# Security Tasklist - MinMax Analysis ## Overview Comprehensive security tasklist based on automated analysis of all source code modules: botserver, botui, botlib, botdevice, botapp, bottest. --- ## CRITICAL (P0) - Fix Immediately ### 1. Unsafe Command Execution **Files with direct Command::new (64 remaining):** - `botserver/src/core/bootstrap/bootstrap_utils.rs:39,53,76,99,112,126,133,161,176,211,231` - `botserver/src/core/package_manager/installer.rs:1154` - `botserver/src/botmodels/python_bridge.rs:198` - `botserver/src/auto_task/container_session.rs:27,52,117` - `botserver/src/llm/local.rs:434,530` - `botserver/src/monitoring/real_time.rs:595` **Action:** Replace ALL `Command::new` with `SafeCommand::new` ### 2. Panic Usage (4 instances) - `botserver/src/core/bot/channels/whatsapp.rs:65` - `panic!("WhatsApp queue initialization failed")` - `botserver/src/core/package_manager/installer.rs:28` - `panic!` for parsing error **Action:** Replace with proper error handling using `?` or `Result` ### 3. Unsafe Unwrap/Expect (647 instances) Major hotspots: - `botserver/src/whatsapp/mod.rs` - 30+ unwrap() on JSON serialization - `botserver/src/llm/mod.rs` - Multiple unwrap() on serialization - `botserver/src/security/jwt.rs` - Multiple expect() on token operations **Action:** Systematic replacement with `ok_or_else()`, `match`, or `if let` --- ## HIGH PRIORITY (P1) - Fix Within 1 Week ### 4. SQL Query Construction (format! with SQL) - `botserver/src/email/signatures.rs:306` - `diesel::sql_query(format!(...))` - `botserver/src/contacts/contacts_api/service.rs:251` - `format!("SELECT COUNT(*)...")` - `botserver/src/basic/keywords/db_api.rs:644` - `format!("DELETE FROM {}...")` - `botserver/src/maintenance/mod.rs:458,479` - `diesel::sql_query(format!(...))` **Action:** Use sql_guard consistently, validate all table/column names ### 5. CSP Configuration - unsafe-inline/unsafe-eval - `botserver/src/security/headers.rs` - Default CSP includes unsafe directives **Action:** Implement nonce-based CSP, remove unsafe-inline/unsafe-eval ### 6. JWT Secret Management - `botserver/src/security/jwt.rs` - Default secret fallback if not configured - Multiple `expect("Failed to generate")` in token operations **Action:** Enforce minimum secret length, fail startup if not configured --- ## MEDIUM PRIORITY (P2) - Fix Within 2 Weeks ### 7. Passkey Implementation - Incomplete - `botserver/src/security/passkey.rs` - Implementation present but incomplete - `botserver/src/security/passkey_service.rs` - Service layer incomplete **Action:** Complete passkey registration/authentication flow ### 8. RBAC - Anonymous Access - `botserver/src/main_module/server.rs` - Some routes may allow excessive anonymous access **Action:** Audit all route permissions, minimize anonymous endpoints ### 9. Path Traversal Risks - `botserver/src/security/path_guard.rs` exists but needs usage audit - File operations in `botserver/src/basic/keywords/file_ops/` **Action:** Ensure all file operations use path_guard validation ### 10. Rate Limiting Coverage - Governor-based rate limiting exists but not applied uniformly - WhatsApp-specific rate limiter at `botserver/src/core/bot/channels/whatsapp_rate_limiter.rs` **Action:** Apply consistent rate limiting to ALL API endpoints --- ## LOW PRIORITY (P3) - Fix Within 1 Month ### 11. Error Sanitization Coverage - 67 instances using `log_and_sanitize` found - Coverage good in security/rbac.rs, basic/keywords/db_api.rs - Missing in some API handlers **Action:** Ensure ALL HTTP error responses use error_sanitizer ### 12. Security Headers - `botserver/src/security/headers.rs` - Comprehensive implementation exists - Tests at lines 476-625 **Action:** Verify all responses include security headers ### 13. Audit Logging - `botserver/src/security/audit.rs` - Module exists - Need coverage verification for all security events **Action:** Audit event coverage review ### 14. Secrets Management - Vault integration via `vaultrs` exists - Ensure all secrets loaded from `/tmp/` not hardcoded **Action:** Verify secrets loading from `/tmp/vault-*` --- ## VERIFICATION COMMANDS ### Dependency Audit ```bash cargo audit cargo deny check ``` ### Code Quality ```bash cargo clippy --workspace # Target: 0 warnings ``` ### Security Tests ```bash cargo test -p botserver security ``` ### Specific Pattern Search ```bash # Find Command::new grep -r "Command::new" botserver/src --include="*.rs" | grep -v SafeCommand | grep -v "// Safe" # Find unwrap/expect grep -r "\.unwrap\(\)\|\.expect(" botserver/src --include="*.rs" | wc -l # Find format! with SQL grep -r 'format!.*SELECT\|format!.*INSERT\|format!.*UPDATE\|format!.*DELETE' botserver/src --include="*.rs" ``` --- ## SECURITY MODULES STATUS | Module | Status | Notes | |--------|--------|-------| | sql_guard | ✅ Good | Used in db_api, search, find | | command_guard | ✅ Good | SafeCommand widely adopted | | csrf | ✅ Good | Full implementation with Redis store | | error_sanitizer | ✅ Good | 67 usage instances | | jwt | ⚠️ Review | Default secret, unwrap usage | | rate_limiter | ✅ Good | Governor-based | | headers | ⚠️ Review | CSP needs hardening | | passkey | ❌ Incomplete | Needs completion | | audit | ✅ Good | Module exists | | rbac | ⚠️ Review | Anonymous access audit needed | --- ## TASK BATCH STRATEGY ### Batch 1 - Command Execution (64 files) 1. Search all `Command::new` occurrences 2. Replace with `SafeCommand::new` 3. Verify with clippy ### Batch 2 - Unwrap/Expect (647 instances) 1. Sort by file frequency 2. Fix highest-volume files first: - whatsapp/mod.rs (30+) - llm/mod.rs (15+) - security/jwt.rs (20+) 3. Use offline fix approach ### Batch 3 - SQL Queries (19 instances) 1. Verify sql_guard usage 2. Add validate_table_name calls 3. Test SQL injection resistance --- *Generated: 2026-03-11* *Analysis: Automated grep + code review* *Target: Zero critical/high security issues*