Security Fixes
Objective: Remediate all 11 confirmed security findings from the piolium balanced audit (1 HIGH, 10 MEDIUM).
Status legend: [ ] todo, [~] in-progress, [x] done
Tasks
- 01 — Fix stored XSS via unsanitized innerHTML in blog rendering →
01-fix-stored-xss-blog-rendering.md - 02 — Fix SSRF via Puppeteer --no-sandbox in report generation →
02-fix-puppeteer-ssrf-report-gen.md - 03 — Fix open redirect via unvalidated return URL in Stripe checkout →
03-fix-open-redirect-stripe-return-url.md - 04 — Fix rate limit bypass via incomplete sensitive path list →
04-fix-rate-limit-substring-bypass.md - 05 — Fix CORS origin trust from unvalidated APP_URL env var →
05-fix-cors-origin-env-var-validation.md - 06 — Fix webhook type coercion bypassing TypeScript safety →
06-fix-webhook-type-coercion.md - 07 — Fix webhook replay via missing event ID deduplication →
07-fix-webhook-replay-missing-dedup.md - 08 — Fix WebSocket JWT leakage via query parameter →
08-fix-websocket-jwt-query-param-leak.md - 09 — Fix WebSocket no Origin header validation →
09-fix-websocket-origin-validation.md - 10 — Fix VoicePrint resource exhaustion via unbounded audio upload →
10-fix-voiceprint-resource-exhaustion.md - 11 — Fix browser extension vulnerable dependency (superjson CVE-2022-23631) →
11-fix-browser-ext-superjson-cve.md
Dependencies
- 07 depends on 06 (webhook type coercion fix shares billing.service.ts; dedup needs validated data shapes)
- 09 depends on 08 (WebSocket JWT header auth is the prerequisite for Origin validation to be meaningful)
Exit criteria
- The feature is complete when all 11 findings have been remediated, each wit passing tests, and no regression is introduced to the existing codebase.