security-audit

[ ] Passwords hashed with Argon2id or bcrypt
[ ] Session tokens are cryptographically random
[ ] Token expiration is implemented
[ ] Authorization checks on all endpoints
[ ] No authorization bypass via direct object references

[ ] All user input is validated
[ ] File paths are canonicalized and validated
[ ] Size limits on all inputs
[ ] Content-type validation
[ ] No command injection vectors

[ ] Using audited cryptographic libraries (ring, rustcrypto)
[ ] No custom cryptographic implementations
[ ] Secure random number generation (getrandom)
[ ] Keys are properly managed
[ ] TLS 1.2+ with strong cipher suites

[ ] Sensitive data encrypted at rest
[ ] PII is protected
[ ] Secrets not logged
[ ] Secure deletion when required
[ ] Data classification enforced

[ ] No sensitive data in error messages
[ ] Errors don't reveal system internals
[ ] Failed operations don't leave partial state
[ ] Rate limiting on authentication failures

// Every unsafe block needs justification
unsafe {
    // SAFETY: `ptr` is valid because:
    // 1. It was just allocated by Vec::with_capacity
    // 2. We haven't deallocated or moved the Vec
    // 3. The index is within bounds (checked above)
    *ptr.add(index) = value;
}

// Check for:
// - Use after free
// - Double free
// - Buffer overflows
// - Data races
// - Invalid pointer arithmetic
// - Uninitialized memory access

// Validate all FFI inputs
pub extern "C" fn process_data(
    data: *const u8,
    len: usize,
) -> i32 {
    // Check for null pointer
    if data.is_null() {
        return -1;
    }

    // Validate length
    if len > MAX_ALLOWED_SIZE {
        return -2;
    }

    // Safe to create slice now
    let slice = unsafe {
        std::slice::from_raw_parts(data, len)
    };

    // Process safely
    // ...
}

// Use checked arithmetic for untrusted inputs
fn calculate_size(count: usize, item_size: usize) -> Option<usize> {
    count.checked_mul(item_size)
}

// Or use wrapping explicitly when intended
let wrapped = value.wrapping_add(1);

// Vulnerable
fn read_file(user_path: &str) -> Result<Vec<u8>> {
    let path = format!("/data/{}", user_path);
    std::fs::read(&path)
}

// Secure
fn read_file(user_path: &str) -> Result<Vec<u8>> {
    let base = Path::new("/data");
    let requested = base.join(user_path);
    let canonical = requested.canonicalize()?;

    // Ensure path is still under base
    if !canonical.starts_with(base) {
        return Err(Error::InvalidPath);
    }

    std::fs::read(&canonical)
}

// Vulnerable
fn find_user(name: &str) -> Result<User> {
    let query = format!("SELECT * FROM users WHERE name = '{}'", name);
    db.execute(&query)
}

// Secure - use parameterized queries
fn find_user(name: &str) -> Result<User> {
    db.query("SELECT * FROM users WHERE name = ?", &[name])
}

// Vulnerable - unbounded allocation
fn parse_items(count: u64) -> Vec<Item> {
    let mut items = Vec::with_capacity(count as usize);
    // ...
}

// Secure - limit allocation
const MAX_ITEMS: u64 = 10_000;

fn parse_items(count: u64) -> Result<Vec<Item>> {
    if count > MAX_ITEMS {
        return Err(Error::TooManyItems);
    }
    let mut items = Vec::with_capacity(count as usize);
    // ...
}

# Audit dependencies for known vulnerabilities
cargo audit

# Check for unsafe code
cargo geiger

# Static analysis
cargo clippy -- -W clippy::pedantic

# Fuzzing
cargo fuzz run target_name

## Security Finding

**Severity**: Critical | High | Medium | Low | Informational
**Category**: [CWE category if applicable]
**Location**: `file.rs:line`

### Description
[What the vulnerability is]

### Impact
[What an attacker could do]

### Proof of Concept
[How to reproduce or exploit]

### Remediation
[How to fix it]

### References
[Links to relevant documentation]