SkyMoney/tests-results-for-OWASP/A08-Software-and-Data-Integrity-Failures.md
Ricearoni1245 079b8b9492
chore: root commit of OWASP security testing/tightening
2026-03-01 20:46:47 -06:00

A08: Software and Data Integrity Failures

Last updated: March 1, 2026

Findings addressed

  1. Backup/restore workflow did not verify backup artifact integrity before restoring.
  2. Restores could proceed with tampered/corrupted dump files, risking silent data corruption.

Fixes implemented

  1. Added checksum artifact generation during backups:
     • scripts/backup.sh now generates a SHA-256 checksum file next to each dump (.sha256).
  2. Added checksum verification before restore:
     • scripts/restore.sh now requires ${BACKUP_FILE}.sha256.
     • Validates checksum format (64 hex chars).
     • Computes runtime SHA-256 of backup file and blocks restore on mismatch.
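
The checksum-then-verify flow described above, sketched as an added example; this is not the contents of scripts/backup.sh or scripts/restore.sh. The function names, the return codes, and the choice to read the digest from the first field of the .sha256 file are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the project's scripts. Function names and return codes
# are hypothetical.

# Print the SHA-256 hex digest of a file. Reading from stdin keeps the file
# name out of the tool's output, so odd file names cannot alter the digest field.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1" | awk '{print $1}'
  else
    shasum -a 256 < "$1" | awk '{print $1}'
  fi
}

# Backup side: write <dump>.sha256 next to the dump.
write_checksum() {
  sha256_of "$1" > "$1.sha256"
}

# Restore side: return 0 only when <dump>.sha256 exists, is well-formed and
# matches the dump. 2 = checksum file missing, 3 = malformed, 4 = mismatch.
verify_backup_checksum() {
  local backup_file="$1" expected actual
  [ -f "${backup_file}.sha256" ] || return 2

  # Assumption: the digest is the first whitespace-separated field of line 1.
  # Uppercase hex is normalised to lowercase before comparison.
  expected="$(awk 'NR==1 {print $1}' "${backup_file}.sha256" | tr 'A-F' 'a-f')"

  # Format check: exactly 64 hex characters, nothing else.
  case "$expected" in
    *[!0-9a-f]*) return 3 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 3

  # Recompute at restore time and fail closed on any difference.
  actual="$(sha256_of "$backup_file")"
  [ "$actual" = "$expected" ] || return 4
  return 0
}
```

A restore script would call `verify_backup_checksum "$BACKUP_FILE" || exit 1` before any database command runs. A checksum stored beside the dump catches corruption and edits to the dump alone; anyone able to rewrite both files can regenerate it, which is the gap that signature verification closes.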

Files changed

  1. scripts/backup.sh
  2. scripts/restore.sh
  3. api/tests/software-data-integrity-failures.test.ts
  4. api/vitest.security.config.ts

Verification

Command:

cd api
npx vitest run -c vitest.security.config.ts tests/software-data-integrity-failures.test.ts

Verified output:

  • Test Files: 1 passed (1)
  • Tests: 2 passed (2)

Dedicated A08 checks in software-data-integrity-failures.test.ts:

  1. Executes scripts/backup.sh with stubbed pg_dump and verifies dump + .sha256 artifact generation.
  2. Executes scripts/restore.sh with tampered checksum and verifies restore is blocked before DB commands are invoked.

Residual notes

  1. This secures backup artifact integrity in operational scripts.
  2. For CI/CD artifact integrity hardening, the next step is attestation/signature verification for deployed build artifacts.