security: fix 4 OWASP quick-wins from audit round 2

A04-1 (High): docker-compose E2E_TEST_MODE now defaults to "false" via ${E2E_TEST_MODE:-false} — prevents accidental security bypass in non-test deployments. runtime-env.ts throws at startup if E2E_TEST_MODE=true in production. A05-3 (Medium): all 4 cron routes now fail-closed when CRON_SECRET is unset. Extracted shared verifyCronSecret() helper to apps/web/src/lib/cron-auth.ts. A02-1 (Low): verifyCronSecret uses crypto.timingSafeEqual for constant-time Bearer token comparison. A10-1 (Medium): Slack webhook routing uses strict hostname check (parsedUrl.hostname === "hooks.slack.com") instead of .includes() to prevent bypass via subdomain confusion. Tickets created for remaining findings: #28 (TOTP rate limit), #29 (allocations role check), #30 (API keys in DB), #31 (pgAdmin creds), #32 (MFA enforcement), #33 (auth anomaly alerting), #34 (comment server-side sanitization). Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 22:57:51 +02:00
parent 745be7ee8b
commit f8550110eb
8 changed files with 63 additions and 33 deletions
@@ -2,6 +2,7 @@ import { NextResponse } from "next/server";
 import { prisma } from "@capakraken/db";
 import { checkChargeabilityAlerts } from "@capakraken/api";
 import { logger } from "@capakraken/api/lib/logger";
 import { verifyCronSecret } from "~/lib/cron-auth.js";
 export const dynamic = "force-dynamic";
 export const runtime = "nodejs";
@@ -18,13 +19,8 @@ export const runtime = "nodejs";
 * When set, requests must include `Authorization: Bearer <secret>`.
 */
 export async function GET(request: Request) {
-  const cronSecret = process.env["CRON_SECRET"];
+  const deny = verifyCronSecret(request);
-  if (cronSecret) {
+  if (deny) return deny;
    const auth = request.headers.get("authorization");
    if (auth !== `Bearer ${cronSecret}`) {
      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
    }
  }
  try {
    // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -2,6 +2,7 @@ import { NextResponse } from "next/server";
 import { prisma } from "@capakraken/db";
 import { checkPendingEstimateReminders } from "@capakraken/api";
 import { logger } from "@capakraken/api/lib/logger";
 import { verifyCronSecret } from "~/lib/cron-auth.js";
 export const dynamic = "force-dynamic";
 export const runtime = "nodejs";
@@ -20,13 +21,8 @@ export const runtime = "nodejs";
 * `Authorization: Bearer <secret>`.
 */
 export async function GET(request: Request) {
-  const cronSecret = process.env["CRON_SECRET"];
+  const deny = verifyCronSecret(request);
-  if (cronSecret) {
+  if (deny) return deny;
    const auth = request.headers.get("authorization");
    if (auth !== `Bearer ${cronSecret}`) {
      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
    }
  }
  try {
    // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -3,6 +3,7 @@ import { prisma } from "@capakraken/db";
 import { createNotificationsForUsers } from "@capakraken/api";
 import { logger } from "@capakraken/api/lib/logger";
 import { createConnection } from "net";
 import { verifyCronSecret } from "~/lib/cron-auth.js";
 export const dynamic = "force-dynamic";
 export const runtime = "nodejs";
@@ -68,13 +69,8 @@ async function checkRedis(): Promise<{ status: "ok" | "error"; latencyMs: number
 * When set, requests must include `Authorization: Bearer <secret>`.
 */
 export async function GET(request: Request) {
-  const cronSecret = process.env["CRON_SECRET"];
+  const deny = verifyCronSecret(request);
-  if (cronSecret) {
+  if (deny) return deny;
    const auth = request.headers.get("authorization");
    if (auth !== `Bearer ${cronSecret}`) {
      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
    }
  }
  try {
    const [postgres, redis] = await Promise.all([
@@ -4,6 +4,7 @@ import { createNotificationsForUsers } from "@capakraken/api";
 import { logger } from "@capakraken/api/lib/logger";
 import { readFileSync } from "fs";
 import { join } from "path";
 import { verifyCronSecret } from "~/lib/cron-auth.js";
 export const dynamic = "force-dynamic";
 export const runtime = "nodejs";
@@ -104,13 +105,8 @@ function scanPackageJson(): Finding[] {
 * When set, requests must include `Authorization: Bearer <secret>`.
