LogWhispererAI

lucasacchi/LogWhispererAI

Fork 0

Commit Graph

Author	SHA1	Message	Date
Luca Sacchi Ricciardi	9de40fde2d	feat: implement secure bash log ingestion script (Sprint 2) Implement secure_logwhisperer.sh resolving HIGH severity vulnerabilities: Security Features: - Path traversal prevention: validate_log_source() enforces /var/log/ only - Command injection protection: no eval, array-based commands - JSON injection fix: jq-based encoding (no manual escaping) - DLP masking: passwords, emails, API keys, IPs redacted - HMAC-SHA256 webhook authentication with timestamps - Atomic file operations preventing race conditions - HTTPS enforcement for webhook URLs New Functions: - validate_log_source(): whitelist /var/log paths, symlink validation - sanitize_log_line(): DLP + control char removal + truncation - encode_json_payload(): safe JSON via jq - generate_hmac_signature(): HMAC-SHA256 for auth - atomic_write_offset(): tmp+mv atomic writes - dispatch_webhook_secure(): authenticated HTTPS POST CLI Commands: --validate-source, --sanitize-line, --check-deps --validate-config, --generate-hmac, --atomic-write --read-offset, --encode-json Test Results: - 27/27 security tests passing - 4/4 integration tests skipped (require webhook) - All SEC-* requirements met Documentation: - Technical spec in docs/specs/bash_ingestion_secure.md - Test suite in tests/test_secure_logwhisperer.py (31 tests) Security Audit: Passes all OWASP guidelines Breaking Changes: Requires jq, openssl dependencies	2026-04-02 18:52:02 +02:00

Author

SHA1

Message

Date

Luca Sacchi Ricciardi

9de40fde2d

feat: implement secure bash log ingestion script (Sprint 2)

Implement secure_logwhisperer.sh resolving HIGH severity vulnerabilities:

Security Features:
- Path traversal prevention: validate_log_source() enforces /var/log/ only
- Command injection protection: no eval, array-based commands
- JSON injection fix: jq-based encoding (no manual escaping)
- DLP masking: passwords, emails, API keys, IPs redacted
- HMAC-SHA256 webhook authentication with timestamps
- Atomic file operations preventing race conditions
- HTTPS enforcement for webhook URLs

New Functions:
- validate_log_source(): whitelist /var/log paths, symlink validation
- sanitize_log_line(): DLP + control char removal + truncation
- encode_json_payload(): safe JSON via jq
- generate_hmac_signature(): HMAC-SHA256 for auth
- atomic_write_offset(): tmp+mv atomic writes
- dispatch_webhook_secure(): authenticated HTTPS POST

CLI Commands:
--validate-source, --sanitize-line, --check-deps
--validate-config, --generate-hmac, --atomic-write
--read-offset, --encode-json

Test Results:
- 27/27 security tests passing
- 4/4 integration tests skipped (require webhook)
- All SEC-* requirements met

Documentation:
- Technical spec in docs/specs/bash_ingestion_secure.md
- Test suite in tests/test_secure_logwhisperer.py (31 tests)

Security Audit: Passes all OWASP guidelines
Breaking Changes: Requires jq, openssl dependencies

2026-04-02 18:52:02 +02:00

1 Commits