k1nq/TREK

Fork 0

mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-19 13:21:46 +00:00

Commit Graph

Author	SHA1	Message	Date
Julien G.	e7b419d397	security: login timing enumeration fix + dep CVE patches (v3.0.18) (#984 ) * fix(security): equalise login response timing to prevent user enumeration (CWE-208) Always run bcrypt.compareSync regardless of whether the email exists, using a module-scope DUMMY_PASSWORD_HASH for unknown/OIDC-only accounts. Also wraps the login handler in a 350ms minimum-latency pad (matching /forgot-password) as defence-in-depth against CPU jitter and future code-path drift. Fixes: CWE-203, CWE-208 — Observable Timing Discrepancy (CVSS 5.3 Medium) * chore(deps): patch hono/picomatch/ip-address/brace-expansion CVEs, bump to node:24-alpine Extends server/package.json overrides to pin hono >=4.12.16, picomatch >=4.0.4, brace-expansion >=2.0.3, ip-address >=10.1.1. Adds matching overrides to client/. Lockfiles regenerated to resolve: hono 4.12.18, ip-address 10.2.0, picomatch 4.0.4. Also bumps base image node:22-alpine -> node:24-alpine (reduces base image CVEs) and adds .github/workflows/security.yml to gate PRs on critical/high CVEs via Docker Scout. Addresses: CVE-2026-44456, CVE-2026-44455 (hono), CVE-2026-42338 (ip-address), CVE-2026-33671, CVE-2026-33672 (picomatch), CVE-2026-33750 (brace-expansion) * chore: update emails in security.md * ci(security): use docker/login-action for Scout auth instead of env vars * chore: regenerate lock files * chore: correct secret names * chore: pr perms write * fix(docker): remove package-lock.json from production image after npm ci Docker Scout reads package-lock.json as an SBOM source and reports all lockfile entries including devDependencies (e.g. picomatch via vitest/vite) even when they are not physically installed. The lockfile has no runtime purpose after npm ci completes, so delete it to ensure Scout only reports packages actually present in node_modules. * fix(docker): remove npm CLI from production image to eliminate bundled CVEs picomatch@4.0.3, brace-expansion@5.0.4, and ip-address@10.1.0 were all coming from /usr/local/lib/node_modules/npm — npm's own bundled packages shipped with node:24-alpine. The production container only needs the node binary to run the server; npm is unused at runtime. Removing npm + npx after npm ci drops the package count from 500 to 365 and eliminates all npm-ecosystem CVEs (0H 0M remaining from npm packages). Only busybox CVE-2025-60876 remains, which has no fix in Alpine 3.23. * fix(deps): remove client overrides and brace-expansion server override; audit fix brace-expansion ^2.0.3 in the client forced all installations to v2, breaking minimatch in CI (test:coverage path via @vitest/coverage-v8 -> test-exclude) which expects the named-export API of brace-expansion v5. The CVE it targeted (>=4.0.0,<5.0.5) was only in npm's own bundled packages, already eliminated by removing npm from the Docker image. Also removes picomatch and ip-address client overrides for the same reason: all three CVEs sourced from /usr/local/lib/node_modules/npm/, not app deps. Drops brace-expansion from server overrides (server uses v2.1.0, outside the affected range >=4.0.0). * fix(#981): align public share itinerary order with daily planner (#985) The public share page rendered daily items in a different order than the authenticated planner because it used a simplified, divergent merge algorithm. Five specific bugs: 1. shareService never loaded reservation_day_positions, so per-day transport positions were lost on the share page (fell back to day_plan_position ?? 999, pushing transports to the bottom). 2. Multi-day transports (overnight trains/flights) only appeared on their start day due to date-string filtering instead of day_id span logic. 3. Assignment-linked transports appeared twice (once as place, once as transport card) because the assignment_id exclusion was missing. 4. Time-based transport insertion was absent; missing positions used 999 instead of a computed fractional position from the place timeline. 5. created_at tiebreaker was missing for assignments and notes with equal order_index/sort_order, making order non-deterministic on the share page. Fix: extract the authoritative merge logic (parseTimeToMinutes, getSpanPhase, getDisplayTimeForDay, getTransportForDay, getMergedItems) from DayPlanSidebar into client/src/utils/dayMerge.ts and use it in both the planner and SharedTripPage. Enrich the shareService payload with day_positions from reservation_day_positions and add created_at tiebreakers to the assignment and day_notes ORDER BY clauses. * fix(#983): shift owner vacay entries when update_trip moves trip window updateTrip() now calls shiftOwnerEntriesForTripWindow() which looks up the owner's own vacay plan (not the active plan) and shifts all entries in the old date window by the same offset as the trip start date.	2026-05-10 16:03:15 +02:00
jubnl	b4922322ae	test: expand test suite to 87.3% backend coverage Add new integration test files covering previously untested routes: - categories.test.ts — GET /api/categories - oidc.test.ts — full OIDC login flow (callback, state, errors) - settings.test.ts — GET/PUT /api/settings, bulk save - tags.test.ts — CRUD for trip tags - todo.test.ts — todo items CRUD and reorder Add new unit test files covering service-layer logic: - adminService.test.ts — user/invite management, packing templates, OIDC settings - atlasService.test.ts — atlas search and place enrichment - authServiceDb.test.ts — DB-backed auth helpers (login, register, MFA) - backupService.test.ts — export/import/restore logic - categoryService.test.ts — category CRUD - dayService.test.ts — day management and accommodation helpers - mapsService.test.ts — route/directions helpers - oidcService.test.ts — OIDC state, auth code, role resolution, user upsert - packingService.test.ts — packing item/bag/template operations - placeService.test.ts — place CRUD and tag attachment - settingsService.test.ts — settings get/set/bulk - tagService.test.ts — tag CRUD - todoService.test.ts — todo CRUD and reorder - tripService.test.ts — trip CRUD, member management, archiving - vacayService.test.ts — vacay integration helpers - tripAccess.test.ts (middleware) — requireTripAccess middleware Expand existing integration and unit test files with additional cases across admin, atlas, auth, backup, collab, days, files, maps, memories (Immich/Synology), notifications, places, reservations, share, vacay, weather, auth middleware, ephemeral tokens, notification preferences, permissions, SSRF guard, and WebSocket connection tests. Update test helpers (factories.ts, test-db.ts) with new factory functions and seed data required by the expanded suite. Fix minor issues in server/src/routes/reservations.ts and server/src/services/atlasService.ts surfaced by new test coverage. Update sonar-project.properties to reflect new coverage thresholds.	2026-04-06 20:08:30 +02:00
Julien G.	905c7d460b	Add comprehensive backend test suite (#339 ) * add test suite, mostly covers integration testing, tests are only backend side * workflow runs the correct script * workflow runs the correct script * workflow runs the correct script * unit tests incoming * Fix multer silent rejections and error handler info leak - Revert cb(null, false) to cb(new Error(...)) in auth.ts, collab.ts, and files.ts so invalid uploads return an error instead of silently dropping the file - Error handler in app.ts now always returns 500 / "Internal server error" instead of forwarding err.message to the client * Use statusCode consistently for multer errors and error handler - Error handler in app.ts reads err.statusCode to forward the correct HTTP status while keeping the response body generic	2026-04-03 13:17:53 +02:00

