Security Guide

Defense-in-depth protections built into the Everything App.

Security Architecture

The Everything App implements multiple layers of security to protect against common attack vectors in mobile/web applications.

🛡️ SSRF Prevention

URL scheme allowlisting and trusted host validation prevent server-side request forgery via malicious API responses.

💉 SQL Injection Prevention

All database queries use parameterized bindings (whereArgs). No string interpolation in SQL.

🔑 Credential Security

API keys loaded from environment variables via --dart-define. Never hardcoded in source.

🔐 Secure Storage

Sensitive data stored via flutter_secure_storage (Keychain on iOS, EncryptedSharedPreferences on Android).

SSRF Protection

Server-Side Request Forgery (SSRF) is a critical vulnerability where an attacker tricks the application into making requests to unintended URLs. This is particularly relevant when following pagination links from external APIs.

The Attack Vector

When fetching calendar events from Microsoft Graph, the API returns @odata.nextLink for pagination. A malicious or compromised API could set this to an internal URL:

// Malicious response
{
  "value": [...],
  "@odata.nextLink": "http://169.254.169.254/latest/meta-data/"  // ← Cloud metadata!
}
    

Our Defenses

1. Scheme Allowlist

HttpUtils._validateUrl() rejects any URL not using https:

// AppConstants.allowedSchemes = ['https']
// Blocks: http://, file://, ftp://, gopher://, etc.
    

2. Trusted Host Validation

Pagination URLs are validated against AppConstants.trustedApiHosts:

// Only these hosts are trusted for pagination:
static const trustedApiHosts = [
  'graph.microsoft.com',
  'api.example.com',
];

// First request: our own URL (trusted by construction)
// Subsequent requests: validated against trustedApiHosts
HttpUtils.getRequest(nextUrl, requireTrustedHost: page > 0);
    

3. Pagination Limit

GraphService._maxPages = 50 prevents infinite pagination loops from malformed responses.

SQL Injection Prevention

All database operations use sqflite's parameterized query API:

// ✅ Safe — parameterized binding
db.delete('events', where: 'id = ?', whereArgs: [id]);

// ❌ Vulnerable — never do this
db.rawDelete("DELETE FROM events WHERE id = '$id'");
    

Authentication Security

Firebase Auth handles credential storage, token refresh, and session management
AuthGate uses StreamBuilder on authStateChanges — state is always derived from Firebase, not from local variables
Error mapping — Firebase error codes are mapped to structured exceptions, preventing raw error messages from leaking to the UI
Password reset — uses Firebase's server-side email flow (no client-side token handling)

Dependency Security

Dependabot monitors dependencies for known vulnerabilities (daily checks)
CodeQL scans Dart code for security patterns on every push
Minimal dependencies — only essential packages are included to reduce attack surface

Reporting Vulnerabilities

If you discover a security vulnerability, please report it responsibly:

Do not open a public GitHub issue
Email the maintainer or use GitHub's private vulnerability reporting
Include: description, reproduction steps, impact assessment
Allow reasonable time for a fix before disclosure