Security audit - 2026-06-10 #46
Open
versila22 wants to merge 1 commit into
…-05-20) No prior reports to clean up (first run).
Pentest mini-report - versila22/lima-app - 2026-06-10
Probed URL: https://limaimpro.duckdns.org/
Stack: React 18 + Vite 7 / npm (bun.lock also present) / PWA=yes (vite-plugin-pwa workbox, autoUpdate)
Counts: Critical=2 High=4 Medium=7 Low=5 Info=0
Findings
- react-router open redirect via `//` prefix (GHSA-2j2x-hqr9-3h42) → react-router-dom ~6.30.1
- `/health/migrations` leaks traceback + DB URL prefix, unauthenticated
- `/assets/` block drops all security headers (add_header inheritance gap)
- preload directive
- `api.ts.orig` (localStorage token storage) committed to repo
- `lovable.app` → unintended cross-origin credential acceptance
- `img-src https:` in CSP is overly permissive (wildcard HTTPS origin)

Top 3 fixes
1. Rotate R2 access key `85ac3f95ea5bb38cb2a4575909d12cae` in the Cloudflare dashboard immediately; purge it from git history with `git filter-repo`
2. `npm update vitest react-router-dom` (vitest ≥3.2.6, react-router-dom ≥6.30.4)
3. Read the client IP from `X-Real-IP` or the last IP in the `X-Forwarded-For` chain rather than the first (attacker-controlled) value

Evidence (Critical/High only)
C1 - R2 credentials in source
- `backend/scripts/_archive/migrate_local_to_r2.py:11-12`
- `aws_access_key_id="85ac3f95ea5bb38cb2a4575909d12cae", aws_secret_access_key="efaf5aab9b029..."`
- Fix: `git filter-repo --path backend/scripts/_archive/migrate_local_to_r2.py --invert-paths` and force-push all remotes

C2 - vitest GHSA-5xrq-8626-4rwp (CVSS 9.8)
- `package.json` → vitest ~3.2.4 (fix: ≥3.2.6)
- `"vitest": "^3.2.4"` → missing auth check allows arbitrary file read/exec when the UI server is listening
- Exposed when run as `vitest --ui` (CI runners, developer machines)
- Fix: `npm update vitest`

H1 - JWT in sessionStorage
- `src/lib/api.ts:44-53`, `src/contexts/AuthContext.tsx:74-77`
- `sessionStorage.setItem(_SESSION_KEY, token)` → bearer token stored as Safari cross-origin fallback

H2 - Hardcoded seed passwords
- `backend/app/main.py:54-62`
- `"password": "Admin1234!"` (admin), `"password": "Password1!"` (8 members)

H3 - react-router open redirect (GHSA-2j2x-hqr9-3h42)
- `package.json` → react-router-dom ~6.30.1 (fix: ≥6.30.4)
- `//attacker.example` path treated as a protocol-relative URL by affected versions
- Exploitable via `?next=//attacker.example` links if any app flow reads the redirect target from query params
- Fix: `npm update react-router-dom`

H4 - Rate limit X-Forwarded-For spoofing
- `backend/app/limiting.py:14-16`
- `X-Forwarded-For` read without trusted-proxy validation (first value is attacker-controlled)
- Fix: use `X-Real-IP` or the last hop in `X-Forwarded-For`

Verified safe

Needs server-side verification
- Whether the reverse proxy sets `X-Real-IP` reliably (affects H4 fix approach)

Tools
ran=npm-audit, grep-secrets, curl-headers, curl-cors, curl-sensitive-files, openssl-tls; skipped=none
Generated by Claude Code
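The H4 fix and its "needs server-side verification" caveat, as an added example rather than code from the lima-app repository or from the report above: the spoofable first-entry read beside a resolver that only honours forwarding headers from a trusted proxy and walks `X-Forwarded-For` from the right. The trusted proxy ranges, the `proxy_sets_real_ip` flag and every request below are assumed or constructed for the demonstration.

```python
"""Client-IP resolution behind a reverse proxy (report finding H4).

client_ip_naive() is the flagged pattern; client_ip_trusted() is a hardened
replacement. Added example; TRUSTED_PROXY_NETS and the sample requests are
assumed/constructed, not taken from the audited deployment.
"""
import ipaddress
from typing import Mapping, Optional

# Assumed deployment parameter: networks the reverse proxy / load balancer
# connects from. Any other TCP peer is treated as a direct, unproxied client.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def _parse_ip(value: str) -> Optional[str]:
    """Normalise one header entry; None for ports, brackets, garbage, empty."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def _is_trusted_proxy(addr: str) -> bool:
    ip = _parse_ip(addr)
    return ip is not None and any(
        ipaddress.ip_address(ip) in net for net in TRUSTED_PROXY_NETS)


def client_ip_naive(headers: Mapping[str, str], peer_ip: str) -> str:
    """Flagged pattern: the leftmost X-Forwarded-For entry is whatever the
    client sent, so a caller chooses its own rate-limit bucket."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip_trusted(headers: Mapping[str, str], peer_ip: str,
                      proxy_sets_real_ip: bool = False) -> str:
    """Hardened resolution.

    1. If the TCP peer is not a trusted proxy, nothing we trust set the
       forwarding headers: return the peer address and ignore them.
    2. Only if the proxy is known to overwrite X-Real-IP with its own
       $remote_addr is that header safe to use; a proxy that merely passes it
       through forwards a client-chosen value. That is the open item the
       report lists under "needs server-side verification", so it is opt-in.
    3. Otherwise walk X-Forwarded-For from the right: each trusted proxy
       appends the address it saw, so the rightmost entry that is not itself
       a trusted proxy is the real client. Entries left of it are
       client-supplied. A malformed entry falls back to the peer address.
    """
    if not _is_trusted_proxy(peer_ip):
        return peer_ip
    if proxy_sets_real_ip:
        real = _parse_ip(headers.get("X-Real-IP", ""))
        if real is not None:
            return real
    for entry in reversed(headers.get("X-Forwarded-For", "").split(",")):
        ip = _parse_ip(entry)
        if ip is None:
            return peer_ip
        if not _is_trusted_proxy(ip):
            return ip
    return peer_ip


# Constructed requests as the app sees them. Real client 203.0.113.9 sends its
# own "X-Forwarded-For: 1.2.3.4"; the proxy at 10.0.0.5 appends what it saw.
SPOOF_VIA_PROXY = ({"X-Forwarded-For": "1.2.3.4, 203.0.113.9"}, "10.0.0.5")
# Same client connects straight to the app, bypassing the proxy.
SPOOF_DIRECT = ({"X-Forwarded-For": "1.2.3.4"}, "198.51.100.7")
# Two trusted hops (10.0.0.5 then 10.0.0.6) in front of the app.
TWO_HOPS = ({"X-Forwarded-For": "1.2.3.4, 203.0.113.9, 10.0.0.5"}, "10.0.0.6")
# Rightmost entry is not a bare address.
MALFORMED = ({"X-Forwarded-For": "203.0.113.9:443"}, "10.0.0.5")
# Client-supplied X-Real-IP passed through unchanged by the proxy.
REAL_IP_PASSTHROUGH = (
    {"X-Real-IP": "1.2.3.4", "X-Forwarded-For": "203.0.113.9"}, "10.0.0.5")


def compare(headers: Mapping[str, str], peer_ip: str, **kw) -> dict:
    """Side-by-side result of both resolvers for one request."""
    return {"naive": client_ip_naive(headers, peer_ip),
            "trusted": client_ip_trusted(headers, peer_ip, **kw)}


if __name__ == "__main__":
    cases = {"spoof via proxy": SPOOF_VIA_PROXY, "spoof direct": SPOOF_DIRECT,
             "two hops": TWO_HOPS, "malformed": MALFORMED,
             "x-real-ip passthrough": REAL_IP_PASSTHROUGH}
    for name, (hdrs, peer) in cases.items():
        print(f"{name:22s} {compare(hdrs, peer)}")
    # Setting proxy_sets_real_ip=True when the proxy does NOT set the header
    # reintroduces the spoof; the flag must match the verified proxy config.
    print("passthrough, flag on  ",
          compare(*REAL_IP_PASSTHROUGH, proxy_sets_real_ip=True))
```

The last case is the point of the report's open item: enabling the `X-Real-IP` path before confirming that the proxy overwrites the header hands the attacker the same control the first-entry read did, so the resolver should default to the right-to-left `X-Forwarded-For` walk until that is verified.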