Author

SHA1

Message

Date

Julien G.

e7b419d397

security: login timing enumeration fix + dep CVE patches (v3.0.18) (#984 )

* fix(security): equalise login response timing to prevent user enumeration (CWE-208)

Always run bcrypt.compareSync regardless of whether the email exists, using a
module-scope DUMMY_PASSWORD_HASH for unknown/OIDC-only accounts. Also wraps the
login handler in a 350ms minimum-latency pad (matching /forgot-password) as
defence-in-depth against CPU jitter and future code-path drift.

Fixes: CWE-203, CWE-208 — Observable Timing Discrepancy (CVSS 5.3 Medium)

* chore(deps): patch hono/picomatch/ip-address/brace-expansion CVEs, bump to node:24-alpine

Extends server/package.json overrides to pin hono >=4.12.16, picomatch >=4.0.4,
brace-expansion >=2.0.3, ip-address >=10.1.1. Adds matching overrides to client/.
Lockfiles regenerated to resolve: hono 4.12.18, ip-address 10.2.0, picomatch 4.0.4.

Also bumps base image node:22-alpine -> node:24-alpine (reduces base image CVEs)
and adds .github/workflows/security.yml to gate PRs on critical/high CVEs via
Docker Scout.

Addresses: CVE-2026-44456, CVE-2026-44455 (hono), CVE-2026-42338 (ip-address),
           CVE-2026-33671, CVE-2026-33672 (picomatch), CVE-2026-33750 (brace-expansion)

* chore: update emails in security.md

* ci(security): use docker/login-action for Scout auth instead of env vars

* chore: regenerate lock files

* chore: correct secret names

* chore: pr perms write

* fix(docker): remove package-lock.json from production image after npm ci

Docker Scout reads package-lock.json as an SBOM source and reports all
lockfile entries including devDependencies (e.g. picomatch via vitest/vite)
even when they are not physically installed. The lockfile has no runtime
purpose after npm ci completes, so delete it to ensure Scout only reports
packages actually present in node_modules.

* fix(docker): remove npm CLI from production image to eliminate bundled CVEs

picomatch@4.0.3, brace-expansion@5.0.4, and ip-address@10.1.0 were all
coming from /usr/local/lib/node_modules/npm — npm's own bundled packages
shipped with node:24-alpine. The production container only needs the node
binary to run the server; npm is unused at runtime.

Removing npm + npx after npm ci drops the package count from 500 to 365
and eliminates all npm-ecosystem CVEs (0H 0M remaining from npm packages).
Only busybox CVE-2025-60876 remains, which has no fix in Alpine 3.23.

