security: fix 17 vulnerabilities from comprehensive pentest

Fixes identified from full security audit covering auth, crypto, injection, infrastructure, and configuration security. Critical: - C1: Fail-closed on unrecognized NODE_ENV (prevent DEV_SECRET in staging) - C3: Validate API token expires_at (reject invalid dates that bypass expiry) High: - H1: Refresh JWT role from DB on each session (reflect demotions immediately) - H2: Docker socket proxy for l4-port-manager (restrict API surface) - H5: Block dangerous WAF custom directives (SecRuleEngine, SecAuditEngine) - H7: Require explicit NEXTAUTH_TRUST_HOST instead of always trusting Host - H8: Semantic validation of sync payload (block metadata SSRF, size limits) Medium: - M3: Rate limit password change current-password verification - M5: Parameterized SQL in log/waf parsers (replace template literals) - M6: Nonce-based CSP replacing unsafe-inline for script-src - M9: Strip Caddy placeholders from rewrite path_prefix - M10: Sanitize authentik outpostDomain (path traversal, placeholders) - M14: Deny access on missing JWT role instead of defaulting to "user" Low: - L1: Require Origin header on mutating session-authenticated requests - L4: Enforce password complexity on user password changes - L5: Time-limited legacy SHA-256 key fallback (grace period until 2026-06-01) - L6: Escape LIKE metacharacters in audit log search - L7: Runtime-validate WAF excluded_rule_ids as positive integers Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 12:14:44 +01:00
parent 7a12ecf2fe
commit debd0d98fc
18 changed files with 339 additions and 77 deletions
@@ -1,5 +1,6 @@
 import { auth } from "@/src/lib/auth";
 import { NextResponse } from "next/server";
+import crypto from "node:crypto";

 /**
 * Next.js Proxy for route protection.
@@ -9,6 +10,30 @@ import { NextResponse } from "next/server";
 * Note: Proxy always runs on Node.js runtime.
 */

+const isDev = process.env.NODE_ENV === "development";
+
+/**
+ * M6: Build a nonce-based Content-Security-Policy per request.
+ * Next.js reads the nonce from the CSP request header and applies it
+ * to all inline scripts it generates.
+ */
+function buildCsp(nonce: string): string {
+  const directives = [
+    "default-src 'self'",
+    isDev
+      ? `script-src 'self' 'nonce-${nonce}' 'unsafe-eval'`
+      : `script-src 'self' 'nonce-${nonce}'`,
+    // style-src still needs 'unsafe-inline' for React JSX inline style props
+    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+    "font-src 'self' https://fonts.gstatic.com",
+    "img-src 'self' data: blob:",
+    "worker-src blob:",
+    "connect-src 'self'",
+    "frame-ancestors 'none'",
+  ];
+  return directives.join("; ");
+}
+
 export default auth((req) => {
  const isAuthenticated = !!req.auth;
  const pathname = req.nextUrl.pathname;
@@ -30,7 +55,26 @@ export default auth((req) => {
    return NextResponse.redirect(loginUrl);
  }

-  return NextResponse.next();
+  // Generate per-request nonce for CSP
+  const nonce = crypto.randomBytes(16).toString("base64");
+  const csp = buildCsp(nonce);
+
+  // Set CSP as a request header so Next.js can read the nonce
+  const requestHeaders = new Headers(req.headers);
+  requestHeaders.set("Content-Security-Policy", csp);
+
+  const response = NextResponse.next({
+    request: { headers: requestHeaders },
+  });
+
+  // Also set CSP as a response header for browser enforcement
+  response.headers.set("Content-Security-Policy", csp);
+  response.headers.set("X-Content-Type-Options", "nosniff");
+  response.headers.set("X-Frame-Options", "DENY");
+  response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
+  response.headers.set("Permissions-Policy", "camera=(), microphone=(), geolocation=(), interest-cohort=()");
+
+  return response;
 });

 export const config = {