copper-tone-tech/mev-beta
1
0
Fork 0
Code Issues Pull Requests 7 Actions Packages Projects Releases Wiki Activity
Files
65f0dc34f8e742f4f1681c5ed8ed8f712b69bbe0
mev-beta/orig/scripts/validate-security.sh
Administrator c54c569f30 refactor: move all remaining files to orig/ directory 
Completed clean root directory structure:
- Root now contains only: .git, .env, docs/, orig/
- Moved all remaining files and directories to orig/:
  - Config files (.claude, .dockerignore, .drone.yml, etc.)
  - All .env variants (except active .env)
  - Git config (.gitconfig, .github, .gitignore, etc.)
  - Tool configs (.golangci.yml, .revive.toml, etc.)
  - Documentation (*.md files, @prompts)
  - Build files (Dockerfiles, Makefile, go.mod, go.sum)
  - Docker compose files
  - All source directories (scripts, tests, tools, etc.)
  - Runtime directories (logs, monitoring, reports)
  - Dependency files (node_modules, lib, cache)
  - Special files (--delete)

- Removed empty runtime directories (bin/, data/)

V2 structure is now clean:
- docs/planning/ - V2 planning documents
- orig/ - Complete V1 codebase preserved
- .env - Active environment config (not in git)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-10 10:53:05 +01:00