* fix(deps): remove client overrides and brace-expansion server override; audit fix

brace-expansion ^2.0.3 in the client forced all installations to v2, breaking
minimatch in CI (test:coverage path via @vitest/coverage-v8 -> test-exclude)
which expects the named-export API of brace-expansion v5. The CVE it targeted
(>=4.0.0,<5.0.5) was only in npm's own bundled packages, already eliminated
by removing npm from the Docker image.

Also removes picomatch and ip-address client overrides for the same reason:
all three CVEs sourced from /usr/local/lib/node_modules/npm/, not app deps.
Drops brace-expansion from server overrides (server uses v2.1.0, outside the
affected range >=4.0.0).

* fix(#981): align public share itinerary order with daily planner (#985)

The public share page rendered daily items in a different order than the
authenticated planner because it used a simplified, divergent merge
algorithm. Five specific bugs:

1. shareService never loaded reservation_day_positions, so per-day
   transport positions were lost on the share page (fell back to
   day_plan_position ?? 999, pushing transports to the bottom).
2. Multi-day transports (overnight trains/flights) only appeared on their
   start day due to date-string filtering instead of day_id span logic.
3. Assignment-linked transports appeared twice (once as place, once as
   transport card) because the assignment_id exclusion was missing.
4. Time-based transport insertion was absent; missing positions used 999
   instead of a computed fractional position from the place timeline.
5. created_at tiebreaker was missing for assignments and notes with equal
   order_index/sort_order, making order non-deterministic on the share page.

Fix: extract the authoritative merge logic (parseTimeToMinutes,
getSpanPhase, getDisplayTimeForDay, getTransportForDay, getMergedItems)
from DayPlanSidebar into client/src/utils/dayMerge.ts and use it in both
the planner and SharedTripPage. Enrich the shareService payload with
day_positions from reservation_day_positions and add created_at tiebreakers
to the assignment and day_notes ORDER BY clauses.

* fix(#983): shift owner vacay entries when update_trip moves trip window

updateTrip() now calls shiftOwnerEntriesForTripWindow() which looks up
the owner's own vacay plan (not the active plan) and shifts all entries
in the old date window by the same offset as the trip start date.

2026-05-10 16:03:15 +02:00

jubnl

b4922322ae

test: expand test suite to 87.3% backend coverage

Add new integration test files covering previously untested routes:
- categories.test.ts — GET /api/categories
- oidc.test.ts — full OIDC login flow (callback, state, errors)
- settings.test.ts — GET/PUT /api/settings, bulk save
- tags.test.ts — CRUD for trip tags
- todo.test.ts — todo items CRUD and reorder

Add new unit test files covering service-layer logic:
- adminService.test.ts — user/invite management, packing templates, OIDC settings
- atlasService.test.ts — atlas search and place enrichment
- authServiceDb.test.ts — DB-backed auth helpers (login, register, MFA)
- backupService.test.ts — export/import/restore logic
- categoryService.test.ts — category CRUD
- dayService.test.ts — day management and accommodation helpers
- mapsService.test.ts — route/directions helpers
- oidcService.test.ts — OIDC state, auth code, role resolution, user upsert
- packingService.test.ts — packing item/bag/template operations
- placeService.test.ts — place CRUD and tag attachment
- settingsService.test.ts — settings get/set/bulk
- tagService.test.ts — tag CRUD
- todoService.test.ts — todo CRUD and reorder
- tripService.test.ts — trip CRUD, member management, archiving
- vacayService.test.ts — vacay integration helpers
- tripAccess.test.ts (middleware) — requireTripAccess middleware

Expand existing integration and unit test files with additional cases
across admin, atlas, auth, backup, collab, days, files, maps, memories
(Immich/Synology), notifications, places, reservations, share, vacay,
weather, auth middleware, ephemeral tokens, notification preferences,
permissions, SSRF guard, and WebSocket connection tests.

Update test helpers (factories.ts, test-db.ts) with new factory
functions and seed data required by the expanded suite.

Fix minor issues in server/src/routes/reservations.ts and
server/src/services/atlasService.ts surfaced by new test coverage.

Update sonar-project.properties to reflect new coverage thresholds.

2026-04-06 20:08:30 +02:00

Julien G.

905c7d460b

Add comprehensive backend test suite (#339 )

* add test suite, mostly covers integration testing, tests are only backend side

* workflow runs the correct script

* workflow runs the correct script

* workflow runs the correct script

* unit tests incoming

* Fix multer silent rejections and error handler info leak

- Revert cb(null, false) to cb(new Error(...)) in auth.ts, collab.ts,
  and files.ts so invalid uploads return an error instead of silently
  dropping the file
- Error handler in app.ts now always returns 500 / "Internal server
  error" instead of forwarding err.message to the client

* Use statusCode consistently for multer errors and error handler

- Error handler in app.ts reads err.statusCode to forward the correct
  HTTP status while keeping the response body generic

2026-04-03 13:17:53 +02:00

3 Commits