Security audit - 2026-06-26 #75
versila22 wants to merge 1 commit into
…-06-05) Adds automated security audit report for 2026-06-26. Findings: Critical=1 (seed admin in prod), High=3 (JWT default secret, sessionStorage token, vitest CVSS 9.8), Medium=2 (SCA chain, committed .env.production + api.ts.orig), Low=2 (PWA cache, TLS cert expiry). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013HkXjCZ39ZcFtSDY27x6uL
Pentest mini-report - lima-app - 2026-06-26
Probed URL: https://limaimpro.duckdns.org/
Stack: React 18 + Vite 7 / npm (bun.lock also present) / PWA=yes (vite-plugin-pwa, autoUpdate)
Counts: Critical=1 High=3 Medium=2 Low=2 Info=3
Findings
| Severity | Finding | Location |
| --- | --- | --- |
| Critical | Hardcoded seed admin | `backend/app/main.py:53-135` |
| High | Default JWT secret (`insecure_dev_secret_change_me`) with no startup guard in dev | `backend/app/config.py:10` |
| High | `sessionStorage` Bearer token (XSS-reachable) as Safari workaround | `src/lib/api.ts:42-53` |
| High | vitest GHSA-5xrq-8626-4rwp (CVSS 9.8) | `package.json` |
| Medium | SCA chain | `package.json` |
| Medium | `.env.production` and `src/lib/api.ts.orig` committed to git (production API URL + old token-in-localStorage code leak) | `.env.production`, `src/lib/api.ts.orig` |
| Low | PWA cache `**/*.{js,css,html}` with no exclusion of auth routes; stale authenticated UI could be served offline | `vite.config.ts: workbox.globPatterns` |
| Low | TLS cert expiry: `notAfter=Jul 26 03:04:00 2026 GMT` | `https://limaimpro.duckdns.org/` |
| Info | `dangerouslySetInnerHTML` in chart.tsx injects developer-controlled CSS custom properties (not user input); low exploitability | `src/components/ui/chart.tsx:70` |
| Info | `react-markdown` used without `rehype-sanitize`; safe as long as content comes from API, not user-supplied raw HTML | `src/components/cabaret/PlanPreview.tsx:98` |

Top 3 fixes

1. Put `_ensure_seed_data()` behind `if settings.is_development:` and rotate the `admin@lima-impro.fr` password immediately on the production DB.
2. `model_validator` already blocks production startup when `APP_ENV != development`; confirm `APP_ENV=production` and a strong `JWT_SECRET`/`REFRESH_JWT_SECRET` are set in Railway env vars, then remove the weak default string from source.
3. Run `npm audit fix` (overrides in package.json already handle serialize-javascript, fast-uri, and @babel/plugin-transform-modules-systemjs; bump vitest to a `>=3.x` patched release).

Evidence (Critical/High only)
[Critical] Hardcoded seed admin - `backend/app/main.py:53`

```
{"email": "admin@lima-impro.fr", "app_role": "admin", "password": "Admin1234!", ...}
```

`_ensure_seed_data()` is called unconditionally on every startup. On a fresh production DB it creates a known admin credential. Impact: full admin takeover of production. Fix: wrap the call in `if settings.is_development: ...`.

[High] Default JWT secret - `backend/app/config.py:10`

Guard only raises when `APP_ENV != development`; if the env var is missing or misconfigured, tokens can be forged. Impact: authentication bypass. Fix: verify the Railway `JWT_SECRET` env var is set; add a secret-length validator (>=32 chars).

[High] sessionStorage Bearer token - `src/lib/api.ts:42-53`

Any XSS (including via a future vulnerable dependency) can exfiltrate the token. Impact: session hijack without cookie theft. Fix: consider short-lived tokens + PKCE-style refresh, or document accepted risk with monitoring.
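As an added example (not the project's own `backend/app/config.py`), a plain-Python startup guard implementing the Critical and first High fix above: refuse to boot with a missing, default or short `JWT_SECRET`/`REFRESH_JWT_SECRET` in every environment (no dev fallback), and gate `_ensure_seed_data()` to development. The `is_development` semantics and `VALID_ENVS` are assumptions; the project's pydantic `model_validator` is not reproduced here.

```python
"""Startup guard for the seed-admin and default-JWT-secret findings (added
example, not the project's code): secrets are required in every environment,
the known default string is rejected outright, and seeding is dev-only."""
import secrets

# Weak default quoted by the report as shipped in source.
KNOWN_WEAK_DEFAULT = "insecure_dev_secret_change_me"
MIN_SECRET_LEN = 32                     # report's recommended minimum
SECRET_VARS = ("JWT_SECRET", "REFRESH_JWT_SECRET")
VALID_ENVS = ("development", "production")   # assumed set of APP_ENV values


def is_development(env: dict) -> bool:
    """Stand-in for the report's `settings.is_development` (assumed: APP_ENV == 'development')."""
    return env.get("APP_ENV") == "development"


def config_problems(env: dict) -> list[str]:
    """List every reason the backend must refuse to start; empty means OK.
    Unlike a validator that only raises when APP_ENV != development, there is
    no fallback default here, so a missing or weak secret fails in dev too."""
    problems = []
    app_env = env.get("APP_ENV")
    if app_env not in VALID_ENVS:
        problems.append(f"APP_ENV must be one of {VALID_ENVS}, got {app_env!r}")
    for var in SECRET_VARS:
        value = env.get(var, "")
        if not value:
            problems.append(f"{var} is not set")
        elif value == KNOWN_WEAK_DEFAULT:
            problems.append(f"{var} is the source-code default string")
        elif len(value) < MIN_SECRET_LEN:
            problems.append(f"{var} is shorter than {MIN_SECRET_LEN} characters")
    return problems


def seed_allowed(env: dict) -> bool:
    """Gate for `_ensure_seed_data()`: the known admin credential is only
    created in a development environment that already passed the guard."""
    return is_development(env) and not config_problems(env)


def new_secret() -> str:
    """Generate a value that satisfies the guard (43 URL-safe chars from 32 random bytes)."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    # Constructed sample environments, not values from the real deployment.
    prod_bad = {"APP_ENV": "production", "JWT_SECRET": KNOWN_WEAK_DEFAULT}
    prod_ok = {"APP_ENV": "production", "JWT_SECRET": new_secret(),
               "REFRESH_JWT_SECRET": new_secret()}
    for name, env in (("prod_bad", prod_bad), ("prod_ok", prod_ok)):
        print(name, config_problems(env) or "OK", "seed:", seed_allowed(env))
```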
[High] vitest GHSA-5xrq-8626-4rwp (CVSS 9.8)

Package: `vitest` (devDependency). Vitest UI server allows arbitrary file read/exec. Impact: CI/CD pipeline compromise if Vitest UI is exposed. Fix: `npm audit fix` or pin vitest to a `>=3.x` patched release.

Verified safe
- No `eval()` calls found in source.
- No `postMessage` handlers without origin check (no postMessage usage found).
- `VITE_SENTRY_DSN` and `VITE_API_URL` are the only `VITE_*` vars; no sensitive secrets baked into the bundle.
- CSP `script-src 'self'` (no `unsafe-eval`/`unsafe-inline` for scripts).
- `X-Frame-Options: DENY`, `X-Content-Type-Options: nosniff`, HSTS, and Referrer-Policy headers present in nginx config.
- API docs (`/docs`, `/redoc`) disabled in production via the `is_development` guard.
- `dangerouslySetInnerHTML` in chart.tsx uses only internal theme config (not user input).

Needs server-side verification
- Whether the `admin@lima-impro.fr` seed account actually exists on the production DB (password change needed if it does).
- `JWT_SECRET` is set to a strong value distinct from the source-code default.
- `APP_ENV=production` is set correctly in the Railway deployment.

Tools
ran=npm-audit, grep-secret-scan, openssl-tls-dates, openssl-tls-protocols, source-file-analysis
skipped=curl-http-headers (403 proxy block), curl-cors-test (403 proxy block), curl-sensitive-file-probe (connection failed; all returned HTTP 000)
Generated with Claude Code
https://claude.ai/code/session_013HkXjCZ39ZcFtSDY27x6uL