Hartmut

Hartmut commented on issue Hartmut/CapaKraken#37

2026-04-17 09:29:02 +02:00

Security [CRITICAL]: Rate-limiter only keys by email — IP-based brute-force and targeted lockout possible

Resolved in main commit 3c5d1d3 (security: rate-limit IP-keyed, fail-closed on empty key). Rate-limit now keys on IP + email; empty-key paths fail closed.

Hartmut closed issue Hartmut/CapaKraken#36

2026-04-17 09:29:02 +02:00

Security [CRITICAL]: Unbounded password inputs enable Argon2 DoS

Hartmut commented on issue Hartmut/CapaKraken#36

2026-04-17 09:29:01 +02:00

Security [CRITICAL]: Unbounded password inputs enable Argon2 DoS

Resolved in main commit 534945f (security: bound password inputs, configure pino redact, patch deps).

packages/api/src/router/user-procedure-support.ts:13,18 caps every password input at…

Hartmut closed issue Hartmut/CapaKraken#47

2026-04-17 09:28:15 +02:00

Security [HIGH]: Read-only proxy bypass via tRPC callers + missing $transaction/$queryRaw blocks

Hartmut commented on issue Hartmut/CapaKraken#47

2026-04-17 09:28:15 +02:00

Security [HIGH]: Read-only proxy bypass via tRPC callers + missing $transaction/$queryRaw blocks

Resolved.

Part 1 — Proxy blocks all escape hatches (commit 1ff5c33, verified at packages/api/src/lib/read-only-prisma.ts:26-32):

$executeRaw
$executeRawUnsafe
$transaction -…

Hartmut closed issue Hartmut/CapaKraken#38

2026-04-17 09:25:56 +02:00

Security [HIGH]: Assistant chat message content unbounded — AI cost/memory DoS

Hartmut commented on issue Hartmut/CapaKraken#38

2026-04-17 09:25:56 +02:00

Security [HIGH]: Assistant chat message content unbounded — AI cost/memory DoS

Resolved. packages/api/src/router/assistant-procedure-support.ts:49-77 now enforces:

content: z.string().max(10_000) per message
pageContext: z.string().max(2_000)
`conversationId:…

Hartmut commented on issue Hartmut/CapaKraken#1

2026-04-16 22:05:47 +02:00

CDP Compliance Epic — alle Controls

Full-Codebase Security Audit — 2026-04-16

Systematischer Audit des gesamten Source-Codes (nicht nur der CDP-Standard-Controls) hat 60 Findings ergeben, konsolidiert zu **23 actionable…

Hartmut opened issue Hartmut/CapaKraken#58

2026-04-16 22:05:12 +02:00

Security [MEDIUM]: Dependency CVEs — upgrade dompurify, vite/esbuild, brace-expansion

Hartmut opened issue Hartmut/CapaKraken#57

2026-04-16 22:05:12 +02:00

Security [MEDIUM]: RBAC permissions cache 60 s — revocation propagates slowly across instances

Hartmut opened issue Hartmut/CapaKraken#56

2026-04-16 22:05:12 +02:00

Security [MEDIUM]: Password-policy client/server divergence + weak secret-entropy check

Hartmut opened issue Hartmut/CapaKraken#55

2026-04-16 22:05:12 +02:00

Security [MEDIUM]: Audit log fire-and-forget drops entries on DB load + no prompt-input audit

Hartmut opened issue Hartmut/CapaKraken#54

2026-04-16 22:05:12 +02:00

Security [MEDIUM]: Dispo workbook path unvalidated + image upload polyglot risk

Hartmut opened issue Hartmut/CapaKraken#48

2026-04-16 22:05:11 +02:00

Security [HIGH]: Resource.dynamicFields JSONB merge accepts attacker-controlled keys + unbounded metadata

Hartmut opened issue Hartmut/CapaKraken#49

2026-04-16 22:05:11 +02:00

Security [HIGH]: SSRF guard misses IPv6 private ranges + webhook dispatcher lacks DNS-rebind protection

Hartmut opened issue Hartmut/CapaKraken#50

2026-04-16 22:05:11 +02:00

Security [HIGH]: Docker + Compose — hardcoded dev password, env-var secrets, placeholder secrets baked in prod image

Hartmut opened issue Hartmut/CapaKraken#51

2026-04-16 22:05:11 +02:00

Security [MEDIUM]: Systematic Zod .max() audit — 202 unbounded z.string() sites

Hartmut opened issue Hartmut/CapaKraken#52

2026-04-16 22:05:11 +02:00

Security [MEDIUM]: Blueprint validator uses native RegExp — admin-set pattern enables ReDoS

Hartmut opened issue Hartmut/CapaKraken#53

2026-04-16 22:05:11 +02:00

Security [MEDIUM]: AI-tool error messages leak Prisma schema details to LLM

Hartmut opened issue Hartmut/CapaKraken#45

2026-04-16 22:05:10 +02:00

Security [HIGH]: CSP wildcards (*.openai.com, *.azure.com), unsafe-inline styles, SVG routes skip CSP