Security hardening: fix critical, high, and medium issues from audit

CRITICAL: - A-001: SQL injection in snapshot — escape single quotes in backup path - A-002: Timing attack — always verify against dummy hash when user not found, preventing username enumeration - A-003: Notebook ownership — all authenticated endpoints now verify user_id before loading notebook data - A-004: Point data bounds — decodePoints returns error on misaligned data, >4MB payloads, and NaN/Inf values HIGH: - A-005: Error messages — generic errors in HTTP responses, no err.Error() - A-006: Share link authz — RevokeShareLink verifies notebook ownership - A-007: Scan errors — return 500 instead of silently continuing MEDIUM: - A-008: Web server TLS — optional TLS support (HTTPS when configured) - A-009: Input validation — page_size, stroke count, point_data alignment checked in SyncNotebook RPC - A-010: Graceful shutdown — 30s drain on SIGINT/SIGTERM, all servers shut down properly Added AUDIT.md with all 17 findings, status, and rationale for accepted risks. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 20:16:26 -07:00
parent 51dd5a6ca3
commit ea9375b6ae
13 changed files with 478 additions and 74 deletions
--- a/internal/webserver/server.go
+++ b/internal/webserver/server.go
@@ -1,6 +1,7 @@
 package webserver

 import (
+	"crypto/tls"
 	"database/sql"
 	"fmt"
 	"html/template"
@@ -16,6 +17,8 @@ type Config struct {
 	Addr    string
 	DB      *sql.DB
 	BaseURL string
+	TLSCert string
+	TLSKey  string
 }

 type WebServer struct {
@@ -24,15 +27,15 @@ type WebServer struct {
 	tmpl    *template.Template
 }

-func Start(cfg Config) error {
+func Start(cfg Config) (*http.Server, error) {
 	templateFS, err := fs.Sub(web.Content, "templates")
 	if err != nil {
-		return fmt.Errorf("template fs: %w", err)
+		return nil, fmt.Errorf("template fs: %w", err)
 	}

 	tmpl, err := template.ParseFS(templateFS, "*.html")
 	if err != nil {
-		return fmt.Errorf("parse templates: %w", err)
+		return nil, fmt.Errorf("parse templates: %w", err)
 	}

 	ws := &WebServer{
@@ -73,6 +76,21 @@ func Start(cfg Config) error {
 		IdleTimeout:  120 * time.Second,
 	}

-	fmt.Printf("Web UI listening on %s\n", cfg.Addr)
-	return srv.ListenAndServe()
+	if cfg.TLSCert != "" && cfg.TLSKey != "" {
+		tlsCert, err := tls.LoadX509KeyPair(cfg.TLSCert, cfg.TLSKey)
+		if err != nil {
+			return nil, fmt.Errorf("load TLS cert: %w", err)
+		}
+		srv.TLSConfig = &tls.Config{
+			Certificates: []tls.Certificate{tlsCert},
+			MinVersion:   tls.VersionTLS13,
+		}
+		fmt.Printf("Web UI listening on %s (TLS)\n", cfg.Addr)
+		go func() { _ = srv.ListenAndServeTLS("", "") }()
+	} else {
+		fmt.Printf("Web UI listening on %s\n", cfg.Addr)
+		go func() { _ = srv.ListenAndServe() }()
+	}
+
+	return srv, nil
 }