Lumi/security-audit-findings.json
2026-05-30 20:37:42 +02:00


[
{
"id": "LUMI-001",
"severity": "High",
"title": "Missing CSRF protection on state-changing routes",
"affected": [
"/admin/*",
"/profile/*",
"/auth/logout"
],
"evidence": "No CSRF middleware in src/web/server.js; POST routes rely solely on session cookies.",
"impact": "Logged-in admins can be tricked into executing sensitive actions (plugin install/update, settings changes, restart).",
"fix": "Add CSRF tokens (or Origin/Referer checks) to the state-changing routes and set the SameSite attribute on the session cookie."
},
{
"id": "LUMI-002",
"severity": "Medium",
"title": "Session cookie missing Secure and SameSite",
"affected": [
"/"
],
"evidence": "Set-Cookie: connect.sid=...; Path=/; HttpOnly (no Secure/SameSite)",
"impact": "The session cookie may be sent over plain HTTP or in cross-site requests, which increases the risk of CSRF and session hijacking.",
"fix": "Configure the express-session cookie options with Secure and SameSite=Lax; when the app runs behind a TLS-terminating proxy, also set trust proxy so that the Secure cookie is still issued."
},
{
"id": "LUMI-003",
"severity": "Medium",
"title": "Session fixation risk after OAuth login",
"affected": [
"/auth/discord/callback",
"/auth/twitch/callback"
],
"evidence": "The session is populated without regeneration in src/web/server.js (req.session.user is set directly on the existing session).",
"impact": "An attacker who can plant a session ID in the victim's browser before login could reuse that same session after the victim authenticates.",
"fix": "Call req.session.regenerate() in the OAuth callback before storing any authenticated user data in the session."
},
{
"id": "LUMI-004",
"severity": "Medium",
"title": "Plugin route role not enforced",
"affected": [
"/plugins/sample-plugin",
"/plugins/*"
],
"evidence": "web.mount registers plugin routes with app.use and no role guard; the sample plugin, although labeled admin, is publicly accessible.",
"impact": "Plugin pages intended for admins are reachable by unauthenticated users.",
"fix": "Enforce navItem.role in web.mount with requireRole(role)."
},
{
"id": "LUMI-005",
"severity": "Low",
"title": "Missing baseline security headers",
"affected": [
"/",
"/commands",
"/leaderboards"
],
"evidence": "No Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy or Permissions-Policy headers are set; the X-Powered-By header is present.",
"impact": "Increases exposure to clickjacking, XSS and MIME sniffing, and lets the framework be fingerprinted via X-Powered-By.",
"fix": "Use helmet to set the baseline security headers and disable the X-Powered-By header."
}
]