pwsafe — Security Audits


External-model audits of the WebDAV transport plugin subsystem (webdav branch). All Critical and High findings have been fixed.

Audit log

Counts are Critical/High/Medium/Low/Informational findings per audit.

• 2026-02-27 — OpenAI o3 — 4C/4H/3M/4L/4I — all critical+high fixed

• 2026-02-27 — OpenAI gpt-5.2 — 0C/4H/6M/4L/2I — all fixed

• 2026-02-27 — Self-review (Claude) — 0C/0H/1M/2L — all fixed

Source files in scope

src/os/unix/transport.cpp — plugin loader, scheme extraction, cache dir

src/os/unix/transport_lockd.cpp — lock daemon (fork/socketpair/IPC)

src/os/plugins/webdav/transport-webdav.cpp — libcurl WebDAV ops

src/os/plugins/file/transport-file.cpp — local file plugin

src/core/file.cpp — FOpen/FClose intercept

src/os/transport.h — PWSTransport ABI

Combined remediation table

Plain numbered IDs (C1, H5, ...) are findings from the o3 audit; (g52) marks findings from the gpt-5.2 audit and (sr) findings from the self-review.

C1 — Newline injection / text IPC protocol — Fixed — binary length-prefix protocol

C2 — Cache dir 0755 → symlink/disclosure — Fixed — chmod 0700

C3 — TOCTOU plugin load — Fixed — single fd + /proc/self/fd/N

C4 — Cross-protocol curl redirect — Fixed — PROTOCOLS_STR, FOLLOWLOCATION=0

H5 — Scheme '/' traversal — Fixed — RFC 3986 validation

H7 — Missing explicit SSL verify — Fixed — VERIFYPEER=1, VERIFYHOST=2

H8 — Unbounded lock response buffer — Fixed — 64 KB cap

H(g52) — recv_string unbounded len → child OOM — Fixed

M(g52) — No EINTR in send_all/recv_all — Fixed

M(g52) — OPTIONS probe missing curl hardening — Fixed

M(g52) — Cache file not forced to 0600 — Fixed

M(g52) — Plugin fd missing S_ISREG check — Fixed

M(sr) — socketpair missing SOCK_CLOEXEC — Fixed

L(g52) — ftell() unchecked; -1 to INFILESIZE — Fixed

L(g52) — Lock-Token / DAV: header case-sensitive — Fixed

L(sr) — header_cb DAV: check partially case-sensitive — Fixed

L(sr) — Parent URL guard inconsistent with child MAX_IPC_URL — Fixed
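The following C sketch is an added illustration of the IPC fixes listed above (C1 length-prefixed framing, H8 and H(g52) bounded buffers with the cap checked before allocation, M(g52) EINTR handling, M(sr) SOCK_CLOEXEC on the socketpair). It is not code from pwsafe's transport_lockd.cpp; the names xfer_all, send_string, recv_string, ipc_selftest and MAX_IPC_MSG, the 4-byte little-endian header and the sample message are assumptions made here.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_IPC_MSG (64u * 1024u)  /* hard cap on one framed message (the 64 KB bound) */

/* Move exactly len bytes; EINTR retries, EOF on read (n == 0) is an error, never a short message. */
static int xfer_all(int fd, void *buf, size_t len, int writing) {
    unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = writing ? write(fd, p, len) : read(fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) return -1;
        p += n; len -= (size_t)n;
    }
    return 0;
}
/* Frame = 4-byte little-endian length + payload, so '\n' in a URL or token is just data. */
static int send_string(int fd, const char *s) {
    size_t len = strlen(s);
    unsigned char h[4] = { (unsigned char)len, (unsigned char)(len >> 8), (unsigned char)(len >> 16), (unsigned char)(len >> 24) };
    if (len > MAX_IPC_MSG || xfer_all(fd, h, 4, 1) != 0) return -1;
    return xfer_all(fd, (char *)s, len, 1);  /* cast only; write() does not modify s */
}
/* Check the claimed length against the cap BEFORE malloc: the peer cannot force a huge allocation. */
static char *recv_string(int fd) {
    unsigned char h[4];
    if (xfer_all(fd, h, 4, 0) != 0) return NULL;
    size_t len = h[0] | (h[1] << 8) | (h[2] << 16) | ((size_t)h[3] << 24);
    char *s = len > MAX_IPC_MSG ? NULL : malloc(len + 1);
    if (s && xfer_all(fd, s, len, 0) != 0) { free(s); s = NULL; }
    if (s) s[len] = '\0';
    return s;
}
/* Round trip over a CLOEXEC socketpair (constructed input); returns 1 when framing and cap hold. */
static int ipc_selftest(void) {
    int sv[2], ok;
    if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, sv) != 0) return 0;
    const char *msg = "PUT https://dav.example/db.psafe3\nInjected-Line: x";  /* constructed sample */
    char *got = send_string(sv[0], msg) == 0 ? recv_string(sv[1]) : NULL;
    ok = got != NULL && strcmp(got, msg) == 0;  /* embedded newline survives intact as data */
    free(got);
    unsigned char huge[4] = { 0xff, 0xff, 0xff, 0x7f };  /* header claiming ~2 GB */
    ok = ok && xfer_all(sv[0], huge, 4, 1) == 0 && recv_string(sv[1]) == NULL;
    close(sv[0]); close(sv[1]);
    return ok;
}
```

The oversized header is rejected by comparing the claimed length with MAX_IPC_MSG before any allocation, which is the behaviour the H(g52) fix restores.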

Known remaining limitations

• Cache filename collision (truncation without hash) — known limitation, not a security issue for single-user use

• Daemon crash is unrecoverable (EIO; user must reopen)

• libcurl post-fork state technically undefined (safe in practice)

Version 2, updated 2026-02-27