Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

security: fix 4 OWASP quick-wins from audit round 2

Browse Source 
A04-1 (High): docker-compose E2E_TEST_MODE now defaults to "false"
  via ${E2E_TEST_MODE:-false} — prevents accidental security bypass in
  non-test deployments. runtime-env.ts throws at startup if
  E2E_TEST_MODE=true in production.

A05-3 (Medium): all 4 cron routes now fail-closed when CRON_SECRET
  is unset. Extracted shared verifyCronSecret() helper to
  apps/web/src/lib/cron-auth.ts.

A02-1 (Low): verifyCronSecret uses crypto.timingSafeEqual for
  constant-time Bearer token comparison.

A10-1 (Medium): Slack webhook routing uses strict hostname check
  (parsedUrl.hostname === "hooks.slack.com") instead of .includes()
  to prevent bypass via subdomain confusion.

Tickets created for remaining findings: #28 (TOTP rate limit),
#29 (allocations role check), #30 (API keys in DB), #31 (pgAdmin
creds), #32 (MFA enforcement), #33 (auth anomaly alerting),
#34 (comment server-side sanitization).

Co-Authored-By: claude-flow <ruv@ruv.net>
This commit is contained in:
Hartmut Nörenberg
2026-04-01 22:57:51 +02:00
parent 745be7ee8b
commit f8550110eb
8 changed files with 63 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/api/src/lib/webhook-dispatcher.ts
+4 -2
View File
@@ -88,8 +88,10 @@ async function _sendToWebhook(
try {
await assertWebhookUrlAllowed(wh.url);
// Slack-specific path: use the Slack notification helper
if (wh.url.includes("hooks.slack.com")) {
// Slack-specific path: use the Slack notification helper.
// Use strict hostname match to prevent bypass via "hooks.slack.com.attacker.example.com".
const parsedUrl = new URL(wh.url);
if (parsedUrl.hostname === "hooks.slack.com") {
const message = formatSlackMessage(event, payload);
await sendSlackNotification(wh.url, message);
return;