security: harden JWT secrets, path traversal, CORS, and auth #325
Merged
Critical fixes:
- C1: Fail startup if JWT_SECRET env var is not set (no more hardcoded fallback)
- C2: generateRandomSalt returns error instead of hardcoded fallback string
- C3: Replace localStorage token in ImportMethods with credentials: "include"

High severity fixes:
- H1: Validate and reject non-absolute paths in system browse handler
- H2: Sanitize file paths in import handler with filepath.Clean + IsAbs check
- H3: Use filepath.Base on uploaded filenames to prevent path traversal
- H5: CORS now derives allowed origins from COOKIE_DOMAIN env var; explicit api.allowed_origins config overrides; falls back to wildcard
- H8: CookieSecure defaults to true; opt out via COOKIE_SECURE=false

Medium severity fixes:
- M1: RespondInternalError suppresses err details in production (APP_ENV!=dev)
- M2: Rate-limit /auth/login and /auth/register to 10 req/min per IP
- M4: Minimum password length raised from 8 to 12 characters
- M6: Replace fmt.Sprintf SQL string interpolation with parameterized placeholder

Low severity fixes:
- L1: Remove username value from WebDAV credential-update log line

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
Full security hardening pass across Go backend and React frontend, addressing critical, high, and medium severity findings from a security audit.
Critical
- JWT_SECRET env var is now required — server fails to start with a clear error instead of using a hardcoded fallback
- generateRandomSalt() returns an error if crypto/rand fails — no more hardcoded fallback salt
- ImportMethods.tsx now uses credentials: "include" instead of reading a JWT from localStorage (consistent with all other API calls)
High
- handleSystemBrowse — filepath.Clean + IsAbs validation prevents ../../../etc/passwd traversal
- FilePath field
- filepath.Base before joining with upload dir
- COOKIE_DOMAIN env var value (both http/https); api.allowed_origins config overrides; falls back to *
- CookieSecure defaults to true; opt out for local HTTP dev via COOKIE_SECURE=false
Medium
- RespondInternalError suppresses err.Error() details in production (APP_ENV=development or DEBUG=true restores them)
- /auth/login and /auth/register rate-limited to 10 requests/minute per IP using Fiber's built-in limiter
- ResetHealthChecksBulk SQL refactored from fmt.Sprintf string interpolation to parameterized ? placeholder
Low