akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

security: fix 17 vulnerabilities from comprehensive pentest

Browse Source 
Fixes identified from full security audit covering auth, crypto,
injection, infrastructure, and configuration security.

Critical:
- C1: Fail-closed on unrecognized NODE_ENV (prevent DEV_SECRET in staging)
- C3: Validate API token expires_at (reject invalid dates that bypass expiry)

High:
- H1: Refresh JWT role from DB on each session (reflect demotions immediately)
- H2: Docker socket proxy for l4-port-manager (restrict API surface)
- H5: Block dangerous WAF custom directives (SecRuleEngine, SecAuditEngine)
- H7: Require explicit NEXTAUTH_TRUST_HOST instead of always trusting Host
- H8: Semantic validation of sync payload (block metadata SSRF, size limits)

Medium:
- M3: Rate limit password change current-password verification
- M5: Parameterized SQL in log/waf parsers (replace template literals)
- M6: Nonce-based CSP replacing unsafe-inline for script-src
- M9: Strip Caddy placeholders from rewrite path_prefix
- M10: Sanitize authentik outpostDomain (path traversal, placeholders)
- M14: Deny access on missing JWT role instead of defaulting to "user"

Low:
- L1: Require Origin header on mutating session-authenticated requests
- L4: Enforce password complexity on user password changes
- L5: Time-limited legacy SHA-256 key fallback (grace period until 2026-06-01)
- L6: Escape LIKE metacharacters in audit log search
- L7: Runtime-validate WAF excluded_rule_ids as positive integers

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
fuomag9
2026-03-26 12:14:44 +01:00
parent 7a12ecf2fe
commit debd0d98fc
18 changed files with 339 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
app/api/user/change-password/route.ts
View File

@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from "next/server";
import { auth, checkSameOrigin } from "@/src/lib/auth";
import { getUserById, updateUserPassword } from "@/src/lib/models/user";
import { createAuditEvent } from "@/src/lib/models/audit";
import { isRateLimited, registerFailedAttempt, resetAttempts } from "@/src/lib/rate-limit";
import bcrypt from "bcryptjs";
export async function POST(request: NextRequest) {
@@ -14,15 +15,42 @@ export async function POST(request: NextRequest) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
// M3: Rate limit password change attempts to prevent brute-forcing current password
const rateLimitKey = `password-change:${session.user.id}`;
const rateCheck = isRateLimited(rateLimitKey);
if (rateCheck.blocked) {
return NextResponse.json(
{ error: "Too many attempts. Please try again later." },
{ status: 429, headers: rateCheck.retryAfterMs ? { "Retry-After": String(Math.ceil(rateCheck.retryAfterMs / 1000)) } : undefined }
);
}
const body = await request.json();
const { currentPassword, newPassword } = body;
// L4: Enforce password complexity matching production admin password requirements
if (!newPassword || newPassword.length < 12) {
return NextResponse.json(
{ error: "New password must be at least 12 characters long" },
{ status: 400 }
);
}
const complexityErrors: string[] = [];
if (!/[A-Z]/.test(newPassword) || !/[a-z]/.test(newPassword)) {
complexityErrors.push("must include both uppercase and lowercase letters");
}
if (!/[0-9]/.test(newPassword)) {
complexityErrors.push("must include at least one number");
}
if (!/[^A-Za-z0-9]/.test(newPassword)) {
complexityErrors.push("must include at least one special character");
}
if (complexityErrors.length > 0) {
return NextResponse.json(
{ error: `Password ${complexityErrors.join(", ")}` },
{ status: 400 }
);
}
const userId = Number(session.user.id);
const user = await getUserById(userId);
@@ -42,6 +70,7 @@ export async function POST(request: NextRequest) {
const isValid = bcrypt.compareSync(currentPassword, user.password_hash);
if (!isValid) {
registerFailedAttempt(rateLimitKey);
return NextResponse.json(
{ error: "Current password is incorrect" },
{ status: 401 }
@@ -49,6 +78,9 @@ export async function POST(request: NextRequest) {
}
}
// Password verified successfully — reset rate limit counter
resetAttempts(rateLimitKey);
// Hash new password
const newPasswordHash = bcrypt.hashSync(newPassword, 12);