Patrick/medassist-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: fix CodeQL vulnerabilities (SSRF, XSS, rate limiting)

Browse Source 
- Add URL validation to prevent SSRF attacks on notification endpoints
  - Block private IPs (10.x, 172.16-31.x, 192.168.x, 169.254.x)
  - Block localhost and internal hostnames
  - Only allow HTTP/HTTPS protocols
- Add HTML escaping for medication names in email templates (XSS)
- Add stricter rate limiting for auth routes (5 req/15min for login/register)
- Add SSRF protection tests (405 tests total)
This commit is contained in:
Daniel Volz
2025-12-30 11:52:00 +01:00
parent b5e12c7a95
commit cb1810586d
6 changed files with 138 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/package.json
+1 -1
View File
@@ -18,7 +18,7 @@
"@fastify/helmet": "^13.0.2",
"@fastify/jwt": "^10.0.0",
"@fastify/multipart": "^9.3.0",
"@fastify/rate-limit": "^10.1.0",
"@fastify/rate-limit": "^10.3.0",
"@fastify/sensible": "^6.0.4",
"@fastify/static": "^8.3.0",
"@libsql/client": "^0.10.0",