Description
A HIGH security vulnerability exists across `backend/secuscan/main.py` and `backend/secuscan/routes.py`. The FastAPI application registers zero authentication or authorization middleware. Every API endpoint — including sensitive and destructive ones — is reachable by any process or browser tab that can connect to the backend port without supplying any credential.
Impact
Any attacker who can reach the backend HTTP port (e.g., another process on the machine, a browser tab on a misconfigured network, or a host with port-forwarding active) can:
- Retrieve raw decrypted vault secrets via `GET /api/v1/vault/{name}` — this endpoint calls `VaultCrypto.decrypt()` and returns the plaintext value directly.
- Permanently wipe all scan history via `DELETE /api/v1/tasks/clear`.
- Start arbitrary security scans against any target via `POST /api/v1/task/start`.
- Create and execute workflows that bypass consent checks (`consent_granted=True` is hardcoded at `routes.py:921`).
- Delete individual vault entries via `DELETE /api/v1/vault/{name}`.
Because `cors_allow_credentials: bool = True` is set in config, a malicious webpage served from a legitimately allowed origin (or via subdomain confusion) could silently make credentialed requests and exfiltrate all vault secrets in a single CSRF request.
Steps to Reproduce
- Start the backend: `./start.sh`
- From any terminal (no token required):
```bash
# Read a vault secret
curl http://127.0.0.1:8000/api/v1/vault/my-api-key

# Wipe all scan history
curl -X DELETE http://127.0.0.1:8000/api/v1/tasks/clear

# Start a scan against an arbitrary public host
curl -X POST http://127.0.0.1:8000/api/v1/task/start \
  -H "Content-Type: application/json" \
  -d '{"plugin_id":"nmap","inputs":{"target":"8.8.8.8"},"consent_granted":true}'
```
- Observed result: all requests succeed with HTTP 200. No token, session, or credential of any kind is required.
Expected Behaviour
Every state-changing and data-accessing endpoint should require a valid authentication token. At minimum, a startup-generated API key should be required as a `Bearer` token or `X-Api-Key` header on every request. The vault retrieval endpoint should never return the raw decrypted value to an unauthenticated caller.
Proposed Fix
- On first startup, generate a cryptographically random API key (32 bytes, hex-encoded) and write it to a local key file (e.g., `backend/data/.api_key`). Log it to the console once so the user can copy it.
- Add a FastAPI `HTTPBearer` dependency that validates the key on every non-health-check request.
- Return `HTTP 401` for any request missing or supplying an invalid key.
- Document the key location in `README.md` and `.env.example`.
Labels: `type:security` `level:advanced` `gssoc:approved`
Please assign this issue to me under GSSoC 2026. I will open a PR with a complete fix covering all affected files, proper test coverage, and verification steps.
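
The key handling and Bearer check described under Proposed Fix, as an added example that is not SecuScan's code or the eventual PR. It uses only the Python standard library in place of FastAPI's `HTTPBearer`; the function names and the `/api/v1/health` exempt path are assumptions, and the requests are constructed.

```python
from __future__ import annotations

import hmac
import os
import secrets
import tempfile
from pathlib import Path

# Assumption: the issue exempts health checks but does not name the path.
EXEMPT_PATHS = {"/api/v1/health"}


def load_or_create_api_key(key_file: Path) -> tuple[str, bool]:
    """Return (key, created); on first start write 32 random bytes, hex-encoded."""
    if key_file.exists():
        return key_file.read_text().strip(), False
    key = secrets.token_hex(32)
    key_file.parent.mkdir(parents=True, exist_ok=True)
    # O_EXCL refuses to overwrite an existing key; 0o600 is owner-only on POSIX.
    fd = os.open(key_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key)
    return key, True


def authorize(path: str, authorization: str | None, api_key: str) -> int:
    """Return 200 if the request may proceed, 401 if it must be rejected."""
    if path in EXEMPT_PATHS:
        return 200
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401
    # Constant-time comparison: timing does not reveal how much of the key matched.
    ok = hmac.compare_digest(token.strip().encode(), api_key.encode())
    return 200 if ok else 401


def demo() -> dict:
    """Run the check over the endpoints named in the issue (constructed requests)."""
    with tempfile.TemporaryDirectory() as tmp:
        key_file = Path(tmp) / "data" / ".api_key"
        key, created = load_or_create_api_key(key_file)
        again, created_again = load_or_create_api_key(key_file)
        return {
            "key_len": len(key),
            "stable": key == again and created and not created_again,
            "no_header": authorize("/api/v1/vault/my-api-key", None, key),
            "wrong_key": authorize("/api/v1/tasks/clear", "Bearer " + "0" * 64, key),
            "good_key": authorize("/api/v1/task/start", f"Bearer {key}", key),
            "health": authorize("/api/v1/health", None, key),
        }
```

In the FastAPI app the same comparison would sit inside a dependency applied to every router, so that no route can be registered without it.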