scripte/timemaster
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: H-1 settings-Whitelist + H-5 UUID-Guard + H-6 DNS-Pinning + H-7 Heartbeat-Timing

Browse Source 
H-1: company.settings als typisiertes Sub-Schema
- schemas/company.py: CompanySettingsUpdate mit extra=forbid
- Nur bekannte Keys (carryover_expires_month/day) erlaubt
- Unbekannte Keys → HTTP 422

H-5: SQL-Injection defensiv absichern
- dependencies.py: UUID-Round-Trip str(_uuid.UUID(...)) + Sicherheitskommentar

H-6: CalDAV DNS-Rebinding-Schutz
- caldav_service.py: PinnedIPTransport — IP einmal auflösen, beim Request fixieren
- _validate_caldav_url gibt aufgelöste IP zurück
- Alle HTTP-Methoden nutzen PinnedIPTransport

H-7: Heartbeat-Timestamp nach Route-Logik
- kiosk_security.py: last_heartbeat_at-Update aus Dependency entfernt
- kiosk_service.py: Update erst in process_heartbeat() nach erfolgreicher Auth

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
patrick
2026-05-26 11:35:18 +02:00
parent 654258f13e
commit 4dc69137dd
7 changed files with 152 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files
DEVLOG.md
+42
View File
@@ -1707,3 +1707,45 @@ Keine Commits in dieser Session.
- DEVLOG.md | 29 +++++++++++++++++++++++++++++
---
## 2026-05-26 11:17 11:25 (7m)
**Beschreibung:** Claude Code Session
**Projekt:** timemaster
### Commits
- 654258f security: M-2 HttpOnly-Cookie + M-4 TrustedHost-Warning + M-5 TOTP-Lockout + M-7 zentraler get_client_ip()
### Geänderte Dateien
- DEVLOG.md | 22 +++++++
- backend/app/core/dependencies.py | 18 +++++-
- backend/app/main.py | 8 +++
- backend/app/routers/absences.py | 4 +-
- backend/app/routers/auth.py | 116 +++++++++++++++++++++++++++++++----
- backend/app/routers/busylight.py | 6 +-
- backend/app/routers/hours_payouts.py | 6 +-
- backend/app/schemas/auth.py | 4 +-
- backend/app/services/auth_service.py | 7 ++-
- frontend/src/api/client.ts | 17 +++--
- frontend/src/context/AuthContext.tsx | 14 +++--
---
## 2026-05-26 11:26 11:27 (0m)
**Beschreibung:** Claude Code Session
**Projekt:** timemaster
### Commits
Keine Commits in dieser Session.
### Geänderte Dateien
- DEVLOG.md | 22 +++++++
- backend/app/core/dependencies.py | 18 +++++-
- backend/app/main.py | 8 +++
- backend/app/routers/absences.py | 4 +-
- backend/app/routers/auth.py | 116 +++++++++++++++++++++++++++++++----
- backend/app/routers/busylight.py | 6 +-
- backend/app/routers/hours_payouts.py | 6 +-
- backend/app/schemas/auth.py | 4 +-
- backend/app/services/auth_service.py | 7 ++-
- frontend/src/api/client.ts | 17 +++--
- frontend/src/context/AuthContext.tsx | 14 +++--
---