You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/SECURITY_MODEL.md
+10-6Lines changed: 10 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,6 @@
1
1
# Ferry Security Model 🛡️
2
2
3
-
This document explains the security principles, architectural choices, and hardening measures that make Ferry a robust tool for secure file exchange. It serves as a technical reference for auditors and security-conscious users.
3
+
This document summarizes implemented security properties, current hardening measures, and the verification practices used for Ferry. It is a technical reference for auditors and security-conscious users.
4
4
5
5
## 🏛️ Architectural Foundations
6
6
@@ -14,15 +14,15 @@ This document explains the security principles, architectural choices, and harde
14
14
15
15
### 3. ORM-First (Ent)
16
16
-**Principle:** All database interactions happen through a typed ORM.
17
-
-**Security Benefit:**Virtually eliminates SQL Injection risks by enforcing parameterized queries and typed schema definitions.
17
+
-**Security Benefit:**Reduces SQL injection risk by enforcing typed, parameterized database queries and schema-backed access patterns.
18
18
19
19
---
20
20
21
21
## 🛡️ Security Hardening
22
22
23
23
### 1. Authentication & Session Management
24
24
-**Passwords:** All passwords (user and share) are hashed using **Argon2id**, the winner of the Password Hashing Competition.
25
-
-**Sessions:**Secure cookies with `HttpOnly` and `SameSite=Lax`. Production mode strictly enforces the `Secure` flag when behind a reverse proxy.
25
+
-**Sessions:**Cookies are configured with `HttpOnly` and `SameSite=Lax`. The `Secure` flag is enabled when ferry is deployed behind a reverse proxy.
26
26
-**Rate Limiting:** Built-in protection for `/login` and `/unlock` endpoints (0.2 req/s) to prevent brute-force attacks.
27
27
28
28
### 2. Share Protection
@@ -31,13 +31,14 @@ This document explains the security principles, architectural choices, and harde
31
31
-**Session Isolation:** Guests can only delete files they uploaded within their current session, unless the admin explicitly permits otherwise.
32
32
33
33
### 3. Input Validation & Sanitization
34
-
-**Open Redirect Protection:**All `next` parameters in the login flow are sanitized to prevent malicious external redirects.
34
+
-**Open Redirect Protection:**`next` parameters in the login flow are sanitized so redirects stay local.
35
35
-**XSS Prevention:** Leverages Go's `html/template` package, which provides context-aware auto-escaping.
36
36
-**Path Traversal:** File paths are constructed using hashes and internal IDs, never directly from user-supplied filenames.
37
+
-**Configuration Injection Protection:**`ui.primary_color` is validated as a hex color code before it is accepted from configuration.
37
38
38
39
### 4. Information Leak Prevention
39
40
-**Success ID Validation:** The UI logic for showing "Upload Success" badges validates every ID against the currently active share. This prevents probing for the existence of files in other shares.
40
-
-**Minimal Error Messages:**Production mode suppresses detailed error traces to prevent information disclosure.
41
+
-**Conservative Error Handling:**User-facing errors stay concise for expected validation and permission failures; detailed operational diagnostics remain in logs and test output.
41
42
42
43
---
43
44
@@ -50,4 +51,7 @@ Ferry is built using a **Multi-AI Orchestration** approach:
50
51
-**OpenAI Codex:** Implementation, code reviews, and deep-dive debugging.
51
52
-**Human Oversight:** Kai Krakow acts as the "Conductor," defining goals, validating every phase, and performing final quality assurance.
52
53
53
-
Every release candidate undergoes a full SAST sweep and dependency scan before publication.
54
+
## 🔍 Verification
55
+
- GitHub CodeQL is enabled for the repository and is used to catch security regressions in pull requests.
56
+
- The local release checklist requires `go test ./...`, `go vet ./...`, and `go test -race ./internal/api`.
57
+
- Ad hoc audit sweeps are used during development to check for regressions such as cross-share `success_ids` leakage and configuration injection hazards.
0 commit comments