jfraeysd/fetch_ml
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
286 commits 1 branch 0 tags 38 MiB
Commit graph

7 commits

Author SHA1 Message Date
Jeremie Fraeys
8f9bcef754
test(phase-3): prerequisite security and reproducibility tests 
Implement 4 prerequisite test requirements:

- TestConfigIntegrityVerification: Config signing, tamper detection, hash stability
- TestManifestFilenameNonce: Cryptographic nonce generation and filename patterns
- TestGPUDetectionAudit: Structured logging of GPU detection at startup
- TestResourceEnvVarParsing: Resource env var parsing and override behavior

Also update manifest run_manifest.go:
- Add nonce-based filename support to WriteToDir
- Add nonce-based file detection to LoadFromDir
 2026-02-23 20:25:26 -05:00
Jeremie Fraeys
f71352202e
test(phase-1-2): naming alignment and partial test completion 
Rename and enhance existing tests to align with coverage map:
- TestGPUDetectorAMDVendorAlias -> TestAMDAliasManifestRecord
- TestScanArtifacts_SkipsKnownPathsAndLogs -> TestScanExclusionsRecorded
- Add env var expansion verification to TestHIPAAValidation_InlineCredentials
- Record exclusions in manifest.Artifacts for audit trail
 2026-02-23 20:25:07 -05:00
Jeremie Fraeys
b33c6c4878
test(security): Add PHI denylist tests to secrets validation 
Add comprehensive PHI detection tests:
- patient_id rejection
- ssn rejection
- medical_record_number rejection
- diagnosis_code rejection
- Mixed secrets with PHI rejection
- Normal secrets acceptance (HF_TOKEN, WANDB_API_KEY, etc.)

Ensures AllowedSecrets PHI denylist validation works correctly
across all PHI pattern variations.

Part of: PHI denylist validation from security plan
 2026-02-23 19:44:33 -05:00
Jeremie Fraeys
17d5c75e33
fix(security): Path validation improvements for symlink resolution 
Fix ValidatePath to correctly resolve symlinks and handle edge cases:
- Resolve symlinks before boundary check to prevent traversal
- Handle macOS /private prefix correctly
- Add fallback for non-existent paths (parent directory resolution)
- Double boundary checks: before AND after symlink resolution
- Prevent race conditions between check and use

Update path traversal tests:
- Correct test expectations for "..." (three dots is valid filename, not traversal)
- Add tests for symlink escape attempts
- Add unicode attack tests
- Add deeply nested traversal tests

Security impact: Prevents path traversal via symlink following in artifact
scanning and other file operations.
 2026-02-23 19:44:16 -05:00
Jeremie Fraeys
58c1a5fa58
feat(audit): Tamper-evident audit chain verification system 
Add ChainVerifier for cryptographic audit log verification:
- VerifyLogFile(): Validates entire audit chain integrity
- Detects tampering at specific event index (FirstTampered)
- Returns chain root hash for external verification
- GetChainRootHash(): Standalone hash computation
- VerifyAndAlert(): Boolean tampering detection with logging

Add audit-verifier CLI tool:
- Standalone binary for audit chain verification
- Takes log path argument and reports tampering

Update audit logger for chain integrity:
- Each event includes sequence number and hash chain
- SHA-256 linking: hash_n = SHA-256(prev_hash || event_n)
- Tamper detection through hash chain validation

Add comprehensive test coverage:
- Empty log handling
- Valid chain verification
- Tampering detection with modification
- Root hash consistency
- Alert mechanism tests

Part of: V.7 audit verification from security plan
 2026-02-23 19:43:50 -05:00
Jeremie Fraeys
a8180f1f26
feat(security): HIPAA compliance mode and PHI denylist validation 
Add compliance_mode field to Config with strict HIPAA validation:
- Requires SnapshotStore.Secure=true in HIPAA mode
- Requires NetworkMode="none" for tenant isolation
- Requires non-empty SeccompProfile
- Requires NoNewPrivileges=true
- Enforces credentials via environment variables only (no inline YAML)

Add PHI denylist validation for AllowedSecrets:
- Blocks secrets matching patterns: patient, ssn, mrn, medical_record,
  diagnosis, dob, birth, mrn_number, patient_id, patient_name
- Prevents accidental PHI exfiltration via secret channels

Add comprehensive test coverage in hipaa_validation_test.go:
- Network mode enforcement tests
- NoNewPrivileges requirement tests
- Seccomp profile validation tests
- Inline credential rejection tests
- PHI denylist validation tests

Closes: compliance_mode, PHI denylist items from security plan
 2026-02-23 19:43:19 -05:00
Jeremie Fraeys
fccced6bb3
test(security): add comprehensive security unit tests 
Adds 13 security tests across 4 files for hardening verification:

**Path Traversal Tests (path_traversal_test.go):**
- TestSecurePathValidator_ValidRelativePath
- TestSecurePathValidator_PathTraversalBlocked
- TestSecurePathValidator_SymlinkEscape
- Tests symlink resolution and path boundary enforcement

**File Type Validation Tests (filetype_test.go):**
- TestValidateFileType_AllowedTypes
- TestValidateFileType_DangerousTypesBlocked
- TestValidateModelFile
- Tests magic bytes validation and dangerous extension blocking

**Secrets Management Tests (secrets_test.go):**
- TestExpandSecrets_BasicExpansion
- TestExpandSecrets_NestedAndMissingVars
- TestValidateNoPlaintextSecrets_HeuristicDetection
- Tests env variable expansion and plaintext secret detection with entropy

**Audit Logging Tests (audit_test.go):**
- TestAuditLogger_ChainIntegrity
- TestAuditLogger_VerifyChain
- TestAuditLogger_LogFileAccess
- TestAuditLogger_Disabled
- Tests tamper-evident chain hashing and file access logging
 2026-02-23 18:00:45 -05:00