v1.2.2 - Security Fixes

@chicohaager chicohaager released this 07 Dec 16:20

Security Fixes

Critical

  • IDOR Vulnerabilities - Fixed in diary and budget routes
    • Added shared access_control.py utility
    • Now checks trip owner OR accepted participant
  • Path Traversal - Fixed in photo deletion
    • Validates filename and resolves path within upload directory
  • CSRF Middleware Bug - Fixed undefined variable

High Priority

  • Password Reset Token Reuse - Tokens now invalidated after use
    • New password_changed_at field tracks when password was changed
    • Tokens issued before password change are rejected
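
The token-reuse fix described above, as an added sketch that is not the project's code from backend/routes/password_reset.py. Only the password_changed_at field comes from the release notes; the HMAC-signed token format, SECRET, MAX_AGE, the function names and the in-memory users dict are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, os

SECRET = b"constructed-demo-key"   # assumption: server-side signing key
MAX_AGE = 3600                     # assumption: one-hour token lifetime

def _mac(body: bytes) -> bytes:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()

def issue_token(user_id: int, now: float) -> str:
    # The issue time (iat) is signed into the token so it cannot be altered.
    body = json.dumps({"uid": user_id, "iat": now}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _mac(body).decode()

def verify_token(token: str, users: dict, now: float):
    """Return the user record the token is valid for, or None."""
    try:
        b64, sig = token.split(".")
        body = base64.urlsafe_b64decode(b64)
        if not hmac.compare_digest(sig.encode(), _mac(body)):
            return None                      # forged or tampered token
        claims = json.loads(body)
        user, iat = users.get(claims["uid"]), claims["iat"]
    except (ValueError, KeyError, TypeError):
        return None                          # malformed token
    if user is None or not 0 <= now - iat <= MAX_AGE:
        return None                          # unknown user or expired token
    changed = user["password_changed_at"]
    # Core of the fix: a token issued before the last password change is dead.
    # Ties are rejected as well (a conservative choice made in this sketch).
    if changed is not None and iat <= changed:
        return None
    return user

def reset_password(token: str, new_password: str, users: dict, now: float) -> bool:
    user = verify_token(token, users, now)
    if user is None:
        return False
    salt = os.urandom(16)
    user["password_hash"] = salt + hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), salt, 600_000)
    # Recording the change time invalidates every token issued earlier,
    # including the one that was just used.
    user["password_changed_at"] = now
    return True
```

Because validity is derived from the change timestamp, no per-token "used" flag or denylist is needed, and any other outstanding reset tokens for the same account are invalidated by the same write.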

Rate Limiting

  • Photo upload: 60/min → 15/min (prevents storage DoS)
  • Audio transcription: New 10/hour limit (prevents API cost abuse)

Files Changed

  • backend/middleware/security.py
  • backend/models/user.py
  • backend/routes/budget.py
  • backend/routes/diary.py
  • backend/routes/password_reset.py
  • backend/utils/access_control.py (new)
  • backend/utils/rate_limits.py