Security release. Hardens the optional AI review endpoint against abuse of the operator's LLM key. Fixes #16 (external security review, PR #17 by @julian-maurel). No functional change to auditing.
Security
- Authorization - the AI review is bound to a page the caller can read (
jcr:read); unreadable or missing paths return 403. Closes the "any authenticated user or Personal API Token drives unlimited LLM calls billed to the operator's key" abuse. - Rate limiting - per-user sliding window of 30 reviews / 10 minutes (429 beyond).
- Unauthenticated disclosure - the status GET now requires a non-guest user; provider/model are no longer readable anonymously.
- CSRF - POST requires
Content-Type: application/json(415 otherwise) and rejects cross-origin browser requests (Origin/Referer host check). - Error disclosure - provider/exception detail is logged server-side only; the client gets a generic message.
- Link checker - only same-origin links on a read-only content-serving allowlist (
/cms/render,/cms/file,/files) are verified with the editor session; all other same-origin links are counted but never fetched.
All findings verified live on Jahia 8.2.3.0 (unauth GET → 403, unreadable-path POST → 403, text/plain → 415, cross-origin → 403, 32 concurrent POSTs → exactly 30 processed then 429, legitimate editor review unchanged).
Install
Deploy page-audit-1.3.0.jar via the Jahia module manager (Jahia 8.2+), enable the module on the target site(s). Optional AI review requires org.jahia.se.modules.pageaudit.cfg (provider, model, API key).
See CHANGELOG.md for full history.