netspeed-cli 0.10.2

Command-line interface for testing internet bandwidth using speedtest.net
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210

# Security Audit Report

This document provides a comprehensive security audit framework for netspeed-cli. It documents the threat model, attack surface, existing security controls, and testing procedures.

## Threat Model

### Assumptions

1. **Network Communication**: All network traffic is untrusted. The CLI communicates exclusively with speedtest.net infrastructure.
2. **Local File System**: The system running the CLI is trusted. A local attacker would have full access to the tool's data.
3. **No Sensitive Data**: The tool does not store secrets, API keys, or credentials.
4. **User Environment**: The CLI runs in a standard terminal environment with user-level permissions.

### Assets to Protect

| Asset | Classification | Protection Required |
|-------|---------------|---------------------|
| Test results history | PII (IP addresses) | File permissions, no transmission |
| Config file | User preference | File permissions |
| TLS configuration | Security-critical | Certificate validation |
| Network traffic | Security-critical | TLS encryption |

### Attack Surface

#### Network Attack Vectors

1. **Man-in-the-Middle (MITM)**: An attacker intercepting traffic to speedtest.net servers.
2. **DNS Spoofing**: An attacker redirecting traffic to a malicious server.
3. **TLS Downgrade**: An attacker forcing a weaker TLS version.
4. **Certificate Forgery**: An attacker presenting a forged certificate.

#### Input Attack Vectors

1. **Server URL Injection**: Malicious server URLs from the speedtest.net XML feed.
2. **Config File Injection**: Malicious configuration values.
3. **CLI Argument Injection**: Malicious command-line arguments.

#### Output Attack Vectors

1. **Log Injection**: Malicious data in logs (if stdout is parsed by other tools).
2. **JSON/CSV Injection**: Malicious data in machine-readable output.

## Security Controls

### Transport Layer Security

| Control | Implementation | Status |
|---------|---------------|--------|
| TLS 1.3 support | `rustls` v0.23 | ✅ Implemented |
| TLS 1.2 support | `rustls` v0.23 | ✅ Implemented |
| Domain-restricted TLS | `PinningVerifier` wrapper around rustls webpki validation | ✅ Implemented |
| Custom CA support | `--ca-cert` flag | ✅ Implemented |
| Root CA trust store | `webpki-roots` | ✅ Implemented |

### Input Validation

| Control | Implementation | Status |
|---------|---------------|--------|
| Server URL normalization | `endpoints.rs` | ✅ Implemented |
| IP address validation | `common::is_valid_ipv4()` | ✅ Implemented |
| Config file validation | `config.rs::validate_config()` | ✅ Implemented |
| CSV delimiter validation | `config.rs::validate_csv_delimiter_config()` | ✅ Implemented |

### File System Security

| Control | Implementation | Status |
|---------|---------------|--------|
| History file permissions | `0o600` (Unix only) | ✅ Implemented |
| Atomic file writes | Temp file + rename | ✅ Implemented |
| Backup rotation | `.bak` and `.corrupt` files | ✅ Implemented |

### Dependency Security

| Control | Implementation | Status |
|---------|---------------|--------|
| Dependency audit | `cargo-deny` in CI | ✅ Implemented |
| License audit | `cargo-deny` in CI | ✅ Implemented |
| Advisory database | RUSTSEC | ✅ Configured |
| Lock file committed | `Cargo.lock` | ✅ Required |

## Testing Procedures

### Static Analysis

```bash
# Run clippy with all lints enabled
cargo clippy --all-targets --all-features -- -D warnings

# Check formatting
cargo fmt -- --check

# Check for unsafe code
cargo geiger

# Check for dependency updates
cargo outdated
```

### Security Testing

```bash
# Run cargo-deny security audit
cargo deny check

# Check for vulnerabilities
cargo audit

# Check for unmaintained dependencies
cargo audit --fetch-index
```

### Fuzz Testing

```bash
# Run fuzz tests (requires corpus)
cargo fuzz run parse_ip_from_xml
cargo fuzz run parse_server_url
```

### Integration Testing

```bash
# Run all integration tests
cargo test --test integration_test

# Run mock network tests
cargo test --test mock_network_test -- --ignored --nocapture

# Run socket-binding tests
cargo test --test e2e_test -- --ignored --nocapture
```

## Known Security Considerations

### Domain-restricted TLS (`--pin-certs`)

The `--pin-certs` option is intentionally implemented as domain-restricted TLS rather than raw certificate-hash pinning. This means:

- ✅ Only connections to `*.speedtest.net` and `*.ookla.com` are allowed
- ✅ The normal rustls/webpki certificate chain, validity, and hostname checks still run
- ✅ The custom verifier delegates TLS signature verification to rustls
- ⚠️ It does not pin SPKI/certificate hashes because speedtest.net server certificates are operationally rotated

If stable SPKI pins become available, add them only after normal webpki verification succeeds.

### No TLS Certificate Revocation

The current implementation does not check certificate revocation lists (CRL) or use OCSP stapling. This is a known limitation for a CLI tool where:
- Certificate lifetime is typically short
- CRL distribution points may not be accessible
- Speedtest.net infrastructure uses certificates from major CAs

### History File Contains IP Addresses

Test results include the client's IP address. While this data stays local, users should be aware:
- History files are created with `0o600` permissions on Unix
- The data is not transmitted to any server other than speedtest.net
- Users can disable history saving by using `--json` or `--csv` output

## Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly:

1. **Do not** open a public GitHub issue for security-related concerns.
2. Open a [GitHub Security Advisory](https://github.com/mapleDevJS/netspeed-cli/security/advisories/new).
3. Include as much detail as possible:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if available)

Response time: Within 48 hours for initial acknowledgment.

## Security Audit Schedule

| Frequency | Activity |
|-----------|----------|
| Per-PR | `cargo clippy`, `cargo fmt --check`, `cargo deny check` |
| Per-merge | `cargo audit`, dependency review |
| Monthly | Full security review, dependency update check |
| Quarterly | Third-party security assessment |

## Appendix: Security-related Configuration

### TLS Version Configuration

```toml
# config.toml
tls_version = "1.3"  # Require TLS 1.3 (or use 1.2)
```

### Domain-restricted TLS

```bash
# Add speedtest.net/ookla.com domain restriction on top of normal TLS validation
netspeed-cli --pin-certs

# Use custom CA certificate
netspeed-cli --ca-cert /path/to/ca.pem
```

### Network Security

```bash
# Set HTTP timeout (affects TLS handshake timeout)
netspeed-cli --timeout 30

# Bind to specific source IP
netspeed-cli --source 192.168.1.100
```