• Joined on 2026-04-12
Hartmut closed issue Hartmut/Nexus#39 2026-04-17 09:29:02 +02:00
Security [HIGH]: Prompt-injection guard trivially bypassable (regex-only, no Unicode normalization)
Hartmut commented on issue Hartmut/Nexus#37 2026-04-17 09:29:02 +02:00
Security [CRITICAL]: Rate-limiter only keys by email — IP-based brute-force and targeted lockout possible

Resolved in main commit 3c5d1d3 (security: rate-limit IP-keyed, fail-closed on empty key). Rate-limit now keys on IP + email; empty-key paths fail closed.

Hartmut commented on issue Hartmut/Nexus#39 2026-04-17 09:29:02 +02:00
Security [HIGH]: Prompt-injection guard trivially bypassable (regex-only, no Unicode normalization)

Resolved in commit c2d05b4 (security: Unicode-aware prompt-injection guard). NFKC normalisation + homoglyph folding applied before regex match in packages/api/src/lib/prompt-guard.ts.

Hartmut closed issue Hartmut/Nexus#36 2026-04-17 09:29:02 +02:00
Security [CRITICAL]: Unbounded password inputs enable Argon2 DoS
Hartmut closed issue Hartmut/Nexus#37 2026-04-17 09:29:02 +02:00
Security [CRITICAL]: Rate-limiter only keys by email — IP-based brute-force and targeted lockout possible
Hartmut commented on issue Hartmut/Nexus#36 2026-04-17 09:29:01 +02:00
Security [CRITICAL]: Unbounded password inputs enable Argon2 DoS

Resolved in main commit 534945f (security: bound password inputs, configure pino redact, patch deps).

packages/api/src/router/user-procedure-support.ts:13,18 caps every password input at…

Hartmut commented on issue Hartmut/Nexus#47 2026-04-17 09:28:15 +02:00
Security [HIGH]: Read-only proxy bypass via tRPC callers + missing $transaction/$queryRaw blocks

Resolved.

Part 1 — Proxy blocks all escape hatches (commit 1ff5c33, verified at packages/api/src/lib/read-only-prisma.ts:26-32):

  • $executeRaw
  • $executeRawUnsafe
  • $transaction -…
Hartmut closed issue Hartmut/Nexus#47 2026-04-17 09:28:15 +02:00
Security [HIGH]: Read-only proxy bypass via tRPC callers + missing $transaction/$queryRaw blocks
Hartmut closed issue Hartmut/Nexus#38 2026-04-17 09:25:56 +02:00
Security [HIGH]: Assistant chat message content unbounded — AI cost/memory DoS
Hartmut commented on issue Hartmut/Nexus#38 2026-04-17 09:25:56 +02:00
Security [HIGH]: Assistant chat message content unbounded — AI cost/memory DoS

Resolved. packages/api/src/router/assistant-procedure-support.ts:49-77 now enforces:

  • content: z.string().max(10_000) per message
  • pageContext: z.string().max(2_000)
  • `conversationId:…
Hartmut commented on issue Hartmut/Nexus#1 2026-04-16 22:05:47 +02:00
CDP Compliance Epic — alle Controls

Full-Codebase Security Audit — 2026-04-16

Systematischer Audit des gesamten Source-Codes (nicht nur der CDP-Standard-Controls) hat 60 Findings ergeben, konsolidiert zu **23 actionable…

Hartmut opened issue Hartmut/Nexus#54 2026-04-16 22:05:12 +02:00
Security [MEDIUM]: Dispo workbook path unvalidated + image upload polyglot risk
Hartmut opened issue Hartmut/Nexus#58 2026-04-16 22:05:12 +02:00
Security [MEDIUM]: Dependency CVEs — upgrade dompurify, vite/esbuild, brace-expansion
Hartmut opened issue Hartmut/Nexus#55 2026-04-16 22:05:12 +02:00
Security [MEDIUM]: Audit log fire-and-forget drops entries on DB load + no prompt-input audit
Hartmut opened issue Hartmut/Nexus#56 2026-04-16 22:05:12 +02:00
Security [MEDIUM]: Password-policy client/server divergence + weak secret-entropy check
Hartmut opened issue Hartmut/Nexus#57 2026-04-16 22:05:12 +02:00
Security [MEDIUM]: RBAC permissions cache 60 s — revocation propagates slowly across instances
Hartmut opened issue Hartmut/Nexus#51 2026-04-16 22:05:11 +02:00
Security [MEDIUM]: Systematic Zod .max() audit — 202 unbounded z.string() sites
Hartmut opened issue Hartmut/Nexus#48 2026-04-16 22:05:11 +02:00
Security [HIGH]: Resource.dynamicFields JSONB merge accepts attacker-controlled keys + unbounded metadata
Hartmut opened issue Hartmut/Nexus#53 2026-04-16 22:05:11 +02:00
Security [MEDIUM]: AI-tool error messages leak Prisma schema details to LLM
Hartmut opened issue Hartmut/Nexus#52 2026-04-16 22:05:11 +02:00
Security [MEDIUM]: Blueprint validator uses native RegExp — admin-set pattern enables ReDoS