Skip to content

Latest commit

 

History

History
136 lines (106 loc) · 9.06 KB

mitigations.md

File metadata and controls

136 lines (106 loc) · 9.06 KB

Mitigation Strategies Analysis for airbnb/okreplay

Mitigation Strategy: Tape Sanitization and Redaction (via OkReplay Interceptors)

1. Mitigation Strategy: Tape Sanitization and Redaction (via OkReplay Interceptors)

  • Description:

    1. Identify Sensitive Data: Create a comprehensive, documented list of all sensitive data types potentially present in requests/responses (API keys, tokens, PII, etc.).
    2. Implement OkReplay Interceptors: Utilize OkReplay's Interceptor interface. Create custom interceptor classes that hook into the request/response recording process.
    3. Redaction Logic (Within Interceptors):
      • Request Headers: Iterate through headers; redact/replace sensitive header values (e.g., Authorization, Cookie).
      • Request Bodies: Parse the body (JSON, XML, etc.); redact/replace sensitive values based on keys or patterns. Use regex for plain text.
      • Response Headers: Redact sensitive headers.
      • Response Bodies: Parse and redact sensitive data.
      • Consistent Placeholders: Use placeholders like [REDACTED_API_KEY] to clearly indicate redactions.
      • (Optional) Hashing: Consider hashing some values instead of full redaction (but be aware of rainbow table risks).
    4. Configuration-Driven Rules: Store redaction rules (patterns, keys) in a separate configuration file for easy management without code changes.
    5. Thorough Testing: Rigorously test the sanitization with diverse inputs to ensure complete and accurate redaction.
    6. Regular Review: Regularly review and update sanitization rules as the application and its API interactions evolve.

  • Threats Mitigated:

    • Sensitive Data Exposure in Tapes (Severity: High): Prevents leakage of credentials, PII, etc., if tapes are mishandled.
    • Compliance Violations (Severity: High): Helps meet compliance requirements (GDPR, CCPA, PCI DSS) by preventing insecure storage of sensitive data.

  • Impact:

    • Sensitive Data Exposure: Risk significantly reduced (High to Low with proper implementation).
    • Compliance Violations: Risk significantly reduced (High to Low, if all required data is sanitized).

  • Currently Implemented:

    • Partially implemented (e.g., in src/test/java/com/example/MyServiceTest.java). Basic Authorization header redaction exists.

  • Missing Implementation:

    • Comprehensive body redaction (request and response).
    • Configuration-driven redaction rules.
    • Formalized regular review process.
    • Hashing is not used.
    • Sanitization is not consistently applied across all OkReplay-using tests.

Mitigation Strategy: Strategic Use of MatchRules

2. Mitigation Strategy: Strategic Use of MatchRules

  • Description:

    1. Avoid Overly Broad Matching: Do not rely solely on basic MatchRules like MatchRule.method().
    2. Combine Specific Rules: Use a combination of MatchRules to precisely match requests:
      • MatchRule.method(): Match the HTTP method (GET, POST, etc.).
      • MatchRule.uri(): Match the request URI (or a pattern using regex).
      • MatchRule.headers(): Match specific request headers and their values (important for authentication, content type, etc.).
      • MatchRule.body(): Match the request body content (crucial for POST/PUT requests). Use with caution and consider partial matching if the body contains dynamic data.
    3. MatchRule.times(n): Use MatchRule.times(n) to limit how many times a tape can be replayed. This forces re-recording after n uses, helping detect API drift.
    4. Custom MatchRule (Advanced): For complex scenarios, create custom MatchRule implementations to define highly specific matching logic. This allows for handling non-deterministic elements or ignoring specific parts of a request/response.

  • Threats Mitigated:

    • Over-Reliance on Mocked Data (Severity: Medium): Encourages more comprehensive testing by requiring more specific matching.
    • Non-Deterministic Behavior Masking (Severity: Medium): Precise matching helps reveal inconsistencies caused by non-deterministic elements.
    • Outdated Tapes (Severity: Medium): MatchRule.times(n) helps detect when tapes are no longer valid.

