Add security hardening and improve logging practices#1

Open
filipvlcekk wants to merge 2 commits into ATechAjay:main from filipvlcekk:claude/audit-bank-statement-security-rkql3

@filipvlcekk
Summary

This PR implements comprehensive security hardening measures and improves logging practices across the application. Key improvements include SSRF attack prevention for Ollama URLs, security headers configuration, input validation, and environment-aware logging to prevent sensitive data leakage in production.

Key Changes

Security Enhancements

  • SSRF Prevention: Added validateOllamaUrl() function to sanitize Ollama URLs, blocking private/internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16) and cloud metadata endpoints while allowing localhost
  • Security Headers: Configured Next.js to emit security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-DNS-Prefetch-Control)
  • Input Validation:
    • Added file size validation (50 MB limit) in FileUpload component
    • Added error handling for corrupted sessionStorage data in review page
    • Hardened XLSX parsing with disabled formula/HTML/style processing
  • URL Sanitization: Enhanced setOllamaUrl() in settings store with protocol validation and trailing slash normalization

Logging Improvements

  • Environment-Aware Logging: Created debugLog() and debugWarn() utilities that only output in development mode, preventing sensitive data leakage in production
  • Consistent Logging: Replaced all console.log() and console.warn() calls with debug utilities across PDF, CSV, XLS, and LLM parsing modules
  • Removed Sensitive State: Removed lastExtractedText global variable and getLastExtractedText() export that could expose sensitive financial data

API Endpoint Hardening

  • Applied URL validation to all LLM API endpoints (status, parse, chat routes)
  • Added graceful error handling with appropriate HTTP status codes

Dependency Cleanup

  • Removed unused dependencies: file-saver, html2canvas, jspdf, tesseract.js, rehype-raw, and their type definitions

Implementation Details

  • URL validation uses standard URL API with regex-based IP range detection
  • Debug logging respects NODE_ENV environment variable for automatic suppression in production builds
  • All validation failures are handled gracefully with user-friendly error messages
  • XLSX parsing now explicitly disables potentially expensive features for better security and performance

https://claude.ai/code/session_01VxaHB5v67Q2yhuipdHsGp6
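
The SSRF check described in the summary above, as an added example in plain JavaScript (not code from this PR or the project): it parses with the standard URL API, then tests the canonical hostname against the four listed ranges. The name `checkOllamaUrl`, its return shape and the metadata hostname `metadata.google.internal` are assumptions.

```javascript
// Added example, not the PR's validateOllamaUrl(); checkOllamaUrl is a hypothetical name.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;
const BLOCKED_V4 = [
  /^10\./,                       // 10.0.0.0/8
  /^172\.(1[6-9]|2\d|3[01])\./,  // 172.16.0.0/12
  /^192\.168\./,                 // 192.168.0.0/16
  /^169\.254\./,                 // 169.254.0.0/16, includes 169.254.169.254
];
// Assumption: the PR text does not name metadata hostnames; this one is GCP's.
const BLOCKED_HOSTS = new Set(['metadata.google.internal']);
const LOOPBACK = new Set(['localhost', '127.0.0.1', '[::1]']);

function checkOllamaUrl(raw) {
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return { ok: false, reason: 'invalid URL' };
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return { ok: false, reason: 'protocol not allowed' };
  }
  // new URL() canonicalises the host (lower case, numeric IPv4 forms become
  // dotted-quad), so match on parsed.hostname, never on the raw string.
  const host = parsed.hostname;
  const url = parsed.href.replace(/\/+$/, ''); // trailing-slash normalisation
  if (LOOPBACK.has(host)) return { ok: true, url };
  if (BLOCKED_HOSTS.has(host)) return { ok: false, reason: 'metadata endpoint' };
  // Apply range patterns only to IPv4 literals so "10.example.com" is not rejected.
  if (IPV4.test(host) && BLOCKED_V4.some((re) => re.test(host))) {
    return { ok: false, reason: 'private or link-local address' };
  }
  return { ok: true, url };
}

// Constructed sample inputs.
for (const u of ['http://localhost:11434/', 'http://192.168.1.10:11434',
                 'http://169.254.169.254/', 'ftp://example.com', 'http://10.example.com']) {
  console.log(u, checkOllamaUrl(u));
}
```

A hostname check of this kind does not cover a name that resolves to a blocked address; that requires checking the resolved IP when the connection is made.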

Address 10 security findings from comprehensive audit:

- [HIGH] Add SSRF protection: validate Ollama URLs in all API routes
  to block private IPs, cloud metadata endpoints, and non-http protocols
- [MEDIUM-HIGH] Add security headers (X-Frame-Options, X-Content-Type-Options,
  Referrer-Policy, Permissions-Policy) via next.config.ts
- [MEDIUM] Validate Ollama URL format in settings store before persisting
- [MEDIUM] Add 50MB file size limit to upload component
- [MEDIUM] Remove module-level state leak (lastExtractedText) in pdfParser
- [MEDIUM] Replace all console.log/warn with dev-only debugLog/debugWarn
  utility to prevent financial data exposure in production
- [LOW-MEDIUM] Add try-catch around JSON.parse in review page
- [LOW] Remove unused deps (rehype-raw, file-saver, html2canvas, jspdf,
  tesseract.js) — rehype-raw was an XSS risk if ever imported
- [LOW] Change Ollama CORS instructions from wildcard to localhost:3000
- [LOW] Disable formula/HTML/style parsing in xlsx for safer Excel handling

https://claude.ai/code/session_01VxaHB5v67Q2yhuipdHsGp6
@vercel
vercel Bot commented Feb 22, 2026

@claude is attempting to deploy a commit to the atechajay's projects Team on Vercel.

A member of the Team first needs to authorize it.

- Move validateAndSelectFile above useCallback hooks in FileUpload.tsx
  to fix "accessed before declaration" error, wrap it in useCallback
- Change let to const for allTransactions in parse/route.ts and llmParser.ts
- Remove unused eslint-disable directive in llmParser.ts
- Remove unused 'get' parameter in settingsStore.ts

https://claude.ai/code/session_01VxaHB5v67Q2yhuipdHsGp6