Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

security: fix 4 OWASP quick-wins from audit round 2

Browse Source 
A04-1 (High): docker-compose E2E_TEST_MODE now defaults to "false"
  via ${E2E_TEST_MODE:-false} — prevents accidental security bypass in
  non-test deployments. runtime-env.ts throws at startup if
  E2E_TEST_MODE=true in production.

A05-3 (Medium): all 4 cron routes now fail-closed when CRON_SECRET
  is unset. Extracted shared verifyCronSecret() helper to
  apps/web/src/lib/cron-auth.ts.

A02-1 (Low): verifyCronSecret uses crypto.timingSafeEqual for
  constant-time Bearer token comparison.

A10-1 (Medium): Slack webhook routing uses strict hostname check
  (parsedUrl.hostname === "hooks.slack.com") instead of .includes()
  to prevent bypass via subdomain confusion.

Tickets created for remaining findings: #28 (TOTP rate limit),
#29 (allocations role check), #30 (API keys in DB), #31 (pgAdmin
creds), #32 (MFA enforcement), #33 (auth anomaly alerting),
#34 (comment server-side sanitization).

Co-Authored-By: claude-flow <ruv@ruv.net>
This commit is contained in:
Hartmut Nörenberg
2026-04-01 22:57:51 +02:00
parent 745be7ee8b
commit f8550110eb
8 changed files with 63 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/web/src/lib/cron-auth.ts
+35
View File
@@ -0,0 +1,35 @@
import { timingSafeEqual } from "node:crypto";
import { NextResponse } from "next/server";
/**
* Verify the `Authorization: Bearer <secret>` header against CRON_SECRET.
*
* Security properties:
* - Fail-closed: returns 401 when CRON_SECRET is not configured (A05-3)
* - Timing-safe: uses crypto.timingSafeEqual to prevent timing attacks (A02-1)
*
* Usage:
* const deny = verifyCronSecret(request);
* if (deny) return deny;
*/
export function verifyCronSecret(request: Request): NextResponse | null {
const cronSecret = process.env["CRON_SECRET"];
// Fail-closed: if the secret is not configured, reject all requests.
if (!cronSecret) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
const auth = request.headers.get("authorization") ?? "";
const expected = `Bearer ${cronSecret}`;
const expectedBuf = Buffer.from(expected, "utf8");
const actualBuf = Buffer.from(auth, "utf8");
// Different lengths can be rejected without timing exposure (length itself is not secret).
if (actualBuf.length !== expectedBuf.length || !timingSafeEqual(expectedBuf, actualBuf)) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
return null;
}