Fix/security codeql remediation 2026 04 #24
EraPartner merged 6 commits into main on Apr 29, 2026
Resolves the actionable CodeQL alerts surfaced on main:

- main.js CORS: never combine wildcard origin with credentials. Wildcard is now only honoured in development and skips Access-Control-Allow-Credentials, matching browser semantics. (closes #27)
- main.js: attach attachmentRateLimiter (60/min) to /api/attachments and spaRateLimiter (600/min) to the SPA fallback so neither path is unbounded. (closes #1, #35, #36)
- rateLimiter.js: add attachmentRateLimiter and spaRateLimiter built on the existing factory.
- importRoutes.js: coerce req.query/body separator with String() before the length check so an array-shaped param cannot bypass the single-char rule (closes #28, #29). cleanup() now refuses to unlink paths outside the OS temp roots (closes #30).
- dataImportService.js: read CSV uploads only from the OS temp roots with an encoding allowlist (closes #31, #32).
- admin.js: keep dynamic VACUUM SQL (cannot be parameterised) but add CodeQL-tagged comments explaining the pg_stat_user_tables allowlist and that adminMutateLimiter is bound at the route level. Manual UI dismissal will follow for #33, #34.
- sanitize.ts: stripHtml now loops until stable so nested-tag bypasses like <<a>script> cannot survive a single pass (closes #6).
- validate-locales.js: replace ReDoS-prone multiline regex with an anchored single-line regex iterated per line (closes #24).

Tests: 1379 backend + 153 frontend green; eslint reports 0 errors.
…iation
- New docs/adr/042-codeql-dependabot-remediation-2026-04.md with full triage table
- Append 2026-04-29 section to dependency-security-remediation-2026-04.md
- Update rate-limiting.md with attachmentRateLimiter + spaRateLimiter
- Update data-protection.md with CORS wildcard/credentials policy
- Update api-endpoint-matrix.md with 60 req/min on attachment endpoints
- Update input-validation.md with ADR-042 cross-reference
- Update adr/index.md with ADR-042 in Recent Decisions
…ks + Vary: Origin
- importRoutes.js cleanup(): add codeql[js/path-injection] inline suppression at the unlink call; TMP_ROOTS allowlist is the guard (CodeQL cannot trace through it)
- dataImportService.js safeReadCsv(): same suppression pattern at readFile call
- main.js CORS: add Vary: Origin header when reflecting a validated origin, and add codeql[js/cors-misconfiguration] suppression — wildcard/credentials split is the real fix; this silences residual scanner noise on the reflected-origin branch
…ate-limit
- sanitize.ts: suppress js/incomplete-sanitization — iterative loop handles nested-tag bypass
- main.js: suppress js/missing-rate-limiting on SPA sendFile — spaRateLimiter is applied as route middleware
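The two fixes the description and commits spell out in most detail are the sanitize.ts fixed-point stripHtml and the main.js CORS wildcard/credentials split with Vary: Origin. The following is an added example modelling both, not code from this PR or repository; the function names, the tag regex, the `'*'` entry in the allowlist and the `env` switch are assumptions.

```javascript
// Added example (not the project's code). Models the sanitize.ts and main.js
// CORS behaviour described in the PR; names and the regex are assumptions.

// Single-pass strip: removes one layer of tag-shaped tokens. The nested-tag
// input "<<a>script>" survives it because removing "<a>" reassembles "<script>".
function stripHtmlOnce(input) {
  return input.replace(/<\/?[a-zA-Z][^>]*>/g, '');
}

// Fixed-point strip: repeat until a pass changes nothing. The round bound keeps
// a hostile input from holding the loop; if it is hit, drop bare angle brackets
// rather than return tag fragments.
function stripHtml(input, maxRounds = 20) {
  let current = String(input);
  for (let i = 0; i < maxRounds; i++) {
    const next = stripHtmlOnce(current);
    if (next === current) return next;
    current = next;
  }
  return current.replace(/[<>]/g, '');
}

// CORS headers for one request. A validated origin is reflected together with
// credentials and Vary: Origin (so shared caches key on the origin). The
// wildcard is honoured only in development and never paired with
// Access-Control-Allow-Credentials, which browsers reject anyway. Anything
// else gets no CORS headers, so the browser blocks the cross-origin read.
function corsHeaders(requestOrigin, allowedOrigins, env) {
  const headers = {};
  if (allowedOrigins.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin';
  } else if (env === 'development' && allowedOrigins.includes('*')) {
    headers['Access-Control-Allow-Origin'] = '*'; // deliberately no credentials header
  }
  return headers;
}

// Constructed sample inputs.
console.log(stripHtmlOnce('<<a>script>'), '|', stripHtml('<<a>script>'));
console.log(corsHeaders('https://app.example', ['https://app.example'], 'production'));
console.log(corsHeaders('https://other.example', ['*'], 'production'));
```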