Skip to content

Security audit β€” 2026-06-25#74

Open
versila22 wants to merge 1 commit into
devfrom
security-audit-2026-06-25
Open

Security audit β€” 2026-06-25#74
versila22 wants to merge 1 commit into
devfrom
security-audit-2026-06-25

Conversation

@versila22

Copy link
Copy Markdown
Owner

Pentest mini-report β€” versila22/lima-app β€” 2026-06-25

Probed URL: https://limaimpro.duckdns.org/
Stack: Vite + React SPA / npm / PWA=yes / Python FastAPI backend (Railway)
Counts: Critical=0 High=1 Medium=2 Low=2 Info=3

Findings

Sev Cat Title Location
High SAST Seed admin credentials run on every startup β€” no production guard backend/app/main.py:53,135
Medium SAST npm runtime open-redirect in react-router (GHSA-2j2x-hqr9-3h42) package.json β†’ react-router <6.30.4
Medium SAST 5 high-severity npm vulns in build toolchain (babel, serialize-javascript, undici) package.json
Low SAST unsafe-inline in CSP style-src nginx.conf:16
Low SAST Default JWT secret literal in source code backend/app/config.py:8
Info DAST DAST skipped β€” proxy policy denied connections to limaimpro.duckdns.org live URL
Info Infra PWA NetworkFirst API cache (60 min TTL) may briefly serve stale revoked data vite.config.ts:runtimeCaching
Info SAST Default DB credential lima:password in source (default only, must be overridden) backend/app/config.py:23

Top 3 fixes

  1. Seed admin credentials β€” gate _ensure_seed_data() behind if settings.APP_ENV == 'development': return to prevent it from running against the production DB.
  2. react-router open redirect β€” upgrade react-router to β‰₯6.30.4 (npm update react-router react-router-dom).
  3. npm high-severity vulns β€” run npm audit fix; review undici and fast-uri for runtime exposure; pin vitest β‰₯3.2.6 (GHSA-5xrq).

Evidence (Critical/High only)

High β€” Seed admin credentials in production (SAST)

  • Location: backend/app/main.py:53,135
  • Snippet: {"email": "admin@lima-impro.fr", ..., "password": "Admin1234!", "app_role": "admin"} β€” called unconditionally by lifespan() on every container start.
  • Impact: If the production PostgreSQL DB is ever wiped/migrated fresh, the admin account is created with a public, predictable password; attacker with source access can log in immediately.
  • Fix: Add if settings.APP_ENV != "development": return at the top of _ensure_seed_data().

Verified safe

  • CORS: fixed whitelist, allow_credentials=True, no reflection β€” safe.
  • No XSS sinks (dangerouslySetInnerHTML, innerHTML, eval) found in frontend source.
  • No secrets or private keys committed to source (grep scan clean).
  • Backend has robust SecurityHeadersMiddleware (HSTS, nosniff, X-Frame-Options, strict CSP for API).
  • Frontend nginx.conf has HSTS, X-Content-Type-Options, X-Frame-Options, Permissions-Policy.
  • Auth endpoints rate-limited (5/min login, 3/min password reset) via slowapi.
  • JWT_SECRET validation: runtime validator raises ValueError if default secret used outside development.
  • PWA: VitePWA autoUpdate, SW scope /, no VAPID_PRIVATE client-side, tokens not in localStorage.

Needs server-side verification

  • TLS version support (TLS 1.0/1.1 disabled?) β€” proxy blocked live connection.
  • HTTP security headers as actually served β€” nginx.conf looks correct but cannot verify live response.
  • Cookie flags (Secure/HttpOnly/SameSite) on session/refresh tokens.
  • Whether APP_ENV=production is correctly set on Railway deployment.

Tools

ran=npm-audit, grep-secret-scan; skipped=curl-headers(proxy policy denied), curl-CORS(proxy policy denied), curl-sensitive-files(proxy policy denied), openssl-tls(proxy policy denied)


Generated by Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant