security: fix 4 OWASP quick-wins from audit round 2
A04-1 (High): docker-compose E2E_TEST_MODE now defaults to "false"
via ${E2E_TEST_MODE:-false} — prevents accidental security bypass in
non-test deployments. runtime-env.ts throws at startup if
E2E_TEST_MODE=true in production.
A05-3 (Medium): all 4 cron routes now fail-closed when CRON_SECRET
is unset. Extracted shared verifyCronSecret() helper to
apps/web/src/lib/cron-auth.ts.
A02-1 (Low): verifyCronSecret uses crypto.timingSafeEqual for
constant-time Bearer token comparison.
A10-1 (Medium): Slack webhook routing uses strict hostname check
(parsedUrl.hostname === "hooks.slack.com") instead of .includes()
to prevent bypass via subdomain confusion.
Tickets created for remaining findings: #28 (TOTP rate limit),
#29 (allocations role check), #30 (API keys in DB), #31 (pgAdmin
creds), #32 (MFA enforcement), #33 (auth anomaly alerting),
#34 (comment server-side sanitization).
Co-Authored-By: claude-flow <ruv@ruv.net>
This commit is contained in:
@@ -2,6 +2,7 @@ import { NextResponse } from "next/server";
|
||||
import { prisma } from "@capakraken/db";
|
||||
import { checkChargeabilityAlerts } from "@capakraken/api";
|
||||
import { logger } from "@capakraken/api/lib/logger";
|
||||
import { verifyCronSecret } from "~/lib/cron-auth.js";
|
||||
|
||||
export const dynamic = "force-dynamic";
|
||||
export const runtime = "nodejs";
|
||||
@@ -18,13 +19,8 @@ export const runtime = "nodejs";
|
||||
* When set, requests must include `Authorization: Bearer <secret>`.
|
||||
*/
|
||||
export async function GET(request: Request) {
|
||||
const cronSecret = process.env["CRON_SECRET"];
|
||||
if (cronSecret) {
|
||||
const auth = request.headers.get("authorization");
|
||||
if (auth !== `Bearer ${cronSecret}`) {
|
||||
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
|
||||
}
|
||||
}
|
||||
const deny = verifyCronSecret(request);
|
||||
if (deny) return deny;
|
||||
|
||||
try {
|
||||
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
||||
|
||||
@@ -2,6 +2,7 @@ import { NextResponse } from "next/server";
|
||||
import { prisma } from "@capakraken/db";
|
||||
import { checkPendingEstimateReminders } from "@capakraken/api";
|
||||
import { logger } from "@capakraken/api/lib/logger";
|
||||
import { verifyCronSecret } from "~/lib/cron-auth.js";
|
||||
|
||||
export const dynamic = "force-dynamic";
|
||||
export const runtime = "nodejs";
|
||||
@@ -20,13 +21,8 @@ export const runtime = "nodejs";
|
||||
* `Authorization: Bearer <secret>`.
|
||||
*/
|
||||
export async function GET(request: Request) {
|
||||
const cronSecret = process.env["CRON_SECRET"];
|
||||
if (cronSecret) {
|
||||
const auth = request.headers.get("authorization");
|
||||
if (auth !== `Bearer ${cronSecret}`) {
|
||||
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
|
||||
}
|
||||
}
|
||||
const deny = verifyCronSecret(request);
|
||||
if (deny) return deny;
|
||||
|
||||
try {
|
||||
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
||||
|
||||
@@ -3,6 +3,7 @@ import { prisma } from "@capakraken/db";
|
||||
import { createNotificationsForUsers } from "@capakraken/api";
|
||||
import { logger } from "@capakraken/api/lib/logger";
|
||||
import { createConnection } from "net";
|
||||
import { verifyCronSecret } from "~/lib/cron-auth.js";
|
||||
|
||||
export const dynamic = "force-dynamic";
|
||||
export const runtime = "nodejs";
|
||||
@@ -68,13 +69,8 @@ async function checkRedis(): Promise<{ status: "ok" | "error"; latencyMs: number
|
||||
* When set, requests must include `Authorization: Bearer <secret>`.
|
||||
*/
|
||||
export async function GET(request: Request) {
|
||||
const cronSecret = process.env["CRON_SECRET"];
|
||||
if (cronSecret) {
|
||||
const auth = request.headers.get("authorization");
|
||||
if (auth !== `Bearer ${cronSecret}`) {
|
||||
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
|
||||
}
|
||||
}
|
||||
const deny = verifyCronSecret(request);
|
||||
if (deny) return deny;
|
||||
|
||||
try {
|
||||
const [postgres, redis] = await Promise.all([
|
||||
|
||||
@@ -4,6 +4,7 @@ import { createNotificationsForUsers } from "@capakraken/api";
|
||||
import { logger } from "@capakraken/api/lib/logger";
|
||||
import { readFileSync } from "fs";
|
||||
import { join } from "path";
|
||||
import { verifyCronSecret } from "~/lib/cron-auth.js";
|
||||
|
||||
export const dynamic = "force-dynamic";
|
||||
export const runtime = "nodejs";
|
||||
@@ -104,13 +105,8 @@ function scanPackageJson(): Finding[] {
|
||||
* When set, requests must include `Authorization: Bearer <secret>`.
|
||||
*/
|
||||
export async function GET(request: Request) {
|
||||
const cronSecret = process.env["CRON_SECRET"];
|
||||
if (cronSecret) {
|
||||
const auth = request.headers.get("authorization");
|
||||
if (auth !== `Bearer ${cronSecret}`) {
|
||||
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
|
||||
}
|
||||
}
|
||||
const deny = verifyCronSecret(request);
|
||||
if (deny) return deny;
|
||||
|
||||
try {
|
||||
const findings = scanPackageJson();
|
||||
|
||||
@@ -0,0 +1,35 @@
|
||||
import { timingSafeEqual } from "node:crypto";
|
||||
import { NextResponse } from "next/server";
|
||||
|
||||
/**
|
||||
* Verify the `Authorization: Bearer <secret>` header against CRON_SECRET.
|
||||
*
|
||||
* Security properties:
|
||||
* - Fail-closed: returns 401 when CRON_SECRET is not configured (A05-3)
|
||||
* - Timing-safe: uses crypto.timingSafeEqual to prevent timing attacks (A02-1)
|
||||
*
|
||||
* Usage:
|
||||
* const deny = verifyCronSecret(request);
|
||||
* if (deny) return deny;
|
||||
*/
|
||||
export function verifyCronSecret(request: Request): NextResponse | null {
|
||||
const cronSecret = process.env["CRON_SECRET"];
|
||||
|
||||
// Fail-closed: if the secret is not configured, reject all requests.
|
||||
if (!cronSecret) {
|
||||
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
|
||||
}
|
||||
|
||||
const auth = request.headers.get("authorization") ?? "";
|
||||
const expected = `Bearer ${cronSecret}`;
|
||||
|
||||
const expectedBuf = Buffer.from(expected, "utf8");
|
||||
const actualBuf = Buffer.from(auth, "utf8");
|
||||
|
||||
// Different lengths can be rejected without timing exposure (length itself is not secret).
|
||||
if (actualBuf.length !== expectedBuf.length || !timingSafeEqual(expectedBuf, actualBuf)) {
|
||||
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
@@ -42,6 +42,10 @@ export function getRuntimeEnvViolations(env: RuntimeEnv = process.env): string[]
|
||||
violations.push("AUTH_SECRET or NEXTAUTH_SECRET must not use a known development placeholder in production.");
|
||||
}
|
||||
|
||||
if ((env.E2E_TEST_MODE ?? "").trim() === "true") {
|
||||
violations.push("E2E_TEST_MODE must not be 'true' in production — it disables all rate limiting and session controls.");
|
||||
}
|
||||
|
||||
if (!authUrl) {
|
||||
violations.push("AUTH_URL or NEXTAUTH_URL must be set in production.");
|
||||
} else {
|
||||
|
||||
Reference in New Issue
Block a user