Security audit – 2026-06-30 (#79)
versila22 wants to merge 1 commit into
…-06-09) Critical=1 High=4 Medium=3 Low=2 Info=2
New findings: vitest RCE (GHSA-5xrq-8626-4rwp), user enumeration, X-Forwarded-For rate-limit bypass, unbounded base64 photo upload, react-router open redirect (GHSA-2j2x-hqr9-3h42).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018PAhc6W5WwV24qacqWB6ao
Security audit – 2026-06-30
Probed URL: https://limaimpro.duckdns.org/
Stack: React 18 / Vite 7 / shadcn-ui / FastAPI (Python) / PostgreSQL / npm / PWA=yes
Counts: Critical=1 High=4 Medium=3 Low=2 Info=2
Findings
- package.json: vitest@3.2.4 (GHSA-5xrq-8626-4rwp)
- backend/app/routers/auth.py:64-70
- backend/app/limiting.py:14-16
- backend/app/routers/members.py (/photo-data endpoint)
- package.json: react-router@6.30.3 (GHSA-2j2x-hqr9-3h42)
- nginx.conf:14: style-src 'unsafe-inline' weakens XSS protection
- backend/requirements.txt
- package.json: serialize-javascript@6.0.2 (devDep)
- nginx.conf:15: preload directive
- backend/app/routers/auth.py

Top 3 fixes
1. Collapse the distinct login error messages in the _AUTH_MESSAGES dict in backend/app/routers/auth.py into a single generic one.
2. Replace forwarded_for.split(",")[0].strip() with the rightmost untrusted IP or use a trusted-proxy list; alternatively use slowapi's get_remote_address key function, which reads request.client.host.
3. Add a size check (if len(payload.data) > 500_000: raise HTTPException(413)) in upload_member_photo_data before the DB write.

Evidence (Critical/High only)
[CRITICAL] Vitest UI – arbitrary file read/execute
Where: package.json devDependency vitest@3.2.4 (GHSA-5xrq-8626-4rwp, fixed in 3.2.6)
Evidence: "vitest": "^3.2.4" – installed version is 3.2.4
Impact: if vitest --ui is inadvertently exposed (e.g., dev server port open), any file on the host can be read or executed by a remote attacker.
Fix: npm update vitest to >=3.2.6; confirm the vitest UI port is never reachable from the internet in CI/CD.

[HIGH] User enumeration via distinct login error messages
Where: backend/app/routers/auth.py lines 62-72
Evidence: "email_not_found": "Aucun compte trouvé pour cet email.", "wrong_password": "Mot de passe incorrect.", ...
Fix: return the single generic message "Identifiants invalides." regardless of which check failed.

[HIGH] Rate-limit bypass via X-Forwarded-For spoofing
Where: backend/app/limiting.py lines 14-16
Evidence: forwarded_for = request.headers.get("X-Forwarded-For"); return forwarded_for.split(",")[0].strip()
Impact: a client can set the X-Forwarded-For header to rotate its apparent source IP, bypassing the 5/min login rate limit and enabling unlimited brute-force.
Fix: take the rightmost untrusted entry of X-Forwarded-For (trusted-proxy list), or switch the key function to get_remote_address and configure Railway to strip/inject the header reliably.

[HIGH] Unbounded base64 photo stored in DB
Where: backend/app/routers/members.py – upload_member_photo_data endpoint (POST /members/{id}/photo-data)
Evidence: member.photo_url = payload.data with no size check after startswith("data:image/")
Impact: arbitrarily large base64 strings are written to the photo_url column, causing DB bloat, OOM on the API process, and potential DoS.
Fix: bound the size of payload.data before persisting; consider moving all photos to R2 exclusively.

[HIGH] react-router open redirect
Where: package.json – react-router-dom@6.30.3 (GHSA-2j2x-hqr9-3h42, fixed in 6.30.4)
Evidence: react-router-dom: ^6.30.1 – installed 6.30.3; paths starting with // are reinterpreted as protocol-relative URLs.
Impact: a link such as https://app/#//evil.com/path makes react-router redirect the user to //evil.com, enabling phishing.
Fix: npm update react-router-dom to >=6.30.4.

Verified safe
- .ts/.tsx/.js/.jsx source: all keys come from VITE_-prefixed env vars.
- No dangerouslySetInnerHTML, innerHTML =, or eval() found in React frontend source.
- No postMessage usage that could allow cross-origin message injection.
- API docs (/docs, /redoc) disabled in production.
- require_admin dependency in place.
- Sensitive-path probe (.env, .git/config, backup.zip): all non-200.
- python-jose JWT decode uses explicit algorithms= – alg:none mitigated.
- X-Frame-Options: DENY and X-Content-Type-Options: nosniff set.
- allow_origins is an explicit list, not a wildcard.

Needs server-side verification
- Railway strips/injects X-Forwarded-For before it reaches the API.
- APP_ENV=production on Railway, so validate_jwt_secret rejects the default JWT secret at startup.
- REFRESH_JWT_SECRET is distinct from JWT_SECRET in Railway env vars.

Tools
Ran: npm-audit, openssl-s_client (TLS), curl (HTTP headers/sensitive-path probe), grep/find (SAST), manual code review
Skipped: pnpm-audit (not installed), yarn-audit (not installed), safety-check (network-blocked), nmap/nikto (not installed)
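The second and third items under Top 3 fixes (a proxy-aware rate-limit key for X-Forwarded-For, and a bounded photo data URL) as one worked example. This is added here and is not code from the audited repository: the trusted-proxy range, the accepted image types and the 500_000-byte cap are assumptions, and the slowapi-style key-function wrapper is duck-typed so it runs without FastAPI installed.

```python
"""Proxy-aware rate-limit key and bounded data-URL photo validation.

Added example for the audit's Top 3 fixes 2 and 3; not code from the audited
repository. TRUSTED_PROXIES, ALLOWED_IMAGE_MAGIC and MAX_PHOTO_DATA_BYTES are
assumptions, not values taken from the deployment.
"""
import base64
import binascii
import ipaddress
from typing import Iterable, Optional

# Assumption: the reverse proxy in front of the API connects from this range.
# A forwarded header is only believed when the direct peer is in it.
TRUSTED_PROXIES = (ipaddress.ip_network("10.0.0.0/8"),)  # placeholder range


def _is_trusted(ip_text: str, trusted: Iterable) -> bool:
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip_for_rate_limit(remote_addr: str, xff: Optional[str],
                             trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Return the address to key the login rate limit on.

    Walks X-Forwarded-For from the right, skipping trusted proxies; the first
    untrusted hop is the client. When the direct peer is not a trusted proxy
    the header is ignored, since the client itself could have written it.
    (The audited code used the leftmost entry, which any client controls.)
    """
    if not xff or not _is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue
        try:
            return str(ipaddress.ip_address(hop))  # normalised textual form
        except ValueError:
            break  # malformed hop: fail closed onto the peer address
    return remote_addr


def rate_limit_key(request) -> str:
    """slowapi-style key function (request in, string out), duck-typed on
    request.client.host and request.headers.get."""
    peer = request.client.host if request.client else ""
    return client_ip_for_rate_limit(peer, request.headers.get("X-Forwarded-For"))


MAX_PHOTO_DATA_BYTES = 500_000  # cap suggested by the audit
# Assumption: only these types are accepted; the decoded bytes must carry the
# signature of the declared type so arbitrary blobs cannot be stored as images.
ALLOWED_IMAGE_MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
}


class PhotoRejected(ValueError):
    """Carries the HTTP status the endpoint should answer with."""

    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status = status


def validate_photo_data_url(data: str) -> bytes:
    """Validate a data:image/...;base64,... string and return the raw bytes."""
    if len(data) > MAX_PHOTO_DATA_BYTES:  # cheapest check first, before any decoding
        raise PhotoRejected(413, "photo payload too large")
    if not data.startswith("data:image/"):
        raise PhotoRejected(415, "not an image data URL")
    header, sep, payload = data.partition(",")
    if not sep or not header.endswith(";base64"):
        raise PhotoRejected(400, "malformed data URL")
    mime = header[len("data:"):-len(";base64")]
    magic = ALLOWED_IMAGE_MAGIC.get(mime)
    if magic is None:
        raise PhotoRejected(415, "unsupported image type: " + mime)
    try:
        raw = base64.b64decode(payload, validate=True)  # strict alphabet and padding
    except (binascii.Error, ValueError):
        raise PhotoRejected(400, "invalid base64 payload")
    if not raw.startswith(magic):
        raise PhotoRejected(415, "content does not match declared type")
    return raw


def rejection_status(data: str) -> Optional[int]:
    """HTTP status the endpoint would return, or None if the upload is accepted."""
    try:
        validate_photo_data_url(data)
    except PhotoRejected as exc:
        return exc.status
    return None


# Constructed sample: PNG signature followed by eight zero bytes.
SAMPLE_PNG_BYTES = ALLOWED_IMAGE_MAGIC["image/png"] + bytes(8)
SAMPLE_PNG_DATA_URL = "data:image/png;base64," + base64.b64encode(SAMPLE_PNG_BYTES).decode()
```

In the endpoint, a PhotoRejected would be turned into HTTPException(exc.status) before the DB write; the length check runs first so an oversized body is refused before any base64 work. For the rate limit, the spoofing case from the finding (a client prepending fake addresses to X-Forwarded-For) no longer changes the key, because the proxy-appended rightmost untrusted hop is used and the header is disregarded entirely when the peer is not a trusted proxy.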
Generated with Claude Code