Security Audit Mitigations & Hardening #313

Open

Dhara124 wants to merge 2 commits into dev-with-LLM-celery from security-fixes

Conversation

@Dhara124

Collaborator

Objective

This pull request implements critical security remediations identified during the recent adversarial audit. These changes harden the backend API against common attack vectors, including SSRF, IDOR, and unauthorized access, while aligning environments.
Files Changed & Rationale

1. Global Security & Authentication

Modified: backend/anudesh_backend/settings.py

  • Why it was needed:
    • JWT Security: Reduced ACCESS_TOKEN_LIFETIME to 15 minutes to limit the window of opportunity for stolen tokens.
    • CORS Restrictions: Removed the insecure CORS_ORIGIN_ALLOW_ALL = True configuration and established a strict CORS_ALLOWED_ORIGINS whitelist to prevent cross-origin attacks.
    • Throttling: Configured default rate limits for DRF Throttling to establish a baseline defense against automated abuse.

2. Chat & Media Functionality

Modified: backend/functions/views.py

  • Why it was needed:
    • chat_output: Added UserRateThrottle to prevent abuse and exhaustion of LLM endpoint quotas.
    • chat_log: Upgraded permissions to IsAuthenticated. Added payload size limits (1MB maximum) and schema validation to prevent Denial of Service (DoS) attacks via massive payloads.
    • upload_chat_image: Implemented deep image inspection using Pillow. Images are now verified, stripped of EXIF data, and re-encoded to neutralize hidden malware/XSS vectors. Enforced strict Content-Type and Content-Disposition: attachment headers via the Azure SDK to prevent malicious inline browser execution.

3. Workspace Access Controls

Modified: backend/workspaces/views.py

  • Why it was needed:
    • bulk_add_members_to_projects: Fixed a critical Insecure Direct Object Reference (IDOR) vulnerability. The database query now explicitly filters projects by the workspace context (project = Project.objects.get(pk=pid, workspace_id=pk)), ensuring users cannot maliciously modify projects outside their authorized workspaces.

4. Task Integrations

Modified: backend/tasks/views.py

  • Why it was needed:
    • TransliterationAPIView: Applied strict URL-encoding (urllib.parse.quote) to user-supplied parameters used in internal HTTP requests. This mitigates Server-Side Request Forgery (SSRF) and Path Traversal vulnerabilities.

How to Test

  1. CORS & Authentication Verification
    • Attempt cross-origin requests from an unauthorized domain (e.g., via Postman or a local script); verify they are blocked by CORS policies.
    • Log in and wait 15 minutes; verify that the access token expires and requires a refresh.
  2. IDOR Mitigation Test
    • Send a POST request to the bulk_add_members_to_projects endpoint using a valid project ID that belongs to a different workspace. Verify the request fails and does not expose or modify the unrelated project.
  3. File Security & Upload Validation
    • Attempt to upload malformed images or scripts (e.g., .php or .js disguised as .jpg); verify the upload is rejected by Pillow.
    • Upload a valid image with embedded EXIF data; download the resulting blob and verify the EXIF metadata has been completely stripped.
  4. SSRF & Input Validation
    • Test the TransliterationAPIView endpoint with path traversal payloads (e.g., passing ../ in the target language or data fields). Verify the payload is safely URL-encoded and does not traverse internal routing paths.
  5. Rate Limiting
    • Send rapid, concurrent requests to the chat_output endpoint to verify that DRF throttling engages and returns a 429 Too Many Requests status code.
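To make the encoding point in item 4 of the change list concrete, an added example (not code from this pull request or the project): urllib.parse.quote leaves "/" unescaped by default, so a traversal sequence survives encoding unless safe="" is passed, and an allowlist plus an origin check on the assembled URL give the defence in depth that encoding alone does not. BASE_URL, ALLOWED_LANGS, MAX_DATA_LEN and the function names are assumptions, not values from the page.

```python
from urllib.parse import quote, urlsplit

# Constructed base URL for the internal service; the real one is not on the page.
BASE_URL = "http://transliteration.internal/api/"

# Hypothetical allowlist of language codes; the project's real list is not on the page.
ALLOWED_LANGS = {"en", "hi", "bn", "ta", "te", "mr"}

MAX_DATA_LEN = 1000  # hypothetical cap on the transliteration input


def encode_param(value: str) -> str:
    """Percent-encode one path segment of user input.

    quote() defaults to safe='/', so quote('../') returns '../' unchanged and the
    segment can still climb the path. Passing safe='' encodes every reserved
    character, so the same input becomes '..%2F' and stays a single segment.
    """
    return quote(value, safe="")


def build_transliteration_url(target_lang: str, data: str) -> str:
    """Validate, encode and assemble the upstream request URL."""
    # Allowlist first: encoding cannot turn an unknown value into a valid language.
    if target_lang not in ALLOWED_LANGS:
        raise ValueError(f"unsupported target language: {target_lang!r}")
    if len(data) > MAX_DATA_LEN:
        raise ValueError("transliteration input too long")
    url = f"{BASE_URL}transliterate/{encode_param(target_lang)}/{encode_param(data)}"
    return assert_same_origin(url)


def assert_same_origin(url: str) -> str:
    """Defence in depth: the final URL must stay on the configured origin and base path."""
    base, built = urlsplit(BASE_URL), urlsplit(url)
    if (built.scheme, built.netloc) != (base.scheme, base.netloc):
        raise ValueError("upstream URL escaped the configured origin")
    if not built.path.startswith(base.path):
        raise ValueError("upstream URL escaped the configured base path")
    return url


if __name__ == "__main__":
    print(build_transliteration_url("hi", "../admin"))
    # http://transliteration.internal/api/transliterate/hi/..%2Fadmin
```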
