fix(security): harden security across auth, API, frontend, and infra#10
Merged
- Replace assert($user instanceof User) with AccessDeniedException in all state processors and providers
- Add SsrfSafeUrl custom validator, apply to AddFeedInput
- Fix api_platform.yaml formats scoped under when@prod by mistake
- Update register Behat passwords to pass PasswordStrength check

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Return identical 201 response regardless of email existence
- Add PasswordStrength(MEDIUM) constraint to RegisterInput
- RegisterHandler no longer throws EmailAlreadyExistsException
- RegisterController returns generic message instead of user ID

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Add dompurify dependency to prevent XSS via article content
- Wrap dangerouslySetInnerHTML with DOMPurify.sanitize() in ArticlePage

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Apply SsrfSafeUrl constraint to AddFeedInput URL field
- Replace raw exception message in CrawlFeedMessageHandler with a generic error to avoid leaking internal details
- Clear hardcoded secrets from .env and .env.dev
- Add Content-Security-Policy header in Caddyfile

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Add composer audit for PHP dependency vulnerabilities
- Add npm audit --audit-level=high for JS dependencies
- Add TruffleHog secret scanning job
- Remove || true from typecheck and lint (enforce them)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 28737789 | Triggered | Company Email Password | f2313b3 | features/api/register.feature | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future, consider
- following these best practices for managing and storing secrets, including API keys and other credentials
- installing secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
- Add typecheck script to package.json (tsc -b --noEmit)
- Allow composer audit exit code 2 (abandoned packages, non-blocking) while still failing on exit code 1 (actual vulnerabilities)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Fix axios DoS via prototype pollution (GHSA-43fc-jf86-j433)
- Fix rollup path traversal (GHSA-mw96-cpmx-2vgc)
- Fix minimatch ReDoS (GHSA-3ppc-4f35-3m26, GHSA-7r86-cg39-jmmj)
- Fix flatted unbounded recursion DoS (GHSA-25h7-pfq9-p65f)
- Fix ajv ReDoS (GHSA-2g4f-4pwh-qvx6)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The previous approach used semicolons which don't prevent bash set -e from exiting early on failure. Use || compound command so exit code 2 (abandoned packages) is non-blocking. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
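An added illustration of the exit-code handling this commit describes; it is not the project's CI workflow. `audit_gate` is the `||` compound form from the commit message, `run_audit` spells the same rule out so the job log says why it passed or failed, and `fake_audit` is a constructed stand-in for `composer audit` so the script runs offline:

```shell
#!/bin/sh
# Added example (not the project's CI workflow): gate a CI job on an audit
# command's exit status under `set -e`. Exit 0 = clean, 2 = abandoned packages
# (warn only), 1 = real advisories (fail). fake_audit is a constructed stand-in
# for `composer audit` so the script runs offline.
set -eu

# Constructed stand-in: exits with the status it is given.
fake_audit() { return "$1"; }

# The wrong form from the commit message: under set -e the failing audit
# aborts the script before rc is ever inspected, so the special case for
# exit 2 never runs.
#   composer audit; rc=$?; [ "$rc" -eq 2 ] && rc=0
#
# The working form: the || compound command keeps set -e from exiting, and
# $? inside the test still holds the audit's status. Returns 0 for exit 0 or 2.
audit_gate() {
  "$@" || [ $? -eq 2 ]
}

# Same rule, spelled out so the job log explains what happened.
# Returns 0 when the pipeline may continue, 1 when it must fail.
audit_status_ok() {
  case "$1" in
    0) echo "audit: no known advisories"; return 0 ;;
    2) echo "audit: abandoned packages only (non-blocking)"; return 0 ;;
    *) echo "audit: vulnerabilities found or audit error (exit $1)" >&2; return 1 ;;
  esac
}

# Capture the status with || rc=$? instead of letting set -e abort.
run_audit() {
  rc=0
  "$@" || rc=$?
  audit_status_ok "$rc"
}

main() {
  audit_gate fake_audit 0 && echo "gate: exit 0 passes"
  audit_gate fake_audit 2 && echo "gate: exit 2 passes"
  if audit_gate fake_audit 1; then
    echo "gate: exit 1 should have failed" >&2; return 1
  fi
  echo "gate: exit 1 blocks as expected"
  run_audit fake_audit 2
  run_audit fake_audit 1 || echo "run_audit: blocked as expected"
}
main
```

Note that the `*)` branch fails on every status other than 0 and 2, so an audit that crashes for an unrelated reason (network error, broken lockfile) also stops the job rather than being mistaken for a clean result.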
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
- Replace `assert()` with `AccessDeniedException` in all state processors/providers; prevent user enumeration on register (generic 201 response); enforce `PasswordStrength(MEDIUM)` on registration
- `SsrfSafeUrl` custom validator, applied to feed URL input
- `Content-Security-Policy` header in Caddyfile; clear hardcoded secrets from `.env`/`.env.dev`; prevent raw exception messages leaking from feed crawl errors
- `composer audit`, `npm audit`, TruffleHog secret scanning; enforce typecheck and lint (remove `|| true`)
- `api_platform.yaml` formats accidentally scoped under `when@prod`; update test passwords to pass strength check

Test plan
- `make quality` passes (lint, PHPStan, Rector)
- `npm run build`

🤖 Generated with Claude Code