timemaster/.gitea/workflows/security.yml at a870ac64a545f1eaf5c532617007d9160fa6835e

scripte/timemaster

Fork 0

Files

T

patrick f2e997475e

Security Audit / Python Dependency Audit (push) Has been cancelled

Details

Security Audit / Node.js Dependency Audit (push) Has been cancelled

Details

security: N-1 uvicorn proxy-headers + N-2 Token-Reuse-Detection + N-3 XSS-Audit + N-4 Token-URL-Fragment + N-5 pip-audit CI

N-1: uvicorn --proxy-headers --forwarded-allow-ips=127.0.0.1
- timemaster.service: proxy-headers Flag gesetzt (beide Server)

N-2: Refresh-Token Re-Use-Detection
- auth_service.py: verbrauchter Token-Hash 48h in Redis (burned_token:<hash>)
- Bei erneutem Einsatz: alle Sessions invalidieren + AuditLog + HTTP 401

N-3: dangerouslySetInnerHTML-Audit
- Kein Vorkommen im Frontend gefunden — sauber

N-4: Reset/Invite-Token als URL-Fragment statt Query-Parameter
- email_service.py: ?token= → # (Fragment wird nicht in Referer gesendet)
- ResetPasswordPage.tsx: useSearchParams → window.location.hash.slice(1)
- Token-Lebensdauern geprüft: Reset 1h, Invite 7d — OK

N-5: Gitea CI Security-Workflow
- .gitea/workflows/security.yml: pip-audit + npm audit
- Trigger: push/PR auf main + wöchentlich montags

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-26 12:55:41 +02:00

57 lines

1.3 KiB

YAML

Raw Blame History

 name: Security Audit
 on:
   push:
     branches: [main]
   pull_request:
     branches: [main]
   schedule:
     - cron: '0 6 * * 1'  # Jeden Montag 06:00 UTC
 jobs:
   pip-audit:
     name: Python Dependency Audit
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
           python-version: '3.12'
       - name: Install pip-audit
         run: pip install pip-audit
       - name: Run pip-audit
         run: |
           cd backend
           pip-audit -r requirements.txt --format json --output pip-audit-report.json || true
           pip-audit -r requirements.txt
         continue-on-error: true  # Nicht blockieren, aber anzeigen
       - name: Upload audit report
         if: always()
         uses: actions/upload-artifact@v4
         with:
           name: pip-audit-report
           path: backend/pip-audit-report.json
           if-no-files-found: ignore
   npm-audit:
     name: Node.js Dependency Audit
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: Set up Node.js
         uses: actions/setup-node@v4
         with:
           node-version: '20'
       - name: Run npm audit
         run: |
           cd frontend
           npm audit --audit-level=high || true
         continue-on-error: true

57 lines 1.3 KiB YAML Raw Blame History

57 lines

1.3 KiB

YAML

Raw Blame History