Dinawo/CDN-APP-INSIDER
1
0
Fork 1
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

security: vulnerability fixes & security hardening (2026-03-12) #1

Merged
Dinawo merged 1 commits from secops/security-update-2026-03-12 into release-candidate 2026-03-12 17:27:34 +01:00
Conversation 0 Commits 1 Files Changed 9 +35 -8
Dinawo commented 2026-03-12 17:18:48 +01:00
Owner
Copy Link

Rapport de sécurité — 2026-03-12

Vulnérabilités code source (SAST)

Sévérité Type Fichier:Ligne Description Statut
CRITICAL Auth Bypass RenameFile.js:110 Typo user.jso, → token auth en échec Corrigé
CRITICAL Auth Bypass NewFolder.js:108 Typo user.jso, → token auth en échec Corrigé
CRITICAL Auth Bypass DeleteFolfder.js:132 Typo user.jso, → token auth en échec Corrigé
HIGH XSS/CSP securityHeadersMiddleware.js:15 unsafe-eval dans CSP Corrigé
HIGH Stored XSS ProfilPicture.js:8 URL non validée Corrigé
HIGH CSS Injection BackgroundCustom.js:8 URL wallpaper non validée Corrigé
HIGH Path Traversal Upload.js:63-69 Pas de path boundary check Corrigé
HIGH CORS securityHeadersMiddleware.js:78 CORS wildcard sur CDN ⚠️ À vérifier
MEDIUM IDOR ProfilPicture.js Pas d auth middleware ⚠️ À vérifier
MEDIUM IDOR BackgroundCustom.js Pas d auth middleware ⚠️ À vérifier
MEDIUM Upload Upload.js:18-21 Pas de validation MIME ⚠️ À vérifier
MEDIUM Rate Limit GenerateToken.js Pas de rate limiting ⚠️ À vérifier
MEDIUM IDOR attachments.js:61 Download sans auth ⚠️ À vérifier
LOW Info Disclosure BuildMetaData.js:67 Stack trace exposée Corrigé
LOW Code Quality BuildMetaData.js:4 Import inutilisé Corrigé

Corrections appliquées

  • Auth Bypass (CRITICAL) : 3 typos user.jso, → user.json dans RenameFile, NewFolder, DeleteFolder
  • XSS/Injection (HIGH) : Validation URL HTTP/HTTPS sur ProfilPicture et BackgroundCustom
  • Path Traversal (HIGH) : Boundary check dans Upload.js
  • CSP (HIGH) : Suppression unsafe-eval
  • Info Disclosure (LOW) : Message erreur générique dans BuildMetaData
  • Code Quality (LOW) : Suppression import child_process inutilisé

Version bump: 1.2.1-beta → 1.2.2-beta

Points d attention (vérification manuelle requise)

  • CORS wildcard sur ressources CDN publiques
  • IDOR sur ProfilPicture et BackgroundCustom (pas d authMiddleware)
  • Pas de validation MIME sur upload
  • Pas de rate limiting sur GenerateToken
  • Attachments accessibles sans auth
  • Vérifier que suppression unsafe-eval ne casse pas TailwindCSS CDN
## Rapport de sécurité — 2026-03-12 ### Vulnérabilités code source (SAST) | Sévérité | Type | Fichier:Ligne | Description | Statut | |----------|------|---------------|-------------|--------| | CRITICAL | Auth Bypass | RenameFile.js:110 | Typo user.jso, → token auth en échec | ✅ Corrigé | | CRITICAL | Auth Bypass | NewFolder.js:108 | Typo user.jso, → token auth en échec | ✅ Corrigé | | CRITICAL | Auth Bypass | DeleteFolfder.js:132 | Typo user.jso, → token auth en échec | ✅ Corrigé | | HIGH | XSS/CSP | securityHeadersMiddleware.js:15 | unsafe-eval dans CSP | ✅ Corrigé | | HIGH | Stored XSS | ProfilPicture.js:8 | URL non validée | ✅ Corrigé | | HIGH | CSS Injection | BackgroundCustom.js:8 | URL wallpaper non validée | ✅ Corrigé | | HIGH | Path Traversal | Upload.js:63-69 | Pas de path boundary check | ✅ Corrigé | | HIGH | CORS | securityHeadersMiddleware.js:78 | CORS wildcard sur CDN | ⚠️ À vérifier | | MEDIUM | IDOR | ProfilPicture.js | Pas d auth middleware | ⚠️ À vérifier | | MEDIUM | IDOR | BackgroundCustom.js | Pas d auth middleware | ⚠️ À vérifier | | MEDIUM | Upload | Upload.js:18-21 | Pas de validation MIME | ⚠️ À vérifier | | MEDIUM | Rate Limit | GenerateToken.js | Pas de rate limiting | ⚠️ À vérifier | | MEDIUM | IDOR | attachments.js:61 | Download sans auth | ⚠️ À vérifier | | LOW | Info Disclosure | BuildMetaData.js:67 | Stack trace exposée | ✅ Corrigé | | LOW | Code Quality | BuildMetaData.js:4 | Import inutilisé | ✅ Corrigé | ### Corrections appliquées - **Auth Bypass (CRITICAL)** : 3 typos user.jso, → user.json dans RenameFile, NewFolder, DeleteFolder - **XSS/Injection (HIGH)** : Validation URL HTTP/HTTPS sur ProfilPicture et BackgroundCustom - **Path Traversal (HIGH)** : Boundary check dans Upload.js - **CSP (HIGH)** : Suppression unsafe-eval - **Info Disclosure (LOW)** : Message erreur générique dans BuildMetaData - **Code Quality (LOW)** : Suppression import child_process inutilisé ### Version bump: 1.2.1-beta → 1.2.2-beta ### Points d attention (vérification manuelle requise) - CORS wildcard sur ressources CDN publiques - IDOR sur ProfilPicture et BackgroundCustom (pas d authMiddleware) - Pas de validation MIME sur upload - Pas de rate limiting sur GenerateToken - Attachments accessibles sans auth - Vérifier que suppression unsafe-eval ne casse pas TailwindCSS CDN
Dinawo added 1 commit 2026-03-12 17:18:48 +01:00
security: fix vulnerabilities and update security hardening (2026-03-12) 76dc23c861 
Code security fixes:
- Fixed 3 critical auth bypass bugs (user.jso, typo → user.json) in RenameFile, NewFolder, DeleteFolder API routes
- Added URL validation (HTTP/HTTPS only) on ProfilPicture and BackgroundCustom endpoints to prevent stored XSS/CSS injection
- Added path traversal protection in Upload.js (resolved path boundary check)
- Removed unsafe-eval from CSP script-src directive
- Removed information disclosure in BuildMetaData error responses
- Removed unused child_process import in BuildMetaData.js

Version bump: 1.2.1-beta → 1.2.2-beta
Dinawo merged commit 1fbfc28780 into release-candidate 2026-03-12 17:27:34 +01:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Dinawo
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Dinawo/CDN-APP-INSIDER#1
Delete Branch "secops/security-update-2026-03-12"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?