security: close audit findings #19–#23 and harden Docker setup (#24)
#19 MFA QR code: render locally via qrcode package, remove external qrserver.com request #20 Webhook SSRF: add ssrf-guard.ts with DNS-verified IP blocklist; enforce on create/update/test/dispatch #21 /api/perf: fail-closed when CRON_SECRET missing; remove query-string token auth #22 CSP: remove unsafe-eval and unsafe-inline from script-src in production builds #23 Active session registry: forward jti into session object; validate against ActiveSession on every tRPC request #24 Docker: add missing packages/application to Dockerfile.dev; fix pnpm-lock.yaml glob; run db:migrate:deploy on container start so a fresh checkout boots without manual steps Also: fix pre-existing TS error in e2e/allocations.spec.ts (args.length literal type overlap) Co-Authored-By: claude-flow <ruv@ruv.net>
This commit is contained in:
@@ -9,6 +9,7 @@
|
||||
import { createHmac } from "node:crypto";
|
||||
import { logger } from "./logger.js";
|
||||
import { sendSlackNotification } from "./slack-notify.js";
|
||||
import { assertWebhookUrlAllowed } from "./ssrf-guard.js";
|
||||
|
||||
/** Available webhook event types. */
|
||||
export const WEBHOOK_EVENTS = [
|
||||
@@ -85,6 +86,8 @@ async function _sendToWebhook(
|
||||
payload: Record<string, unknown>,
|
||||
): Promise<void> {
|
||||
try {
|
||||
await assertWebhookUrlAllowed(wh.url);
|
||||
|
||||
// Slack-specific path: use the Slack notification helper
|
||||
if (wh.url.includes("hooks.slack.com")) {
|
||||
const message = formatSlackMessage(event, payload);
|
||||
|
||||
Reference in New Issue
Block a user