Skip to content

fix(security): harden dashboard api surface (sec-api-01..11)#42

Open
Abdulkhalek-1 wants to merge 2 commits intomainfrom
fix/security-api-2026-04-07
Open

fix(security): harden dashboard api surface (sec-api-01..11)#42
Abdulkhalek-1 wants to merge 2 commits intomainfrom
fix/security-api-2026-04-07

Conversation

@Abdulkhalek-1
Copy link
Copy Markdown
Collaborator

@Abdulkhalek-1 Abdulkhalek-1 commented Apr 7, 2026

Summary

Implements 11 security hardening plans for the dashboard REST API.

# Plan Fix
01 permission-grant-escalation Block self-grant + wildcard/literal permission escalation
02 audit-log-userid-enumeration Non-owners can only query audit entries for themselves
03 audit-log-date-validation Validate from/to dates, reject NaN with 400
04 resource-creation-rate-limits Per-user rate limits (10/min) on music/commands/giveaways POST
05 welcome-image-magic-byte-validation Decode base64 and verify PNG/JPEG/WebP magic bytes match declared type
06 cron-preview-dos Rate limit 5/10s + 250ms wall-clock budget on cron preview
07 custom-command-redos Reject unsafe regex via `safe-regex` for ReDoS protection
08 permission-error-leak Drop permission key from 403 responses
09 audit-action-exact-match Replace substring filter with exact allowlist
10 image-preview-nosniff Add `X-Content-Type-Options: nosniff` defense-in-depth
11 actions-update-error-mask Distinguish Prisma P2025 from 500s, log server errors

Changes

  • 8 source files in `apps/dashboard/src/server/features/`
  • 9 test files (8 new + 1 fixture update in `welcome.test.ts`)
  • Adds `safe-regex` + `@types/safe-regex` dependencies

Test plan

  • `pnpm --filter @fluxcore/dashboard typecheck` — clean
  • `pnpm --filter @fluxcore/dashboard test` — 305 pass / 15 pre-existing baseline failures (unrelated, same as `main`)
  • 49 new tests across the 9 target files all pass
  • Manual smoke test of permissions PUT endpoint
  • Manual smoke test of welcome image upload with varied payloads
  • Verify rate limits in staging (music/commands/giveaways/cron-preview)

🤖 Generated with Claude Code

@Abdulkhalek-1
docs(security): add api hardening plans
2f5769e
@Abdulkhalek-1
fix(security): harden dashboard api surface (sec-api-01..11)
aca93d7 
Implements 11 security hardening plans for the dashboard REST API:

- sec-api-01: block self-grant and wildcard permission escalation
- sec-api-02: restrict audit log userId filter to self for non-owners
- sec-api-03: validate audit log date range query parameters
- sec-api-04: add per-user rate limits to music/commands/giveaways creation
- sec-api-05: magic-byte validation for welcome background image uploads
- sec-api-06: rate limit + 250ms budget on cron preview endpoint
- sec-api-07: reject unsafe regex (ReDoS) in custom command creation
- sec-api-08: drop permission key from 403 error responses
- sec-api-09: exact-match allowlist for audit action filter
- sec-api-10: add X-Content-Type-Options nosniff to image preview
- sec-api-11: distinguish Prisma P2025 from 500s in actions rule update

Adds safe-regex dependency. Includes 49 new tests across 9 files
covering each hardening. Typecheck clean; no new regressions.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Abdulkhalek-1