Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

security: close audit findings #19–#23 and harden Docker setup (#24)

Browse Source 
#19 MFA QR code: render locally via qrcode package, remove external qrserver.com request
#20 Webhook SSRF: add ssrf-guard.ts with DNS-verified IP blocklist; enforce on create/update/test/dispatch
#21 /api/perf: fail-closed when CRON_SECRET missing; remove query-string token auth
#22 CSP: remove unsafe-eval and unsafe-inline from script-src in production builds
#23 Active session registry: forward jti into session object; validate against ActiveSession on every tRPC request

#24 Docker: add missing packages/application to Dockerfile.dev; fix pnpm-lock.yaml glob;
    run db:migrate:deploy on container start so a fresh checkout boots without manual steps

Also: fix pre-existing TS error in e2e/allocations.spec.ts (args.length literal type overlap)

Co-Authored-By: claude-flow <ruv@ruv.net>
This commit is contained in:
Hartmut Nörenberg
2026-04-01 18:19:21 +02:00
parent fd75628e9d
commit 0e119cfe73
17 changed files with 675 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/api/src/router/webhook-procedure-support.ts
+8
View File
@@ -1,5 +1,6 @@
import { z } from "zod";
import { createAuditEntry } from "../lib/audit.js";
import { assertWebhookUrlAllowed } from "../lib/ssrf-guard.js";
import type { TRPCContext } from "../trpc.js";
import {
buildWebhookCreateData,
@@ -44,6 +45,8 @@ export async function createWebhook(
ctx: WebhookProcedureContext,
input: z.infer<typeof CreateWebhookInputSchema>,
) {
await assertWebhookUrlAllowed(input.url);
const webhook = await ctx.db.webhook.create({
data: buildWebhookCreateData(input),
});
@@ -66,6 +69,10 @@ export async function updateWebhook(
ctx: WebhookProcedureContext,
input: z.infer<typeof UpdateWebhookProcedureInputSchema>,
) {
if (input.data.url !== undefined) {
await assertWebhookUrlAllowed(input.data.url);
}
const existing = await loadWebhookOrThrow(ctx.db, input.id);
const updated = await ctx.db.webhook.update({
@@ -112,6 +119,7 @@ export async function testWebhook(
input: z.infer<typeof WebhookIdInputSchema>,
) {
const webhook = await loadWebhookOrThrow(ctx.db, input.id);
await assertWebhookUrlAllowed(webhook.url);
const result = await sendWebhookTestRequest(webhook);
void createAuditEntry({