Hartmut

0 Followers · 0 Following

• Joined on 2026-04-12

Repositories

2

Projects Packages Public Activity Starred Repositories

Hartmut commented on issue Hartmut/CapaKraken#46 2026-04-17 09:29:43 +02:00

Security [HIGH]: Pino logger has no redact paths — passwords/tokens logged cleartext

Resolved across two commits, covering both the stdout logger and the DB audit path.

Layer A — pino stdout redact (main commit 534945f, verified at packages/api/src/lib/logger.ts:8-40): Reda…

Hartmut closed issue Hartmut/CapaKraken#43 2026-04-17 09:29:25 +02:00

Security [HIGH]: MFA TOTP replay-race + missing backup codes

Hartmut commented on issue Hartmut/CapaKraken#43 2026-04-17 09:29:25 +02:00

Security [HIGH]: MFA TOTP replay-race + missing backup codes

Part 1 — TOTP replay race — resolved in commit 3222bec (security: atomic compare-and-swap for TOTP replay window).

• New helper packages/api/src/lib/totp-consume.ts::consumeTotpWindow()…

Hartmut closed issue Hartmut/CapaKraken#49 2026-04-17 09:29:06 +02:00

Security [HIGH]: SSRF guard misses IPv6 private ranges + webhook dispatcher lacks DNS-rebind protection

Hartmut commented on issue Hartmut/CapaKraken#49 2026-04-17 09:29:05 +02:00

Security [HIGH]: SSRF guard misses IPv6 private ranges + webhook dispatcher lacks DNS-rebind protection

Resolved in commit 4ff7bc9 (security: SSRF guard covers IPv6 + DNS-rebind defence via pinned IP).

SSRF-guard (packages/api/src/lib/ssrf-guard.ts) — blocks full IPv4 private space…

Hartmut closed issue Hartmut/CapaKraken#48 2026-04-17 09:29:05 +02:00

Security [HIGH]: Resource.dynamicFields JSONB merge accepts attacker-controlled keys + unbounded metadata

Hartmut commented on issue Hartmut/CapaKraken#48 2026-04-17 09:29:05 +02:00

Security [HIGH]: Resource.dynamicFields JSONB merge accepts attacker-controlled keys + unbounded metadata

Resolved in commit c0c5f76 (security: bound JSONB inputs + whitelist batchUpdateCustomFields keys). Resource.dynamicFields merge now goes through a whitelist of known keys; attacker-controlled…

Hartmut closed issue Hartmut/CapaKraken#45 2026-04-17 09:29:05 +02:00

Security [HIGH]: CSP wildcards (*.openai.com, *.azure.com), unsafe-inline styles, SVG routes skip CSP

Hartmut commented on issue Hartmut/CapaKraken#45 2026-04-17 09:29:04 +02:00

Security [HIGH]: CSP wildcards (*.openai.com, *.azure.com), unsafe-inline styles, SVG routes skip CSP

Resolved in commit d1075af (security: tighten CSP — drop provider wildcards, add object/frame/worker-src).

apps/web/src/middleware.ts::buildCsp() now returns:

• connect-src 'self' (was…

Hartmut closed issue Hartmut/CapaKraken#44 2026-04-17 09:29:04 +02:00

Security [HIGH]: API middleware default-allows /api/* — new routes inherit public access

Hartmut commented on issue Hartmut/CapaKraken#44 2026-04-17 09:29:04 +02:00

Security [HIGH]: API middleware default-allows /api/* — new routes inherit public access

Resolved in commit b32160d (security: default-deny /api middleware allowlist). The web app middleware now allowlists known public /api/* routes; new routes default to auth-required.

Hartmut closed issue Hartmut/CapaKraken#42 2026-04-17 09:29:04 +02:00

Security [HIGH]: E2E_TEST_MODE bypass must fail-fast in production

Hartmut commented on issue Hartmut/CapaKraken#42 2026-04-17 09:29:03 +02:00

Security [HIGH]: E2E_TEST_MODE bypass must fail-fast in production

Resolved in commit 93a7fba (security: fail-fast dev-bypass flag in production). The auth bootstrap throws at startup if E2E_TEST_MODE=1 is set while NODE_ENV=production.

Hartmut closed issue Hartmut/CapaKraken#41 2026-04-17 09:29:03 +02:00

Security [HIGH]: Session/Cookie hardening — Secure flag, concurrent-session enforcement, JTI exposure

Hartmut commented on issue Hartmut/CapaKraken#41 2026-04-17 09:29:03 +02:00

Security [HIGH]: Session/Cookie hardening — Secure flag, concurrent-session enforcement, JTI exposure

Resolved in commit d45cc00 (security: cookie + session hardening). Secure flag enforced in prod, concurrent-session cap implemented, JTI no longer surfaced in responses.

Hartmut closed issue Hartmut/CapaKraken#40 2026-04-17 09:29:03 +02:00

Security [HIGH]: Login timing attack enables user-email enumeration

Hartmut commented on issue Hartmut/CapaKraken#40 2026-04-17 09:29:03 +02:00

Security [HIGH]: Login timing attack enables user-email enumeration

Resolved in commit 0303063 (security: constant-time authorize + uniform audit summaries). Authorize path now runs Argon2 verify against a dummy hash when the user is missing, and audit summaries…

Hartmut closed issue Hartmut/CapaKraken#39 2026-04-17 09:29:02 +02:00

Security [HIGH]: Prompt-injection guard trivially bypassable (regex-only, no Unicode normalization)

Hartmut commented on issue Hartmut/CapaKraken#39 2026-04-17 09:29:02 +02:00

Security [HIGH]: Prompt-injection guard trivially bypassable (regex-only, no Unicode normalization)

Resolved in commit c2d05b4 (security: Unicode-aware prompt-injection guard). NFKC normalisation + homoglyph folding applied before regex match in packages/api/src/lib/prompt-guard.ts.

Hartmut closed issue Hartmut/CapaKraken#37 2026-04-17 09:29:02 +02:00

Security [CRITICAL]: Rate-limiter only keys by email — IP-based brute-force and targeted lockout possible