Why

Code review round 59 identified 18 issues across security, correctness, and performance categories requiring comprehensive fixes.

What

Apply security and correctness fixes:

MUST-FIX (Security Critical)

1. JWT expiration check missing - Add claims.ExpiresAt.Time.Before(time.Now()) check in pkg/web/auth.go:parseJWT()
2. Plaintext password storage - Validate passwords are bcrypt hashed in pkg/store/database/user.go
3. SQL injection - Use parameterized queries in pkg/store/database/repo.go instead of string concatenation
4. User deletion race condition - Move repo deletion inside transaction in pkg/backend/user.go or use CASCADE
5. Connection pool exhaustion - Set connection limits in pkg/db/db.go:Open()
6. Path traversal - Sanitize repo names to prevent ../ in pkg/utils/utils.go:SanitizeRepo()
7. Certificate injection - Validate public key fingerprints in pkg/ssh/middleware.go

SHOULD-FIX (Security Moderate)

8. Timing attack mitigation - Use constant-time comparison for all auth checks
9. Weak token entropy - Increase JWT token entropy to 32 bytes (256 bits)
10. SQLite pragma injection - Validate data source before DSN concatenation in pkg/config/config.go
11. TLS certificate validation - Verify certificate validity in pkg/web/http.go:Serve()
12. Password field validation - Check passwords are bcrypt hashed before storage in pkg/db/models/user.go

NIT (Style/Minor)

13. Incomplete error handling - Remove misleading comments in pkg/config/config.go
14. Environment sanitization - Validate environment variable values in pkg/ssh/middleware.go
15. Username uniqueness check - Optimize duplicate key validation in pkg/store/database/user.go
16. Redundant normalization - Remove duplicate lowercase normalization in pkg/backend/user.go
17. Inconsistent validation - Harmonize character rules between ValidateUsername() and ValidateRepo()
18. Authorization header split - Validate second part exists in pkg/web/auth.go:parseAuthHdr()

Where

• pkg/web/auth.go - JWT parsing and validation
• pkg/store/database/user.go - User password storage
• pkg/store/database/repo.go - Repository operations
• pkg/backend/user.go - User management
• pkg/db/db.go - Database connection management
• pkg/utils/utils.go - Input sanitization
• pkg/ssh/middleware.go - SSH authentication
• pkg/config/config.go - Configuration handling
• pkg/web/http.go - HTTP serving
• pkg/db/models/user.go - User model validation

Plan

1. Add JWT expiration check after token validation
2. Validate password hashing before storage
3. Implement parameterized queries for repo name lookups
4. Move repo deletion into database transaction
5. Add connection pool configuration
6. Enhance path sanitization to prevent directory traversal
7. Validate SSH certificate fingerprints
8. Implement constant-time password comparisons
9. Increase JWT token entropy
10. Validate SQLite DSN before concatenation
11. Add TLS certificate chain validation
12. Add password field validation in model layer

Security Impact

Critical: Multiple security vulnerabilities requiring immediate attention:

• Plaintext password storage could lead to credential exposure
• SQL injection vulnerabilities
• Path traversal allowing arbitrary file access
• Certificate injection allowing unauthorized SSH access
• Connection pool exhaustion (DoS vulnerability)

Recommendation: Treat as CRITICAL security issue requiring immediate remediation.

Notes

Round 59 found 18 issues total: 7 MUST-FIX, 6 SHOULD-FIX, 5 NIT. This is a comprehensive security remediation requiring careful implementation and testing.