archy/docs/security-audit-2026-03-11.md
Dorian 1505b1b1cc fix: monthly security scan — fix shell injection and add RPC body limit (MAINT-02)
- Replace sh -c echo with tokio::fs::write for bitcoin.conf generation
- Add client_max_body_size 1m to /rpc/ in both HTTP and HTTPS nginx blocks
- Document full audit findings in docs/security-audit-2026-03-11.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-11 18:09:16 +00:00


Monthly Security Audit — 2026-03-11

Scope

MAINT-02 monthly scan. Full audit of core/security/, core/archipelago/src/api/rpc/, nginx config, and frontend.

Findings Summary

| Severity | Count | Fixed | Deferred |
| --- | --- | --- | --- |
| Critical | 2 | 0 | 2 (known, architectural) |
| High | 5 | 0 | 5 (known, requires design) |
| Medium | 7 | 2 | 5 |
| Low | 6 | 0 | 6 |
| Info | 4 | 0 | 4 |

Fixes Applied This Cycle

MED-03: Shell injection in bitcoin.conf generation — FIXED

core/archipelago/src/api/rpc/package.rs — Replaced the sh -c echo shell invocation with a direct tokio::fs::write() call, so the config contents are written as bytes and never re-parsed by a shell. This removes the shell injection surface.
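The hardened pattern from this fix, as an added example that is not the project's own code: the config is rendered in memory and written directly with fs::write (std::fs stands in for tokio::fs::write so the example needs no async runtime). The RpcSettings field names are assumed for illustration; the real package.rs struct is not shown here.

```rust
use std::fs;
use std::io;
use std::path::Path;

/// Values written to bitcoin.conf. Field names are assumed for this example;
/// the real struct in package.rs is not on the page.
pub struct RpcSettings {
    pub rpcuser: String,
    pub rpcpassword: String,
    pub rpcbind: String,
    pub rpcallowip: String,
}

/// Reject control characters that would break the line-oriented format:
/// a newline inside a value would smuggle in an extra key=value line.
pub fn validate(s: &RpcSettings) -> Result<(), String> {
    for (name, v) in [("rpcuser", &s.rpcuser), ("rpcpassword", &s.rpcpassword),
                      ("rpcbind", &s.rpcbind), ("rpcallowip", &s.rpcallowip)] {
        if v.chars().any(|c| c == '\n' || c == '\r' || c == '\0') {
            return Err(format!("{name}: control character not allowed"));
        }
    }
    Ok(())
}

/// Render the config in memory. Shell metacharacters in a value
/// (quotes, `;`, `$(...)`, backticks) are ordinary bytes here.
pub fn render_bitcoin_conf(s: &RpcSettings) -> String {
    format!(
        "server=1\nrpcuser={}\nrpcpassword={}\nrpcbind={}\nrpcallowip={}\n",
        s.rpcuser, s.rpcpassword, s.rpcbind, s.rpcallowip
    )
}

/// Hardened writer: the std::fs counterpart of the tokio::fs::write() call
/// from the fix. The former `sh -c "echo ... > bitcoin.conf"` handed the
/// rendered text to a shell, which re-parsed it; fs::write never does.
pub fn write_bitcoin_conf(path: &Path, s: &RpcSettings) -> io::Result<String> {
    validate(s).map_err(|e| io::Error::new(io::ErrorKind::InvalidInput, e))?;
    let conf = render_bitcoin_conf(s);
    fs::write(path, &conf)?;
    // The file holds an RPC credential: owner-only permissions on Unix.
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        fs::set_permissions(path, fs::Permissions::from_mode(0o600))?;
    }
    Ok(conf)
}
```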

MED-07: No body size limit on /rpc/ endpoint — FIXED

image-recipe/configs/nginx-archipelago.conf — Added client_max_body_size 1m to the /rpc/ location in both the HTTP and HTTPS server blocks, so oversized request bodies are rejected by nginx before they reach the RPC handler.

Known Issues (Deferred)

CRIT-01: Deterministic encryption key

The secrets encryption key is derived deterministically from the data directory path rather than from a secret. Fixing this requires an architectural redesign (Argon2 from a user password or a TPM-backed key). Tracked for v1.1.

CRIT-02: Hardcoded Bitcoin RPC password

The Bitcoin RPC password archipelago123 is shared across all deployments. Fixing this requires per-install random password generation and integration with a secrets manager. Tracked for v1.1.

HIGH-01 through HIGH-05

Known from the FINAL-02 audit (2026-03-10): CSP hardening, HSTS, IP spoofing against rate limiting, Bitcoin RPC binding. All tracked for v1.1.

Dependency CVE Check

npm

  • serialize-javascript ≤7.0.2 (GHSA-5c6j-r48x-rmvq): RCE via RegExp.flags — dev-only, no runtime impact
  • rollup path traversal (GHSA-mw96-cpmx-2vgc): dev-only build tool
  • No new runtime dependency CVEs

Cargo

  • No new advisories affecting the current pinned versions (checked with a cargo-audit equivalent)

Podman/Debian

  • No critical Debian 12 security advisories for Podman 4.x since last scan
  • Container base images using pinned versions (no :latest in production manifests)

Next Cycle

Due: 2026-04-11. Focus areas: CRIT-01 key derivation redesign, CSP tightening.