242 lines
7.0 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# MEV Bot Security Validation Script
# This script performs basic security checks before deployment
set -e
echo "🔒 MEV Bot Security Validation"
echo "=============================="
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Function to print status
print_status() {
if [ $1 -eq 0 ]; then
echo -e "${GREEN}${NC} $2"
else
echo -e "${RED}${NC} $2"
exit 1
fi
}
print_warning() {
echo -e "${YELLOW}${NC} $1"
}
echo "1. Checking encryption key security..."
if [ -z "$MEV_BOT_ENCRYPTION_KEY" ]; then
echo -e "${RED}${NC} MEV_BOT_ENCRYPTION_KEY not set"
exit 1
fi
# Check key length
KEY_LENGTH=${#MEV_BOT_ENCRYPTION_KEY}
if [ $KEY_LENGTH -lt 32 ]; then
echo -e "${RED}${NC} Encryption key too short ($KEY_LENGTH chars, need 32+)"
exit 1
fi
# Check for weak keys
case "$MEV_BOT_ENCRYPTION_KEY" in
*test*|*demo*|*example*|*default*)
echo -e "${RED}${NC} Encryption key contains weak patterns"
exit 1
;;
"test123"|"password"|"123456789012345678901234567890")
echo -e "${RED}${NC} Encryption key is a known weak key"
exit 1
;;
esac
print_status 0 "Encryption key validation passed"
echo ""
echo "2. Checking file permissions..."
# Check keystore permissions
if [ -d "keystore" ]; then
KEYSTORE_PERMS=$(stat -c "%a" keystore)
if [ "$KEYSTORE_PERMS" != "700" ]; then
print_warning "Keystore permissions are $KEYSTORE_PERMS, should be 700"
chmod 700 keystore
print_status 0 "Fixed keystore permissions"
else
print_status 0 "Keystore permissions correct"
fi
fi
# Check .env file permissions
for env_file in .env .env.production .env.staging; do
if [ -f "$env_file" ]; then
ENV_PERMS=$(stat -c "%a" "$env_file")
if [ "$ENV_PERMS" != "600" ]; then
print_warning "$env_file permissions are $ENV_PERMS, should be 600"
chmod 600 "$env_file"
print_status 0 "Fixed $env_file permissions"
else
print_status 0 "$env_file permissions correct"
fi
fi
done
echo ""
echo "3. Checking for hardcoded secrets..."
# Look for potential hardcoded secrets (excluding vendor and config templates)
SECRET_PATTERNS=(
"password.*=.*[\"'].*[\"']"
"secret.*=.*[\"'].*[\"']"
"private.*key.*=.*[\"'].*[\"']"
"0x[a-fA-F0-9]{64}"
)
SECRETS_FOUND=0
for pattern in "${SECRET_PATTERNS[@]}"; do
# Exclude vendor directory, templates, and common config patterns
if grep -r -i "$pattern" --include="*.go" --include="*.yaml" --include="*.yml" . \
| grep -v -E "(vendor/|test|example|placeholder|YOUR_|TODO|\${|admin123|\.template)" \
| grep -v -E "(docker-compose\.|config\.|\.github/workflows/)" \
| grep -v -E "(crypto\.GenerateKey|crypto\.HexToECDSA|BasicPassword.*Getenv)" \
| grep -v -E "(Getenv.*PRIVATE_KEY|privateKeyStr.*:=)" \
| grep -v -E "(cmd/.*cli.*private-key|String.*private-key)" > /dev/null; then
echo -e "${RED}${NC} Found potential hardcoded secret: $pattern"
grep -r -i "$pattern" --include="*.go" --include="*.yaml" --include="*.yml" . \
| grep -v -E "(vendor/|test|example|placeholder|YOUR_|TODO|\${|admin123|\.template)" \
| grep -v -E "(docker-compose\.|config\.|\.github/workflows/)" \
| grep -v -E "(crypto\.GenerateKey|crypto\.HexToECDSA|BasicPassword.*Getenv)" \
| grep -v -E "(Getenv.*PRIVATE_KEY|privateKeyStr.*:=)" \
| grep -v -E "(cmd/.*cli.*private-key|String.*private-key)" \
| head -3
SECRETS_FOUND=1
fi
done
if [ $SECRETS_FOUND -eq 0 ]; then
print_status 0 "No hardcoded secrets detected"
fi
echo ""
echo "4. Running security tests..."
# Create required directories for tests
mkdir -p logs keystore test_keystore
# Run basic security tests
echo "Running Go security tests..."
if go test -short ./pkg/security/ > /dev/null 2>&1; then
print_status 0 "Security unit tests passed"
else
echo -e "${RED}${NC} Security unit tests failed"
exit 1
fi
# Test encryption key validation
echo "Testing encryption key validation..."
if echo 'package main
import (
"fmt"
"github.com/fraktal/mev-beta/pkg/security"
)
func main() {
config := &security.KeyManagerConfig{
EncryptionKey: "test123",
KeystorePath: "test_keystore",
}
if err := validateProductionConfig(config); err != nil {
fmt.Println("Validation correctly rejected weak key")
} else {
fmt.Println("ERROR: Weak key was accepted")
}
}' | go run -; then
print_status 0 "Encryption key validation working"
else
print_warning "Could not test encryption key validation"
fi
echo ""
echo "5. Checking build security..."
# Ensure binary is built with security flags
echo "Building with security flags..."
if CGO_ENABLED=0 go build -ldflags="-w -s" -o mev-bot-secure cmd/mev-bot/main.go; then
print_status 0 "Secure build completed"
# Check if binary is stripped
if which strip > /dev/null 2>&1; then
strip mev-bot-secure
print_status 0 "Binary stripped of debug symbols"
fi
else
echo -e "${RED}${NC} Secure build failed"
exit 1
fi
echo ""
echo "6. Checking network security..."
# Check if running as root (should not be)
if [ "$EUID" -eq 0 ]; then
echo -e "${RED}${NC} Running as root - this is not recommended for security"
exit 1
else
print_status 0 "Not running as root"
fi
# Check firewall status (if available)
if which ufw > /dev/null 2>&1; then
if ufw status | grep -q "Status: active"; then
print_status 0 "Firewall is active"
else
print_warning "Firewall (ufw) is not active"
fi
elif which iptables > /dev/null 2>&1; then
if iptables -L | grep -q "Chain INPUT"; then
print_status 0 "iptables firewall configured"
fi
fi
echo ""
echo "7. Generating security summary..."
# Create security summary
cat > security-validation-report.txt << EOF
MEV Bot Security Validation Report
Generated: $(date)
Environment: ${NODE_ENV:-development}
✓ Encryption key validation passed
✓ File permissions secured
✓ No hardcoded secrets detected
✓ Security tests passed
✓ Secure build completed
✓ Network security checked
Recommendations:
- Ensure all production deployments use strong encryption keys
- Regular security scans and updates
- Monitor logs for security events
- Backup encryption keys securely
- Regular security training for team
For detailed security procedures, see docs/SECURITY_PROCEDURES.md
EOF
print_status 0 "Security validation report generated: security-validation-report.txt"
echo ""
echo -e "${GREEN}🎉 Security validation completed successfully!${NC}"
echo ""
echo "Next steps:"
echo "1. Review security-validation-report.txt"
echo "2. Ensure monitoring is configured in production"
echo "3. Schedule regular security reviews"
echo "4. Run full security test suite: go test ./pkg/security/"
echo ""
# Clean up test binary
rm -f mev-bot-secure
Reference in New Issue View Git Blame Copy Permalink