  • Impact:

    • Over-Reliance on Mocked Data: Risk reduced (Medium to Low).
    • Non-Deterministic Behavior Masking: Risk reduced (Medium to Low).
    • Outdated Tapes: Risk reduced (Medium to Low).

  • Currently Implemented:

    • Basic MatchRules are used, but often not precise enough.

  • Missing Implementation:

    • Consistent use of combined, specific MatchRules across all tests.
    • Widespread use of MatchRule.times(n).
    • Custom MatchRule implementations are not present.

Mitigation Strategy: Tape Checksumming (via OkReplay Listeners/Interceptors)

3. Mitigation Strategy: Tape Checksumming (via OkReplay Listeners/Interceptors)

  • Description:

    1. Checksum Generation (Post-Sanitization): After a tape is sanitized, generate a cryptographic checksum (e.g., SHA-256) of the tape file. This can be done within an OkReplay Interceptor or a custom Listener.
    2. Checksum Storage: Store the checksum:
      • In a separate file (e.g., my_tape.json.sha256).
      • In a metadata file.
      • (Ideally) Within a secrets management service, if used for tape storage.
    3. Checksum Verification (Pre-Playback): Before OkReplay uses a tape, verify its integrity:
      • Read the stored checksum.
      • Calculate the checksum of the current tape file (again, within an Interceptor or Listener).
      • Compare the calculated checksum with the stored checksum.
      • If they do not match, throw an exception or otherwise prevent the test from running. This signals tape tampering.
    4. Integration: Integrate this process seamlessly into the OkReplay setup, so it happens automatically for all tapes.

  • Threats Mitigated:

    • Tape Tampering (Severity: Medium): Detects unauthorized modifications to tapes.
    • Masking of Vulnerabilities (Severity: Medium): Ensures tests run against the intended recorded interactions.

  • Impact:

    • Tape Tampering: Risk significantly reduced (Medium to Low).
    • Masking of Vulnerabilities: Risk significantly reduced (Medium to Low).

  • Currently Implemented:

    • Not implemented.

  • Missing Implementation:

    • All aspects: checksum generation, storage, and verification within the OkReplay workflow.

Mitigation Strategy: Configure OkReplay for Test-Only Usage

4. Mitigation Strategy: Configure OkReplay for Test-Only Usage

  • Description:

    1. Conditional OkReplay Initialization: Wrap the OkReplay setup code (creating the OkReplayConfig, OkReplayRule, etc.) within a conditional block that checks for a test environment. This prevents accidental inclusion in production code. Example (using a system property):

      if (System.getProperty("env.type", "prod").equals("test")) {
    // OkReplay setup code here...
    OkReplayConfig config = new OkReplayConfig.Builder()
        // ... configuration ...
        .build();
    okReplayRule = new OkReplayRule(config);
}

    2. Build System Integration: Ensure your build system (Maven, Gradle, etc.) sets the appropriate environment variable (e.g., env.type=test) only during test execution. This prevents OkReplay from being initialized in production builds.

    3. Fail-Fast: If, for some reason, OkReplay is initialized in a non-test environment, make it fail immediately and conspicuously. This prevents any recording or playback from happening.

  • Threats Mitigated:

    • Accidental Production Use (Severity: High): Prevents OkReplay from being used in production, which could expose sensitive data or disrupt live services.
    • Misuse for Replay Attacks (Severity: Low): Reduces the likelihood of OkReplay being misused, although network isolation is a stronger mitigation for this.

  • Impact:

    • Accidental Production Use: Risk eliminated (High to None).
    • Misuse for Replay Attacks: Risk reduced (Low to Very Low).

  • Currently Implemented:

    • Partially implemented. OkReplay initialization is in test classes, but there isn't a robust, environment-based check.

  • Missing Implementation:

    • A reliable, environment-based conditional check for OkReplay initialization.
    • Integration with the build system to ensure the correct environment variable is set during testing.
    • Fail-fast mechanism if OkReplay is initialized in a non-test environment.