+        subgraph "Operations"
+            Validate[Validate]
+            Convert[Convert]
+            Resolve[Resolve Profile]
+            Query[Query/MetaPath]
+            Health[Health Check]
+        end
+
+        subgraph "Storage"
+            FileSystem --> |Read/Write| HomeDir
+            HomeDir --> |Contains| OscalDir[~/.oscal Directory]
+            FileSystem --> |Create/Delete| TempFiles
+        end
+    end
+
+    Client -->|HTTP Requests\nGET/POST| VertxServer
+    VertxServer --> |Forward| Router
+
+    Operations --> |Execute| OscalCLI
+    OscalCLI --> |Read Input| FileSystem
+    OscalCLI --> |Write Output| FileSystem
+
+    classDef secure fill:#f9f,stroke:#333,stroke-width:2px;
+    classDef restricted fill:#ff9,stroke:#333,stroke-width:2px;
+
+    class VertxServer restricted;
+    class OscalDir secure;
+    class TempFiles restricted;
diff --git a/.oscal/attachments/diagrams/network-diagram.svg b/.oscal/attachments/diagrams/network-diagram.svg
diff --git a/component.oscal.yml → .oscal/component.oscal.yaml b/component.oscal.yml → .oscal/component.oscal.yaml
@@ -1,24 +1,23 @@
 component-definition:
-  uuid: 12345678-1234-1234-1234-123456789abc
+  uuid: 2862dbd1-1d58-4caf-8b57-cb29d150d236
   metadata:
     title: OSCAL Server Component Definition
     last-modified: "2024-10-17T12:00:00Z"
     version: "1.0"
-    oscal-version: "1.0.0"
+    oscal-version: "1.1.3"
   components:
-    - uuid: 98765432-9876-9876-9876-987654321def
+    - uuid: 2862dbd1-1d58-4caf-8b57-cb29d150d234
       type: service
       title: OSCAL Server
       description: >
         A service that runs through local loopback on port 8888
-      props:
-        - name: port
-          value: "8888"
       protocols:
         - name: https
-          port-ranges:
+          uuid: 2862dbd1-1d58-4caf-8b57-cb29d150d234
+          port-ranges:            
             - start: 8888
               end: 8888
+              transport: TCP
       remarks: >
         This component definition describes the OSCAL Server, which provides
         file conversion, validation and profile resolution