Security audit - 2026-06-14 #62
Open
versila22 wants to merge 1 commit into
Pentest mini-report - versila22/lima-app - 2026-06-14
Probed URL: https://limaimpro.duckdns.org/
Stack: React 18 + Vite / npm / PWA=yes (VitePWA autoUpdate, workbox NetworkFirst on API) + Python FastAPI backend
Counts: Critical=0 High=1 Medium=2 Low=1 Info=3
Findings
(findings table flattened by extraction; the severity and title columns were lost, the location and note columns are listed in their original order)
- backend/app/main.py:54 - hardcoded admin credentials (High; see Evidence below)
- package.json (devDeps)
- nginx.conf:16 - style-src 'unsafe-inline' allows injected inline styles
- backend/app/main.py:211-237 - /health/db and /health/migrations leak DB URL prefix + migration tracebacks
- vite.config.ts:55-70
- limaimpro.duckdns.org:443
Top 3 fixes
1. Replace _SEED_MEMBERS with hashed values or move seed to a CLI command using env-injected credentials; rotate the Admin1234! password immediately if seeded in production.
2. npm audit fix or pin vitest ≥ 3.x, vite ≥ 6.3.4, esbuild ≥ 0.25.3; these don't affect the production bundle but compromise CI/build environments.
3. Replace 'unsafe-inline' in style-src with a nonce or hash; Tailwind's JIT/purge output is already static - no dynamic inline styles needed in production.
Evidence (Critical/High only)
[High] Hardcoded admin credentials - backend/app/main.py:54
Impact: Anyone with read access to the repo obtains the production admin password; if seeded into prod, immediate admin-level account takeover possible.
Fix: Remove plaintext passwords from source; seed via SEED_ADMIN_PASSWORD env var or a one-time CLI script; rotate credentials if already seeded to prod.
Verified safe
- No dangerouslySetInnerHTML, innerHTML=, or eval() usage in frontend source
- allow_credentials=True - correctly restricted (settings.is_development guard)
- .env.production contains only a non-sensitive VITE_API_URL - no secrets tracked
Needs server-side verification
- Admin1234!/Password1! credentials have been changed in the live DB (or seed was never triggered in prod)
- /health/db and /health/migrations endpoints are not publicly reachable without authentication in production (rate-limit or IP-restrict them)
Tools
ran=npm-audit, grep-secrets, openssl-tls; skipped=curl-DAST (host_not_allowed from audit environment - Anthropic egress proxy blocks outbound to duckdns.org)
Generated by Claude Code
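Worked example for the High finding: a seed routine that takes the admin password from the SEED_ADMIN_PASSWORD env var named in the Fix, stores only an scrypt hash, and refuses the two leaked defaults the report lists. This is an added illustration, not code from versila22/lima-app; the `_SEED_MEMBERS` shape in the comment is paraphrased, and the in-memory `db` dict, the `admin` username, the `role` field and the 12-character minimum are assumptions. It uses only the standard library, so it runs without FastAPI or a database.

```python
"""Hardened admin seeding (added example, not lima-app's own code).
Reads SEED_ADMIN_PASSWORD, stores an scrypt hash and refuses leaked defaults.
The in-memory `db` dict stands in for the real users table (assumption)."""
import hashlib
import hmac
import os
import secrets
from typing import Mapping, Optional

# Before (shape of the pattern the report flags at backend/app/main.py:54,
# paraphrased; the real line is not reproduced here):
#   _SEED_MEMBERS = [{"username": "admin", "password": "Admin1234!"}]

# Passwords the report names as leaked; seeding must never accept them.
KNOWN_LEAKED_PASSWORDS = {"Admin1234!", "Password1!"}
MIN_PASSWORD_LENGTH = 12  # assumed policy, not taken from the report

# scrypt cost for hashlib.scrypt: memory is 128*n*r*p bytes = 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt hex>$<digest hex>'; only this string is stored."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a password against a hash_password() string."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed stored value: treat as a failed login
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, expected)


class SeedError(RuntimeError):
    """Raised instead of silently falling back to a baked-in password."""


def seed_admin(db: dict, env: Mapping[str, str] = os.environ,
               username: str = "admin") -> bool:
    """Create the admin row from SEED_ADMIN_PASSWORD.

    Returns True if a row was written, False if the user already exists
    (an existing, possibly rotated, password is never overwritten).
    Raises SeedError when the env var is missing, leaked or too short.
    """
    if username in db:
        return False
    password = env.get("SEED_ADMIN_PASSWORD")
    if not password:
        raise SeedError("SEED_ADMIN_PASSWORD is not set; refusing to seed a default")
    if password in KNOWN_LEAKED_PASSWORDS:
        raise SeedError("SEED_ADMIN_PASSWORD is one of the leaked defaults; choose a new one")
    if len(password) < MIN_PASSWORD_LENGTH:
        raise SeedError(f"SEED_ADMIN_PASSWORD is shorter than {MIN_PASSWORD_LENGTH} characters")
    # Only the hash reaches storage; the plaintext lives in the process env only.
    db[username] = {"password_hash": hash_password(password), "role": "admin"}
    return True


if __name__ == "__main__":
    users = {}
    # Constructed demo input; in deployment the value comes from the real env.
    seed_admin(users, {"SEED_ADMIN_PASSWORD": "correct horse battery staple"})
    print(users["admin"]["password_hash"][:24] + "...")
```

Run it once from a CLI command at deploy time rather than on every app start, so an operator has to supply the value deliberately. Hosts that were already seeded with Admin1234! still need the password rotated in the live DB, as the "Needs server-side verification" section says; this routine deliberately does not overwrite an existing row.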