Skip to content

Security: Hydepwns/raxol

Security

docs/security.md

Security Guide

Documentation > Security

Enterprise-grade security features for terminal applications.

Quick Start

# Enable security features
config :raxol, :security,
  input_validation: :strict,
  sandbox_mode: true,
  audit_logging: true,
  encryption: :aes_256_gcm

Input Validation

Sanitization

# Automatic input sanitization
Raxol.Security.sanitize_input(user_input)

# Command injection prevention
{:ok, safe_cmd} = Raxol.Security.validate_command(cmd)
{:error, :unsafe} = Raxol.Security.validate_command("rm -rf /")

# Path traversal prevention  
{:ok, safe_path} = Raxol.Security.validate_path(path)
{:error, :traversal} = Raxol.Security.validate_path("../../../etc/passwd")

Schema Validation

schema = %{
  username: {:string, max_length: 30, pattern: ~r/^[a-zA-Z0-9_]+$/},
  email: {:string, format: :email},
  age: {:integer, min: 0, max: 120}
}

case Raxol.Security.validate(input, schema) do
  {:ok, clean_data} -> process(clean_data)
  {:error, errors} -> handle_errors(errors)
end

Sandbox Execution

Process Isolation

# Run in sandbox
{:ok, result} = Raxol.Sandbox.execute(fn ->
  untrusted_code()
end, 
  timeout: 5000,
  memory_limit: 100_000_000,  # 100MB
  allowed_modules: [String, Enum]
)

# Restricted PTY
{:ok, pty} = Raxol.Terminal.spawn_sandboxed("/bin/sh",
  readonly_fs: true,
  no_network: true,
  allowed_commands: ["ls", "cat", "echo"]
)

Authentication

Session Management

# Create secure session
{:ok, session} = Raxol.Auth.create_session(user,
  expires_in: :timer.hours(24),
  renewable: true,
  ip_locked: true
)

# Validate session
case Raxol.Auth.validate_session(token) do
  {:ok, user} -> authorize(user)
  {:error, :expired} -> redirect_to_login()
  {:error, :invalid} -> log_security_event()
end

Multi-Factor Auth

# Enable MFA
Raxol.Auth.enable_mfa(user, :totp)

# Verify TOTP code
{:ok, :verified} = Raxol.Auth.verify_totp(user, code)

# WebAuthn support
{:ok, credential} = Raxol.Auth.register_webauthn(user)

Encryption

Data Encryption

# Encrypt sensitive data
encrypted = Raxol.Crypto.encrypt(plaintext, key)
decrypted = Raxol.Crypto.decrypt(encrypted, key)

# Key derivation
key = Raxol.Crypto.derive_key(password, salt,
  iterations: 100_000,
  length: 32
)

Secure Communication

# TLS configuration
config :raxol, :tls,
  versions: [:"tlsv1.3", :"tlsv1.2"],
  ciphers: :strong,
  verify: :verify_peer,
  fail_if_no_peer_cert: true

Audit Logging

Security Events

# Automatic audit logging
Raxol.Audit.log(:authentication, %{
  user: user_id,
  action: :login,
  ip: client_ip,
  success: true
})

# Query audit log
events = Raxol.Audit.query(
  user: user_id,
  from: ~U[2024-01-01 00:00:00Z],
  actions: [:login, :logout]
)

Compliance

# GDPR compliance
Raxol.Privacy.anonymize_user(user_id)
Raxol.Privacy.export_user_data(user_id)
Raxol.Privacy.delete_user_data(user_id)

# SOC2 reporting
report = Raxol.Compliance.generate_soc2_report(
  period: :last_quarter
)

Access Control

Role-Based Access

# Define roles
Raxol.RBAC.define_role(:admin, [
  :read_all,
  :write_all,
  :delete_all
])

Raxol.RBAC.define_role(:user, [
  :read_own,
  :write_own
])

# Check permissions
if Raxol.RBAC.can?(user, :delete_all) do
  delete_resource()
end

Resource Policies

defmodule DocumentPolicy do
  use Raxol.Policy
  
  def can?(:read, user, document) do
    document.owner_id == user.id or
    user.role == :admin or
    document.public?
  end
  
  def can?(:write, user, document) do
    document.owner_id == user.id and
    not document.locked?
  end
end

Vulnerability Protection

Common Attacks

# XSS prevention (for web interface)
safe_html = Raxol.Security.escape_html(user_content)

# SQL injection (if using SQL)
{:ok, result} = Raxol.Query.parameterized(
  "SELECT * FROM users WHERE id = ?",
  [user_id]
)

# CSRF protection
token = Raxol.Security.generate_csrf_token()
Raxol.Security.verify_csrf_token(token)

Rate Limiting

# Configure rate limits
config :raxol, :rate_limit,
  login_attempts: {5, :timer.minutes(15)},
  api_calls: {100, :timer.seconds(60)},
  commands: {10, :timer.seconds(1)}

# Check rate limit
case Raxol.RateLimit.check(:login, user_ip) do
  :ok -> process_login()
  {:error, :rate_limited} -> {:error, "Too many attempts"}
end

Testing Security

defmodule SecurityTest do
  use Raxol.SecurityCase
  
  test "prevents command injection" do
    assert {:error, _} = execute_command("ls; rm -rf /")
  end
  
  test "validates input" do
    assert {:error, _} = process_input("<script>alert(1)</script>")
  end
  
  test "enforces permissions" do
    user = create_user(role: :user)
    assert {:error, :forbidden} = admin_action(user)
  end
end

Configuration

config :raxol, :security,
  # Input validation
  input_validation: :strict,
  max_input_length: 10_000,
  
  # Sandbox
  sandbox_enabled: true,
  sandbox_timeout: 5000,
  
  # Encryption
  encryption_algorithm: :aes_256_gcm,
  key_rotation_days: 90,
  
  # Audit
  audit_enabled: true,
  audit_retention_days: 90,
  
  # Rate limiting
  rate_limiting: true,
  
  # Session
  session_timeout: :timer.hours(24),
  session_renewal: true

See Also

There aren’t any published security advisories