Security audit - 2026-06-09 #45
Open
versila22 wants to merge 1 commit into
…-05-19) First automated pentest report. Findings: C=0 H=3 M=4 L=3 Info=2. Top issues: react-router open redirect (H), JWT in sessionStorage Safari fallback (H), .orig file with localStorage token pattern in git (H).
# Pentest mini-report: versila22/lima-app (2026-06-09)

Probed URL: https://limaimpro.duckdns.org/
Stack: React 18 + Vite / npm / PWA=yes (vite-plugin-pwa, workbox, autoUpdate)
Counts: Critical=0 High=3 Medium=4 Low=3 Info=2

## Findings
- JWT in sessionStorage (see H1 below): src/lib/api.ts:42-53
- .orig backup file with localStorage token storage committed to git: src/lib/api.ts.orig:22-33
- react-router open redirect via //-prefixed path (GHSA-2j2x-hqr9-3h42): node_modules/react-router v6 <6.30.4
- dangerouslySetInnerHTML injects CSS from chart config into DOM: src/components/ui/chart.tsx:70
- vite.config.ts: workbox globPatterns
- style-src 'unsafe-inline' weakens XSS mitigation: nginx.conf:18
- node_modules/serialize-javascript (workbox-build dep)
- Cookie written without Secure or SameSite flags: src/components/ui/sidebar.tsx:68
- Cache-Control: no-store on auth API responses; needs server-side check
- .env.production and .env.development committed to git (contain VITE_API_URL only; no secrets currently, but sets a bad precedent): .env.production, .env.development
- package.json devDependencies

## Top 3 fixes
- Upgrade react-router-dom to ≥6.30.4 (`npm install react-router-dom@latest`).
- Remove the .orig file from git: `git rm src/lib/api.ts.orig`, then purge it from history with `git filter-repo` so the old localStorage token pattern is gone.

## Evidence (Critical/High only)

### H1: JWT in sessionStorage

Location: src/lib/api.ts:42-53, src/contexts/AuthContext.tsx:73-76

```ts
const _SESSION_KEY = "lima_access_token";
sessionStorage.setItem(_SESSION_KEY, token);
```

### H2: .orig backup with localStorage token pattern committed

Location: src/lib/api.ts.orig:22-33 (tracked by git: confirmed via `git ls-files`)

```ts
const TOKEN_KEY = "lima_token";
localStorage.getItem(TOKEN_KEY);
localStorage.setItem(TOKEN_KEY, token);
```

Fix: `git rm src/lib/api.ts.orig && git filter-repo --path src/lib/api.ts.orig --invert-paths`

### H3: react-router open redirect
Location: node_modules/react-router <6.30.4 (GHSA-2j2x-hqr9-3h42)

`<Navigate to="//attacker.example" />` or `useNavigate()("//attacker.example")`: the browser reinterprets the path as a protocol-relative URL and leaves the app origin.

Fix: `npm install react-router-dom@latest` (≥6.30.4).

## Verified safe

- No secrets in committed env files (.env.production contains only the public VITE_API_URL, not keys)
- CORS origins explicitly listed (limaimpro.duckdns.org, localhost variants) with allow_credentials=True; no wildcard reflection
- HSTS (max-age=31536000; includeSubDomains) on both nginx and backend middleware
- X-Frame-Options: DENY and frame-ancestors 'none' in CSP; clickjacking protected
- X-Content-Type-Options: nosniff present
- dangerouslySetInnerHTML in chart.tsx uses only hardcoded dev-time config (CSS color strings), not server data
- JWT secret validated (validate_jwt_secret validator)
- No eval() or document.write() in source
- No rehype-raw; no HTML passthrough risk

## Needs server-side verification
- Cookie flags (HttpOnly, Secure, SameSite=Strict/Lax) on auth cookies set by the FastAPI backend (Railway-hosted, not audited here)
- Cache-Control: no-store on /auth/* and /api/* responses from the backend
- Rate limiting on /auth/login (slowapi present in backend, thresholds not reviewed)
- CSP default-src 'none' for the API (verify in prod response)
- VITE_SENTRY_DSN baked into the bundle at build time; confirm it is intentionally public or rotate it if leaked

## Tools

ran=npm-audit, curl-headers, curl-cors, curl-sensitive-file-probe, openssl-tls; skipped=none
Generated by Claude Code
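Added example for the H3 finding (not code from the lima-app repo or the report): an app-level check for user-supplied return paths before they reach `navigate()` or `<Navigate to>`, so that `//host` and `/\host` values resolve against a placeholder app origin and are rejected by origin comparison. It complements the react-router-dom ≥6.30.4 upgrade rather than replacing it; `APP_ORIGIN` is an assumed placeholder.

```typescript
// Added example, not part of the lima-app code base. Validates a
// "return to" path (e.g. a ?returnTo= query parameter) before it is
// passed to react-router's navigate() / <Navigate to>.

// Assumed placeholder for the app's deployed origin. It is only the base
// for relative resolution, so it does not need to be the real hostname.
const APP_ORIGIN = "https://app.example.invalid";

/** True if `input` resolves to a path on APP_ORIGIN and nowhere else. */
function isSafeReturnPath(input: string): boolean {
  // Only absolute in-app paths are accepted; "dashboard" (no leading
  // slash) would resolve relative to the current page.
  if (!input.startsWith("/")) return false;
  // Explicit rejection of protocol-relative forms. The WHATWG parser treats
  // "\" like "/" for http(s), so "/\host" is the same trick as "//host".
  if (input.startsWith("//") || input.startsWith("/\\")) return false;
  try {
    const resolved = new URL(input, APP_ORIGIN);
    // The real guard: any scheme or host change ("https://...", "//...",
    // "javascript:...") shows up as a different origin ("null" for opaque
    // schemes), regardless of how it was spelled.
    return resolved.origin === APP_ORIGIN;
  } catch {
    return false; // unparseable input is never a safe target
  }
}

/** Path safe to hand to navigate(), or `fallback` if `input` is not. */
function safeReturnPath(
  input: string | null | undefined,
  fallback = "/",
): string {
  if (!input || !isSafeReturnPath(input)) return fallback;
  const u = new URL(input, APP_ORIGIN);
  // Re-serialise from the parsed URL so the value navigated to is exactly
  // the one that was checked (normalises ".." segments and stray whitespace).
  return u.pathname + u.search + u.hash;
}
```

Use the returned value as the `to` argument; the fallback keeps a login flow working when the supplied path is rejected.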