diff --git a/security/pentest-2026-06-16.md b/security/pentest-2026-06-16.md new file mode 100644 index 0000000..2c7d6b6 --- /dev/null +++ b/security/pentest-2026-06-16.md @@ -0,0 +1,60 @@ +# Pentest mini-report — versila22/lima-app — 2026-06-16 + +**Probed URL:** https://limaimpro.duckdns.org/ +**Stack:** React 18 + Vite 7 / npm / PWA=yes (vite-plugin-pwa, workbox autoUpdate) +**Backend:** FastAPI (Python) on Railway · nginx SPA proxy in Docker +**Counts:** Critical=0 High=2 Medium=1 Low=2 Info=1 + +## Findings + +| Sev | Cat | Title | Location | +|---|---|---|---| +| High | DAST | CSP style-src unsafe-inline | nginx.conf:12 | +| High | SCA | vitest <3.2.6 — arbitrary file read/execute via UI server (GHSA-5xrq-8626-4rwp) | package.json / vitest@3.2.4 (devDep) | +| Medium | SCA | react-router 6.30.3 open redirect via `//`-prefixed path (GHSA-2j2x-hqr9-3h42) | package.json / react-router@6.30.3 | +| Low | SAST | JWT access token stored in sessionStorage (Safari cross-origin cookie workaround) | src/lib/api.ts:45 | +| Low | Info | Leftover dev artifacts committed to repo (api.ts.orig, api_upload.patch) | src/lib/api.ts.orig, src/lib/api_upload.patch | +| Info | Infra | Default FRONTEND_URL (`improv-cabaret-planner.lovable.app`) injected into CORS allowlist when env var is unset | backend/app/config.py:36 | + +## Top 3 fixes +1. **CSP unsafe-inline style-src** — Replace `'unsafe-inline'` with CSS hashes/nonces or move to external stylesheets to prevent CSS injection. +2. **react-router open redirect** — Upgrade `react-router-dom` to ≥6.30.4 (already near the boundary — single patch bump). +3. **vitest devDep** — Upgrade `vitest` to ≥3.2.6; the Vitest UI server (`vitest --ui`) should never be exposed on a shared/CI host. + +## Evidence (Critical/High only) + +**CSP unsafe-inline style-src** · nginx.conf:12 +``` +style-src 'self' 'unsafe-inline'; +``` +Allows attacker-controlled inline `
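Review bot: the hunk is cut off mid-sentence in the Evidence section ("Allows attacker-controlled inline `"), so although the header says "Evidence (Critical/High only)", only the CSP finding has any evidence in what is visible and the second High (vitest <3.2.6, GHSA-5xrq-8626-4rwp) has none; please complete the file so both High findings carry their evidence block, and check the `@@ -0,0 +1,60 @@` line count against the finished file. Two smaller consistency points in the same hunk: the findings table lists the package as `react-router@6.30.3` while fix #2 tells the reader to upgrade `react-router-dom`, so name the same package in both places (or state both if both are pinned); and the "Top 3 fixes" order does not follow the severity column (fix #2 is the Medium react-router item, fix #3 is the High vitest item), so either reorder to High, High, Medium or say explicitly that the list is ordered by effort rather than severity. Finally, "Info" appears both as a severity and as a value in the Cat column (the "Low | Info" row), which reads as a category-column typo; "Hygiene" or "Repo" would avoid the clash.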