Skip to content

v2.1.0 — Security Hardening & Production Readiness

Latest
Latest

Choose a tag to compare

View all tags
@gl0bal01 gl0bal01 released this 19 Mar 13:24
v2.1.0
bfb9849

What's New

Security Hardening

  • Command injection eliminated — All exec() calls replaced with spawn(shell:false) via utils/process.js. Child processes receive minimal environment (no API keys or tokens leaked)
  • SSRF protection — Connect-time IP validation via custom HTTP agents prevents DNS rebinding. IPv4-mapped IPv6 bypass patched. Redirect targets re-validated on each hop
  • XSS prevention — HTML reports (ghunt, nike) escape all user input via escapeHtml()
  • Input validation hardened — Strips shell metacharacters, newlines, null bytes, fullwidth Unicode bypass characters
  • Zero error.message leaks — All user-facing errors are generic; details logged server-side only

Access Control

  • Permission system — Sensitive commands (nuclei, sherlock, ghunt, etc.) require ManageGuild permission. Configurable via OSINT_ALLOWED_ROLES
  • Rate limiting — Per-user cooldowns (3s/10s/30s by command category) + configurable daily limits
  • Guild whitelistALLOWED_GUILD_IDS restricts the bot to authorized servers. Auto-leaves unauthorized guilds on startup and when invited

Infrastructure

  • Docker — Multi-stage Dockerfile with oven/bun:1-slim, non-root user, health check
  • docker-compose.ymlno-new-privileges, cap_drop: ALL, read-only filesystem, tmpfs mounts, memory/PID limits
  • CI/CD — GitHub Actions with test matrix (Node 20/22), eslint, npm audit, Trivy image scanning. All actions SHA-pinned
  • bun — Switched package manager from npm to bun

Code Quality

  • 45 tests (vitest) covering validation, SSRF, process execution, rate limiting
  • 0 lint errors (eslint v10 flat config)
  • 0 npm audit vulnerabilities (undici overridden to 6.24.1)
  • 8 shared utility modules — process, ssrf, permissions, ratelimit, validation, config, temp, chunks
  • Deduplicated imports, removed unused dependencies (playwright, node-fetch, @discordjs/builders)

Documentation

  • SECURITY.md — Vulnerability disclosure policy + architecture docs
  • CONTRIBUTING.md — Development guidelines + code standards
  • .env.example — All environment variables documented
  • README.md — Updated with Docker deployment, security features, bun commands

Breaking Changes

  • Node.js >=20.0.0 required (vitest v4 and jsdom v29 need Node 20+)
  • Login monitoring removed from /bob-monitor (plaintext credential exposure)
  • Sensitive commands now require ManageGuild permission by default
Assets 2
Loading