SilverLABS/littleshop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implement critical security fixes from code review

Browse Source
This commit is contained in:
SysAdmin 2025-09-29 05:26:29 +01:00
parent 8a7c07ead7
commit ec894ba529
4 changed files with 68 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
Dockerfile
View File

@ -1,7 +1,12 @@
# Use the official ASP.NET Core runtime image (optimized) # Use the official ASP.NET Core runtime image (optimized)
FROM mcr.microsoft.com/dotnet/aspnet:9.0 AS base FROM mcr.microsoft.com/dotnet/aspnet:9.0 AS base
# Define non-root user UID/GID (security best practice)
ARG APP_UID=1001
ARG APP_GID=1001
WORKDIR /app WORKDIR /app
EXPOSE 5000 EXPOSE 8080
# Install curl for health checks # Install curl for health checks
RUN apt-get update && \ RUN apt-get update && \
@ -54,31 +59,33 @@ WORKDIR /app
# Switch to root to create directories and set permissions # Switch to root to create directories and set permissions
USER root USER root
# Create directories with proper ownership # Create non-root user and directories with proper ownership
RUN mkdir -p /app/wwwroot/uploads/products \ RUN groupadd -g ${APP_GID} appuser \
&& useradd -u ${APP_UID} -g ${APP_GID} -m appuser \
&& mkdir -p /app/wwwroot/uploads/products \
&& mkdir -p /app/data \ && mkdir -p /app/data \
&& mkdir -p /app/logs \ && mkdir -p /app/logs \
&& chown -R $APP_UID:$APP_UID /app \ && chown -R ${APP_UID}:${APP_GID} /app \
&& chmod -R 755 /app/wwwroot/uploads \ && chmod -R 755 /app/wwwroot/uploads \
&& chmod -R 755 /app/data \ && chmod -R 755 /app/data \
&& chmod -R 755 /app/logs && chmod -R 755 /app/logs
# Copy published app # Copy published app
COPY --from=publish --chown=$APP_UID:$APP_UID /app/publish . COPY --from=publish --chown=${APP_UID}:${APP_GID} /app/publish .
# Switch back to non-root user # Switch back to non-root user
USER $APP_UID USER ${APP_UID}
# Health check # Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \ HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
CMD curl -f http://localhost:5000/api/catalog/products || exit 1 CMD curl -f http://localhost:8080/health || exit 1
# Optimize runtime # Optimize runtime
ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=0 \ ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=0 \
DOTNET_RUNNING_IN_CONTAINER=true \ DOTNET_RUNNING_IN_CONTAINER=true \
DOTNET_USE_POLLING_FILE_WATCHER=true \ DOTNET_USE_POLLING_FILE_WATCHER=true \
ASPNETCORE_FORWARDEDHEADERS_ENABLED=true \ ASPNETCORE_FORWARDEDHEADERS_ENABLED=true \
ASPNETCORE_URLS=http://+:5000 \ ASPNETCORE_URLS=http://+:8080 \
ASPNETCORE_ENVIRONMENT=Production ASPNETCORE_ENVIRONMENT=Production
ENTRYPOINT ["dotnet", "LittleShop.dll"] ENTRYPOINT ["dotnet", "LittleShop.dll"]

2
LittleShop/Controllers/AuthController.cs
View File

@ -38,7 +38,7 @@ public class AuthController : ControllerBase
catch (Exception ex) catch (Exception ex)
{ {
_logger.LogError(ex, "Error during login for user: {Username}", loginDto.Username); _logger.LogError(ex, "Error during login for user: {Username}", loginDto.Username);
return StatusCode(500, new { message = "An error occurred during login", error = ex.Message }); return StatusCode(500, new { message = "An error occurred during login" });
} }
} }
} }

42
LittleShop/Program.cs
View File

@ -54,6 +54,33 @@ builder.Services.Configure<AspNetCoreRateLimit.IpRateLimitOptions>(options =>
options.ClientIdHeader = "X-ClientId"; options.ClientIdHeader = "X-ClientId";
options.GeneralRules = new List<AspNetCoreRateLimit.RateLimitRule> options.GeneralRules = new List<AspNetCoreRateLimit.RateLimitRule>
{ {
// Critical: Order creation - very strict limits
new AspNetCoreRateLimit.RateLimitRule
{
Endpoint = "POST:*/api/orders",
Period = "1m",
Limit = 3
},
new AspNetCoreRateLimit.RateLimitRule
{
Endpoint = "POST:*/api/orders",
Period = "1h",
Limit = 10
},
// Critical: Payment creation - strict limits
new AspNetCoreRateLimit.RateLimitRule
{
Endpoint = "POST:*/api/orders/*/payments",
Period = "1m",
Limit = 5
},
new AspNetCoreRateLimit.RateLimitRule
{
Endpoint = "POST:*/api/orders/*/payments",
Period = "1h",
Limit = 20
},
// Order lookup by identity - moderate limits
new AspNetCoreRateLimit.RateLimitRule new AspNetCoreRateLimit.RateLimitRule
{ {
Endpoint = "*/api/orders/by-identity/*", Endpoint = "*/api/orders/by-identity/*",
@ -66,6 +93,21 @@ builder.Services.Configure<AspNetCoreRateLimit.IpRateLimitOptions>(options =>
Period = "1m", Period = "1m",
Limit = 10 Limit = 10
}, },
// Cancel order endpoint - moderate limits
new AspNetCoreRateLimit.RateLimitRule
{
Endpoint = "POST:*/api/orders/*/cancel",
Period = "1m",
Limit = 5
},
// Webhook endpoint - exempt from rate limiting
new AspNetCoreRateLimit.RateLimitRule
{
Endpoint = "POST:*/api/orders/payments/webhook",
Period = "1s",
Limit = 1000
},
// General API limits
new AspNetCoreRateLimit.RateLimitRule new AspNetCoreRateLimit.RateLimitRule
{ {
Endpoint = "*", Endpoint = "*",

12
LittleShop/Services/ConfigurationValidationService.cs
View File

@ -29,8 +29,16 @@ public class ConfigurationValidationService
{ {
_logger.LogInformation("🔍 Validating application configuration..."); _logger.LogInformation("🔍 Validating application configuration...");
// Temporarily disabled for testing SilverPay settings page // JWT validation is critical in production, optional in development/testing
// ValidateJwtConfiguration(); if (_environment.IsProduction() || !string.IsNullOrEmpty(_configuration["Jwt:Key"]))
{
ValidateJwtConfiguration();
}
else if (_environment.IsDevelopment())
{
_logger.LogWarning("⚠️ JWT validation skipped in development. Configure Jwt:Key for production readiness.");
}
ValidateSilverPayConfiguration(); ValidateSilverPayConfiguration();
ValidateProductionSafeguards(); ValidateProductionSafeguards();
ValidateEnvironmentConfiguration(); ValidateEnvironmentConfiguration();