mirror of
https://github.com/alibaba/open-code-review.git
synced 2026-07-09 17:28:58 +00:00
Add ASSURANCE_CASE.md covering threat model, secure design principles (Saltzer & Schroeder), OWASP/CWE countermeasures, and automated verification. Switch tag command from annotated (-a) to signed (-s) to match the assurance case's integrity claims.
8.4 KiB
8.4 KiB
Security Assurance Case
This document provides a security assurance case for Open Code Review (OCR), justifying that security requirements are met through secure design principles and countermeasures against common implementation weaknesses.
Threat Model
System Description
OCR is a CLI tool that:
- Reads git diff output from a local repository.
- Sends code diffs to a configured LLM provider (OpenAI, Anthropic, etc.) via HTTPS.
- Receives review comments from the LLM and presents them to the user.
- Optionally serves a local web viewer for browsing review session history.
Actors
| Actor | Trust Level |
|---|---|
| Local user | Trusted — invokes the CLI with full control over configuration |
| LLM provider API | Semi-trusted — responses are validated before use |
| Git repository | Semi-trusted — diffs may contain adversarial content |
| Network | Untrusted — all communication uses TLS |
| Web browser (viewer) | Untrusted — may be exploited via DNS rebinding |
Trust Boundaries
┌──────────────────────────────────────────────────┐
│ User Machine (Trusted Zone) │
│ │
│ ┌──────────┐ ┌──────────┐ ┌────────────┐ │
│ │ Git Repo │───▶│ OCR CLI │───▶│ Local File │ │
│ │ (diffs) │ │ (core) │ │ (output) │ │
│ └──────────┘ └────┬─────┘ └────────────┘ │
│ Trust ────────▶│◀──────── Trust │
│ Boundary 1 │ Boundary 3 │
│ │ │
│ ┌────┴─────┐ │
│ │ Viewer │◀── Trust Boundary 4 │
│ │ (HTTP) │ (Browser access) │
│ └──────────┘ │
└───────────────────────┼───────────────────────────┘
Trust ──────▶│◀────── Boundary 2
│
┌─────────┴──────────┐
│ LLM Provider API │
│ (HTTPS only) │
└────────────────────┘
- Git → CLI: Diff content may contain crafted payloads. Parsed with strict format validation.
- CLI → LLM API: API keys transmitted over HTTPS only. Responses validated before use.
- CLI → Local output: File writes constrained to the working directory.
- Browser → Viewer: Host-header allowlist enforces access control; blocks DNS rebinding.
Threat Summary
| ID | Threat | Boundary | Mitigation |
|---|---|---|---|
| T1 | Command injection via crafted diff content | 1 | All external commands are git only, with hardcoded subcommands; no shell expansion; --end-of-options used to prevent flag injection |
| T2 | API key leakage | 2 | Keys read from environment variables only; never logged, written to output files, or transmitted beyond the configured LLM endpoint |
| T3 | Path traversal via LLM-suggested file paths | 3 | pathutil.WithinBase() validates all file paths against the repository root, both before and after symlink resolution |
| T4 | DNS rebinding against local viewer | 4 | Host-header allowlist rejects requests from non-loopback origins; configurable via OCR_VIEWER_ALLOWED_HOSTS |
| T5 | Man-in-the-middle on API communication | 2 | Go's net/http enforces TLS 1.2+ with full certificate verification by default; InsecureSkipVerify is never set |
| T6 | Malicious LLM response | 2 | JSON schema validation on response structure; line number bounds checking against actual diff ranges |
| T7 | Dependency vulnerabilities | All | govulncheck runs in CI; Dependabot monitors for updates; go.sum provides integrity verification |
Secure Design Principles
The following analysis maps Saltzer & Schroeder's design principles to the project's implementation.
| Principle | How Applied |
|---|---|
| Least privilege | CGO_ENABLED=0 eliminates C library attack surface. The CLI requires no elevated permissions. No network listeners except the opt-in viewer. |
| Fail-safe defaults | API keys must be explicitly provided via environment variables. The viewer binds to localhost by default; non-loopback hosts require explicit allowlisting. |
| Complete mediation | Every viewer HTTP request is checked against the host allowlist (internal/viewer/hostguard.go). Every file path from agent tools is validated against the repository root (internal/tool/filereader.go:98, internal/pathutil/path.go). |
| Economy of mechanism | External process execution is limited to git with hardcoded subcommands — no shell invocation, no arbitrary command execution. |
| Open design | Fully open-source (Apache-2.0). Security relies on TLS, not obscurity. |
| Separation of privilege | API authentication (keys) is separated from configuration (files). The viewer's host guard is a distinct middleware layer. |
| Least common mechanism | Each review session writes to its own JSONL file. No shared state between sessions. |
| Psychological acceptability | Security defaults (HTTPS, localhost binding, host allowlist) require no user configuration. Overrides (OCR_VIEWER_ALLOWED_HOSTS) are explicit and documented. |
Countermeasures Against Common Weaknesses
The following maps OWASP Top 10 and CWE/SANS Top 25 categories to the project.
| Weakness | Applicability | Countermeasure |
|---|---|---|
| A03:2021 Injection (CWE-78 OS Command Injection) | All exec.Command calls use git with explicit argument lists — no shell interpolation. --end-of-options prevents flag injection. |
Mitigated |
| A01:2021 Broken Access Control (CWE-22 Path Traversal) | Agent file-read tool validates paths with pathutil.WithinBase() before and after symlink resolution (internal/tool/filereader.go:91-112). |
Mitigated |
| A02:2021 Cryptographic Failures | All API communication uses HTTPS/TLS 1.2+. Go's default TLS configuration is used without weakening. InsecureSkipVerify is never set. |
Mitigated |
| A07:2021 Auth Failures (CWE-798 Hard-coded Credentials) | API keys are read exclusively from environment variables, never embedded in code or config files, never logged. | Mitigated |
| A05:2021 Security Misconfiguration | Secure defaults: localhost-only viewer, HTTPS-only API calls, CGO_ENABLED=0. The go vet and govulncheck tools run in CI. |
Mitigated |
| A06:2021 Vulnerable Components (CWE-1104) | Dependabot monitors Go modules and GitHub Actions. govulncheck runs on every push/PR. Dependencies are locked via go.sum. |
Mitigated |
| A08:2021 Software Integrity | Release binaries include SHA-256 checksums. Release tags are cryptographically signed (SSH). CGO_ENABLED=0 produces static binaries with no external shared library dependencies. |
Mitigated |
| A09:2021 Logging Failures | API keys and sensitive headers are excluded from all log output and telemetry. | Mitigated |
| A10:2021 SSRF | The CLI only makes outbound requests to user-configured LLM API endpoints. The viewer does not make outbound requests. | Not applicable |
| CWE-416 Use After Free / CWE-787 Out-of-bounds Write | Go is a memory-safe language. CGO_ENABLED=0 eliminates C memory risks. Race detector (-race) runs in CI. |
Not applicable (memory-safe language) |
Automated Verification
| Check | Tool | When |
|---|---|---|
| Static analysis | go vet |
Every push and PR (CI) |
| Known vulnerability scan | govulncheck |
Every push and PR (CI) |
| Data race detection | go test -race |
Every push and PR (CI) |
| Dependency monitoring | Dependabot | Continuous |
| Build integrity | CGO_ENABLED=0, go.sum checksums |
Every build |