Security Audit Plan¶
This plan is the release gate for goDrive before real family data is placed behind it. The target deployment is a small private server behind HTTPS, usually on a NAS or home server.
Scope¶
Audit these surfaces:
- Go HTTP API: auth, sessions, CSRF, authorization, path handling, uploads, trash, admin routes, webhooks, preview endpoints.
- Filesystem boundary: per-user roots, symlinks, rename/move/delete/restore, archive/download behavior, watcher/reconciliation updates.
- SQLite state: migrations, session storage, upload records, file index, trash metadata, webhook secrets.
- Preview pipeline: image/video/PDF/text/Markdown rendering, external tools, cache paths, timeout behavior.
- Web UI: authenticated workflows, XSS risks, CSRF behavior, download/open flows.
- Flutter app: token storage, upload queue persistence, Android foreground service, iOS background URLSession, file picker paths.
- Deployment: Docker volumes, TLS/reverse proxy expectations, backup categories, logs.
Out of scope for the first full audit:
- Public multi-tenant hardening.
- Enterprise SSO, SCIM, audit log compliance, SIEM integration.
- Full mobile binary reverse engineering.
Threat Model¶
Primary assets:
- User files under each home root.
- Admin credentials and session tokens.
- Trash contents.
- Webhook secrets.
- SQLite database and upload temp files.
Primary attackers:
- Unauthenticated network user who can reach the HTTP service.
- Authenticated non-admin user attempting to access another user's files or admin APIs.
- Malicious file content uploaded by a legitimate user.
- Local process writing directly into watched folders.
- Compromised webhook endpoint or automation client.
Security goals:
- No path traversal or symlink escape outside a user's configured root.
- No cross-user file access.
- No unauthenticated writes.
- Cookie writes require CSRF protection; bearer clients do not rely on CSRF.
- Preview generation cannot write outside the preview cache or run unbounded.
- Upload temp files cannot overwrite arbitrary paths.
- Admin-only APIs reject non-admin users.
- Webhook signatures are verifiable and secrets are not leaked after creation.
Automated Checks¶
Run before manual testing:
make test
make test-race
make web-test
make web-check
flutter test
flutter analyze
GOCACHE=/tmp/godrive-gocache go test ./internal/store -bench BenchmarkFileIndex400k -run '^$' -count=1
Run these with a clean temp deployment:
GODRIVE_DATA_ROOT=/tmp/godrive-sec-data \
GODRIVE_APPDATA_DIR=/tmp/godrive-sec-appdata \
GODRIVE_BOOTSTRAP_ADMIN_PASSWORD=change-me \
go run ./cmd/godrive verify
Manual Security Tests¶
Authentication and sessions:
- Login succeeds with the bootstrap admin and fails with a wrong password.
- Repeated wrong logins hit the rate limit and recover after the configured window.
- Logout invalidates the session cookie.
- Expired sessions are rejected after TTL.
- A bearer token returned by login works for API calls.
- A random bearer token is rejected.
CSRF:
- Cookie-authenticated
POST,PATCH, andDELETErequests withoutX-CSRF-Tokenare rejected. - The same requests with the login CSRF token succeed.
- Bearer-authenticated writes do not require CSRF.
Authorization:
- Non-admin user cannot call
/api/admin/*. - User A cannot list, download, rename, delete, restore, or preview User B files by guessing paths.
- Admin user management cannot create users with missing username/password/home root.
Path confinement:
- Requests containing
.., encoded traversal, backslashes, null bytes, absolute paths, and repeated separators are rejected or normalized safely. - Symlinks inside a user root pointing outside the root cannot be read, downloaded, moved, previewed, or indexed.
- Rename/move cannot move a file outside the user's root.
- Restore from trash handles conflicts and does not overwrite existing files.
Uploads:
- TUS create rejects unsafe filenames and unsafe target dirs.
- PATCH with the wrong offset is rejected.
- Completed upload finalization uses conflict suffixing and never overwrites existing files.
- Orphaned
.partcleanup only removes upload temp files in the configured upload dir. - Interrupted upload records do not grant access across users.
Previews:
- Image/video/PDF preview requests reject paths outside the user root.
- Text preview has a bounded byte limit and reports truncation.
- Markdown/text rendering does not execute HTML/script.
- External preview commands time out on slow inputs.
- Preview cache clearing refuses empty or root-like preview paths.
Webhooks:
- Webhook create/list/delete/test are admin-only.
- Secret is returned only when created.
- Delivery includes
X-GoDrive-Signature. - A receiver can verify the HMAC over the raw body.
- Failing endpoints do not block file operations.
Deployment:
GODRIVE_COOKIE_SECURE=trueis used behind HTTPS.- Data, appdata, trash, uploads, and previews are mounted as separate documented volumes.
- Logs do not include passwords, bearer tokens, session IDs, CSRF tokens, or webhook secrets.
- Docker container runs with only required mounted directories.
Findings Format¶
Record each finding with:
- Title.
- Severity: critical, high, medium, low.
- Affected component and file path.
- Preconditions.
- Reproduction steps.
- Impact.
- Recommended fix.
- Verification after fix.
Release Decision¶
Do not deploy real data if any critical or high finding remains open. Medium findings need an explicit accept/fix decision. Low findings can be tracked if the deployment is private and the risk is understood.