Security hardening pass: credential hygiene, identifier sinks, secure RNG#92
Project-wide scan of the high-risk surfaces (network clients, importers, local
databases, auth, operator tooling, Firestore rules) with six fixes. No
behaviour change for well-formed inputs; educational boundary untouched.
F1 app_state.dart — record ids now come from a static Random.secure()
(fallback to seeded Random only where no entropy source exists) instead of
a per-call non-cryptographic Random().
F2 fdc_p0_importer.dart — the FDC API key moves from the URL query string to
the X-Api-Key header (supported by api.data.gov/FDC), so it can no longer
leak through URLs in error messages, logs, or cache-metadata keys.
F3 source_fetch_client.dart — fetch error messages (non-HTTPS rejection, HTTP
status failures, byte-limit failures) now echo only scheme://host/path,
never the query string, as defense in depth for any credentialed URL.
F4 dailymed_p0_importer.dart / health_canada_dpd_p0_importer.dart — upstream-
derived values (SPL set ids, DPD drug codes) are URI-encoded before being
interpolated into request paths/queries, so malformed values cannot reshape
the request.
F5 cdss_database*.dart — CDSS table identifiers are validated against a strict
snake_case pattern (`requireValidCdssTableName`) before reaching dynamic
identifier sinks that cannot use parameter binding: SQL table names
(native), Firestore path segments (users/{uid}/cdss_tables/{table}/rows),
and web storage keys.
F6 cdss_database_firestore.dart — a staging row without any identifier key now
fails loudly instead of upserting every such row into one shared "null"
document (silent data loss).
Audited and found already sound (no change): HTTPS-only/no-redirect/byte-capped
fetch client streaming; Local AI adapter localhost-only endpoint enforcement
with redirects disabled; Firestore rules deny-all fallback + owner scoping +
safeId; operator token files written 0600 under build/; tool spawn calls use
fixed argv arrays; SQL rows use ? parameter binding; no credential logging.
New test/security_hardening_test.dart pins the table-name guard, the
query-string redaction (three error paths), and the X-Api-Key behaviour.
Gates: dart format clean, flutter analyze clean, flutter test 751 passed,
public:preflight 0 BLOCKER, privacy:preflight 0 blocker, git diff --check
clean. Synthetic fixtures only; no real credentials.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
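Added example, not code from this PR or from the project: a guard in the shape of `requireValidCdssTableName` placed in front of the three dynamic identifier sinks the commit message names (SQL DDL, the `users/{uid}/cdss_tables/{table}/rows` Firestore path, a web storage key), plus a process-wide `Random.secure()` id generator with the seeded fallback from F1. Only `requireValidCdssTableName` and the Firestore path pattern come from the page; the pattern's exact length cap, the sink helper names and the sample inputs are assumptions.

```dart
import 'dart:math';

/// Strict snake_case: a lowercase letter, then lowercase letters, digits or
/// underscores. Length cap of 63 is an assumption chosen to fit common
/// identifier limits; the project's actual pattern is not shown on the page.
final RegExp _cdssTableName = RegExp(r'^[a-z][a-z0-9_]{0,62}$');

bool isValidCdssTableName(String name) => _cdssTableName.hasMatch(name);

/// Guard for identifier sinks that cannot use `?` parameter binding.
/// Returns the name unchanged so callers can bind it at the top of a method.
String requireValidCdssTableName(String name) {
  if (!isValidCdssTableName(name)) {
    throw ArgumentError.value(
        name, 'name', 'CDSS table name must be strict snake_case');
  }
  return name;
}

/// Sink 1 (native): SQL table name interpolated into DDL.
String createTableSql(String table) {
  final t = requireValidCdssTableName(table);
  return 'CREATE TABLE IF NOT EXISTS $t '
      '(id TEXT PRIMARY KEY, payload TEXT NOT NULL)';
}

/// Sink 2 (Firestore): path segment. `uid` is assumed to come from the
/// authenticated session, not from user input.
String firestoreRowsPath(String uid, String table) {
  final t = requireValidCdssTableName(table);
  return 'users/$uid/cdss_tables/$t/rows';
}

/// Sink 3 (web): storage key namespace.
String webStorageKey(String table) {
  final t = requireValidCdssTableName(table);
  return 'cdss_tables/$t';
}

/// One static generator for the whole process. Random.secure() throws
/// UnsupportedError where the platform has no entropy source; only then
/// fall back to a seeded (non-cryptographic) Random.
final Random _idRng = _makeIdRng();

Random _makeIdRng() {
  try {
    return Random.secure();
  } on UnsupportedError {
    return Random(DateTime.now().microsecondsSinceEpoch);
  }
}

/// 22 characters from a 36-symbol alphabet; id length is an assumption.
String newRecordId() {
  const alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
  final buf = StringBuffer();
  for (var i = 0; i < 22; i++) {
    buf.write(alphabet[_idRng.nextInt(alphabet.length)]);
  }
  return buf.toString();
}

void main() {
  // Constructed sample inputs: one valid name and three that must be rejected.
  for (final name in [
    'drug_interactions',
    'Drug-Interactions',
    'rows; --',
    'drugs/../other',
  ]) {
    print('$name -> ${isValidCdssTableName(name)}');
  }
  print(createTableSql('drug_interactions'));
  print(firestoreRowsPath('uid_from_auth', 'drug_interactions'));
  print(webStorageKey('drug_interactions'));
  print(newRecordId());
}
```

The guard returns the validated name rather than `void` so that each sink method binds `final t = requireValidCdssTableName(table);` on its first line and never touches the raw argument afterwards; a name that fails the pattern throws before any SQL, path or key string is assembled.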
Summary
Project-wide bug/security scan of the high-risk surfaces — network clients,
importers, local/Firestore/web databases, auth services, operator tooling, and
Firestore rules — with six fixes applied. No behaviour change for
well-formed inputs; the educational safety boundary is untouched.
Fixes
- `lib/core/state/app_state.dart`: record ids from `Random()` → `Random.secure()` (seeded fallback only where no entropy source exists)
- `lib/data/datasources/remote/fdc_p0_importer.dart`: API key moved to the `X-Api-Key` header (supported by api.data.gov/FDC); URL carries no query
- `lib/data/datasources/remote/source_fetch_client.dart`: fetch error messages echo `scheme://host/path` only
- `dailymed_p0_importer.dart`, `health_canada_dpd_p0_importer.dart`: upstream-derived values pass through `Uri.encodeComponent`/`Uri.encodeQueryComponent` before interpolation
- `lib/core/db/cdss_database*.dart`: table names reach dynamic identifier sinks (SQL table names, Firestore path segments `users/{uid}/cdss_tables/{table}/rows`, web storage keys); `requireValidCdssTableName` guard (strict snake_case) enforced in all three implementations
- `lib/core/db/cdss_database_firestore.dart`: a staging row with no identifier key was upserted into a shared `"null"` document — every such row silently overwrote the previous one (data loss); now throws `StateError`
Audited and found already sound (no change needed)
- `HttpSourceFetchClient`: HTTPS-only, redirects disabled, userInfo rejected, streaming byte cap enforced even without Content-Length.
- Firestore rules: `safeId` pattern on ids, admin/importer claims gating.
- Operator token files: `0600` under `build/`; no token values logged.
- Tool spawning: `spawnSync` only with fixed argv arrays (no shell interpolation).
- SQL: `?` parameter binding throughout.
Tests
New
- `test/security_hardening_test.dart` (6 cases) pins: the table-name guard, query-string redaction (three error paths), and the `X-Api-Key` header (captured request asserted).
Validation (all run, all green)
- `dart format --set-exit-if-changed .` clean; `flutter analyze` no issues
- `flutter test --concurrency=1` → 751 passed
- `npm run public:preflight` → 0 BLOCKER; `npm run privacy:preflight` → 0 blocker
- `git diff --check` clean
Educational prototype only; synthetic fixtures; no real credentials, PHI, or
medical-meaning changes.
🤖 Generated with Claude Code
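Added example, not code from this PR or the project, covering the three fetch-side fixes above (F2, F3, F4) in one place: the API key travels in the `X-Api-Key` header rather than the query string; upstream-derived values are passed through `Uri.encodeComponent` (path) and `Uri.encodeQueryComponent` (query) before interpolation; and all three fetch error paths (non-HTTPS rejection, HTTP status failure, byte-limit failure) echo only `scheme://host/path`. The header name and the two `Uri` encoders are from the page; the hosts, paths, `FetchRequest`/`FetchRejected` types and function names are placeholders and not the project's `HttpSourceFetchClient`.

```dart
class FetchRequest {
  FetchRequest(this.uri, this.headers);
  final Uri uri;
  final Map<String, String> headers;
}

class FetchRejected implements Exception {
  FetchRejected(this.message);
  final String message;
  @override
  String toString() => 'FetchRejected: $message';
}

/// Only scheme://host[:port]/path survives. userInfo, query and fragment are
/// rebuilt away so a credentialed URL cannot leak through an error message.
String redactUrl(Uri uri) => Uri(
      scheme: uri.scheme,
      host: uri.host,
      port: uri.hasPort ? uri.port : null,
      path: uri.path,
    ).toString();

/// F2 shape: the key is a header; the URL carries only non-secret parameters.
/// Host and path are placeholders.
FetchRequest fdcFoodsListRequest(
    {required String apiKey, required int pageSize}) {
  final uri =
      Uri.https('fdc.example.com', '/v1/foods/list', {'pageSize': '$pageSize'});
  return FetchRequest(uri, {'X-Api-Key': apiKey, 'Accept': 'application/json'});
}

/// F4 shape: an upstream-derived SPL set id is encoded before it lands in a
/// path segment, so a value like "abc/../other" stays a single segment.
Uri dailyMedSplUri(String setId) => Uri.parse(
    'https://dailymed.example.com/services/v2/spls/'
    '${Uri.encodeComponent(setId)}.json');

/// Same for a DPD drug code that lands in the query string: "&" and "="
/// inside the value cannot add or rewrite parameters.
Uri dpdDrugProductUri(String drugCode) => Uri.parse(
    'https://dpd.example.com/api/drugproduct/'
    '?id=${Uri.encodeQueryComponent(drugCode)}');

/// F3 shape: every error path formats the URL through redactUrl.
void requireHttps(Uri uri) {
  if (uri.scheme != 'https') {
    throw FetchRejected('refusing non-HTTPS URL ${redactUrl(uri)}');
  }
}

FetchRejected httpStatusFailure(Uri uri, int status) =>
    FetchRejected('GET ${redactUrl(uri)} returned HTTP $status');

FetchRejected byteLimitFailure(Uri uri, int limitBytes) =>
    FetchRejected('GET ${redactUrl(uri)} exceeded $limitBytes bytes');

void main() {
  // Constructed legacy-style URL with the key in the query string: even if
  // such a URL reaches an error path, the redactor drops it.
  final legacy = Uri.parse(
      'https://fdc.example.com/v1/foods/list?api_key=PLACEHOLDER_KEY&pageSize=50');
  print(httpStatusFailure(legacy, 403).message);
  print(byteLimitFailure(legacy, 8 * 1024 * 1024).message);

  final req = fdcFoodsListRequest(apiKey: 'PLACEHOLDER_KEY', pageSize: 50);
  print('${req.uri}  header names=${req.headers.keys.toList()}');

  print(dailyMedSplUri('abc/../other'));
  print(dpdDrugProductUri('123&id=999'));

  try {
    requireHttps(Uri.parse('http://dpd.example.com/api/drugproduct/?id=1'));
  } on FetchRejected catch (e) {
    print(e);
  }
}
```

`redactUrl` rebuilds the URI from its scheme, host, port and path components rather than string-stripping at `?`, which also removes any `user:pass@` userInfo and a `#fragment`; that is the defense-in-depth property the F3 note describes, and it holds regardless of where a caller put a credential.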