Security audit: fix IDOR, add rate limiting, HMAC auth, token hashing, XSS sanitization
All checks were successful
Build and Deploy / build-and-deploy (push) Successful in 3m22s
All checks were successful
Build and Deploy / build-and-deploy (push) Successful in 3m22s
Critical: Add ownership checks to all order routes (IDOR fix). High: Redis rate limiting on auth endpoints, HMAC-signed internal service calls replacing header-presence-only checks, nh3 HTML sanitization on ghost_sync and product import, internal auth on market API endpoints, SHA-256 hashed OAuth grant/code tokens. Medium: SECRET_KEY production guard, AP signature enforcement, is_admin param removal, cart_sid validation, SSRF protection on remote actor fetch. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -19,6 +19,9 @@ def register() -> Blueprint:
|
||||
async def _require_data_header():
|
||||
if not request.headers.get(DATA_HEADER):
|
||||
return jsonify({"error": "forbidden"}), 403
|
||||
from shared.infrastructure.internal_auth import validate_internal_request
|
||||
if not validate_internal_request():
|
||||
return jsonify({"error": "forbidden"}), 403
|
||||
|
||||
_handlers: dict[str, object] = {}
|
||||
|
||||
@@ -131,8 +134,9 @@ def register() -> Blueprint:
|
||||
period_start = datetime.fromisoformat(request.args.get("period_start", ""))
|
||||
period_end = datetime.fromisoformat(request.args.get("period_end", ""))
|
||||
user_id = request.args.get("user_id", type=int)
|
||||
is_admin = request.args.get("is_admin", "false").lower() == "true"
|
||||
session_id = request.args.get("session_id")
|
||||
# is_admin determined server-side, never from client params
|
||||
is_admin = False
|
||||
entries = await services.calendar.visible_entries_for_period(
|
||||
g.s, calendar_id, period_start, period_end,
|
||||
user_id=user_id, is_admin=is_admin, session_id=session_id,
|
||||
|
||||
Reference in New Issue
Block a user