 */
 export async function GET(request: Request) {
-  const cronSecret = process.env["CRON_SECRET"];
+  const deny = verifyCronSecret(request);
-  if (cronSecret) {
+  if (deny) return deny;
    const auth = request.headers.get("authorization");
    if (auth !== `Bearer ${cronSecret}`) {
      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
    }
  }
  try {
    const findings = scanPackageJson();
@@ -0,0 +1,35 @@
 import { timingSafeEqual } from "node:crypto";
 import { NextResponse } from "next/server";
 /**
 * Verify the `Authorization: Bearer <secret>` header against CRON_SECRET.
 *
 * Security properties:
 *  - Fail-closed: returns 401 when CRON_SECRET is not configured (A05-3)
 *  - Timing-safe: uses crypto.timingSafeEqual to prevent timing attacks (A02-1)
 *
 * Usage:
 *   const deny = verifyCronSecret(request);
 *   if (deny) return deny;
 */
 export function verifyCronSecret(request: Request): NextResponse | null {
  const cronSecret = process.env["CRON_SECRET"];
  // Fail-closed: if the secret is not configured, reject all requests.
  if (!cronSecret) {
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }
  const auth = request.headers.get("authorization") ?? "";
  const expected = `Bearer ${cronSecret}`;
  const expectedBuf = Buffer.from(expected, "utf8");
  const actualBuf = Buffer.from(auth, "utf8");
  // Different lengths can be rejected without timing exposure (length itself is not secret).
  if (actualBuf.length !== expectedBuf.length || !timingSafeEqual(expectedBuf, actualBuf)) {
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }
  return null;
 }
@@ -42,6 +42,10 @@ export function getRuntimeEnvViolations(env: RuntimeEnv = process.env): string[]
    violations.push("AUTH_SECRET or NEXTAUTH_SECRET must not use a known development placeholder in production.");
  }
  if ((env.E2E_TEST_MODE ?? "").trim() === "true") {
    violations.push("E2E_TEST_MODE must not be 'true' in production — it disables all rate limiting and session controls.");
  }
  if (!authUrl) {
    violations.push("AUTH_URL or NEXTAUTH_URL must be set in production.");
  } else {
@@ -59,9 +59,14 @@ services:
      REDIS_URL: redis://redis:6379
      NEXTAUTH_URL: ${NEXTAUTH_URL:-http://localhost:3100}
      NEXTAUTH_SECRET: ${NEXTAUTH_SECRET:?set NEXTAUTH_SECRET}
-      # Bypass auth + API rate limiters so E2E test runs don't exhaust
+      # Bypass auth + API rate limiters for E2E test runs only.
-      # per-user quotas and don't pollute active_sessions for real users.
+      # MUST remain "false" in any production or staging deployment.
-      E2E_TEST_MODE: "true"
+      # Set E2E_TEST_MODE=true in the host environment before running E2E tests.
      E2E_TEST_MODE: "${E2E_TEST_MODE:-false}"
      # AI provider secrets — forwarded from host .env, not hardcoded
      AZURE_OPENAI_API_KEY: ${AZURE_OPENAI_API_KEY:-}
      OPENAI_API_KEY: ${OPENAI_API_KEY:-}
      GEMINI_API_KEY: ${GEMINI_API_KEY:-}
    depends_on:
      postgres:
        condition: service_healthy
@@ -88,8 +88,10 @@ async function _sendToWebhook(
  try {
    await assertWebhookUrlAllowed(wh.url);
-    // Slack-specific path: use the Slack notification helper
+    // Slack-specific path: use the Slack notification helper.
-    if (wh.url.includes("hooks.slack.com")) {
+    // Use strict hostname match to prevent bypass via "hooks.slack.com.attacker.example.com".
    const parsedUrl = new URL(wh.url);
    if (parsedUrl.hostname === "hooks.slack.com") {
      const message = formatSlackMessage(event, payload);
      await sendSlackNotification(wh.url, message);
      return;