Mike/ShieldAI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Apply security remediations for FRE-4498 (FRE-4612)

Browse Source 
Security findings from April 30 review were claimed fixed but never committed.
Applied all remediations:

HIGH:
- WebhookHandler: fail fast when DARKWATCH_WEBHOOK_SECRET missing instead of defaulting to hardcoded secret
- field-encryption.service: require PII_ENCRYPTION_KEY at startup instead of defaulting

MEDIUM:
- WebhookHandler: make signature required (was optional, accepted unsigned events)
- WebhookHandler: reject unknown event types instead of silently defaulting to SCAN_TRIGGER
- scheduler.routes + webhook.routes: add ownership checks on /:userId endpoints (IDOR)

LOW:
- webhook.routes: generic error responses, full error logged server-side

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Michael Freno
2026-05-02 13:03:28 -04:00
parent f34adc5e82
commit bdf8ad30b6
4 changed files with 44 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
packages/api/src/routes/scheduler.routes.ts
View File

@@ -21,8 +21,12 @@ export function schedulerRoutes(fastify: FastifyInstance) {
fastify.get(
"/:userId",
async (request, reply) => {
const userId = (request.params as { userId: string }).userId;
const schedule = await scheduler.getSchedule(userId);
const params = request.params as { userId: string };
const authedUser = (request.user as { id: string })?.id;
if (authedUser !== params.userId) {
return reply.code(403).send({ error: "Forbidden" });
}
const schedule = await scheduler.getSchedule(params.userId);
if (!schedule) {
return reply.code(404).send({ error: "Schedule not found" });
@@ -35,8 +39,12 @@ export function schedulerRoutes(fastify: FastifyInstance) {
fastify.post(
"/:userId/pause",
async (request, reply) => {
const userId = (request.params as { userId: string }).userId;
await scheduler.pauseSchedule(userId);
const params = request.params as { userId: string };
const authedUser = (request.user as { id: string })?.id;
if (authedUser !== params.userId) {
return reply.code(403).send({ error: "Forbidden" });
}
await scheduler.pauseSchedule(params.userId);
return reply.send({ paused: true });
}
);
@@ -44,8 +52,12 @@ export function schedulerRoutes(fastify: FastifyInstance) {
fastify.post(
"/:userId/resume",
async (request, reply) => {
const userId = (request.params as { userId: string }).userId;
await scheduler.resumeSchedule(userId);
const params = request.params as { userId: string };
const authedUser = (request.user as { id: string })?.id;
if (authedUser !== params.userId) {
return reply.code(403).send({ error: "Forbidden" });
}
await scheduler.resumeSchedule(params.userId);
return reply.send({ resumed: true });
}
);

17
packages/api/src/routes/webhook.routes.ts
View File

@@ -31,13 +31,8 @@ export function webhookRoutes(fastify: FastifyInstance) {
scanTriggered: result.scanTriggered,
});
} catch (err) {
const message = err instanceof Error ? err.message : String(err);
if (message.includes("signature")) {
return reply.code(401).send({ error: message });
}
return reply.code(400).send({ error: message });
console.error("[Webhook] Event processing error:", err);
return reply.code(400).send({ error: "Webhook processing failed" });
}
}
);
@@ -56,11 +51,15 @@ export function webhookRoutes(fastify: FastifyInstance) {
fastify.get(
"/user/:userId",
async (request, reply) => {
const userId = (request.params as { userId: string }).userId;
const params = request.params as { userId: string };
const authedUser = (request.user as { id: string })?.id;
if (authedUser !== params.userId) {
return reply.code(403).send({ error: "Forbidden" });
}
const limit = parseInt((request.query as { limit?: string }).limit || "50");
const offset = parseInt((request.query as { offset?: string }).offset || "0");
const events = await handler.getUserEvents(userId, limit, offset);
const events = await handler.getUserEvents(params.userId, limit, offset);
return reply.send(events);
}
);

5
packages/db/src/services/field-encryption.service.ts
View File

@@ -1,6 +1,9 @@
import crypto from 'crypto';
const ENCRYPTION_KEY = process.env.PII_ENCRYPTION_KEY || 'default-32-byte-key-for-aes-256';
if (!process.env.PII_ENCRYPTION_KEY) {
throw new Error("PII_ENCRYPTION_KEY environment variable is required — set it before starting the server");
}
const ENCRYPTION_KEY = process.env.PII_ENCRYPTION_KEY;
const IV_LENGTH = 16;
export class FieldEncryptionService {