scripte/timemaster
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: N-1 uvicorn proxy-headers + N-2 Token-Reuse-Detection + N-3 XSS-Audit + N-4 Token-URL-Fragment + N-5 pip-audit CI
Security Audit / Python Dependency Audit (push) Has been cancelled
Details
Security Audit / Node.js Dependency Audit (push) Has been cancelled
Details

Browse Source 
N-1: uvicorn --proxy-headers --forwarded-allow-ips=127.0.0.1
- timemaster.service: proxy-headers Flag gesetzt (beide Server)

N-2: Refresh-Token Re-Use-Detection
- auth_service.py: verbrauchter Token-Hash 48h in Redis (burned_token:<hash>)
- Bei erneutem Einsatz: alle Sessions invalidieren + AuditLog + HTTP 401

N-3: dangerouslySetInnerHTML-Audit
- Kein Vorkommen im Frontend gefunden — sauber

N-4: Reset/Invite-Token als URL-Fragment statt Query-Parameter
- email_service.py: ?token= → # (Fragment wird nicht in Referer gesendet)
- ResetPasswordPage.tsx: useSearchParams → window.location.hash.slice(1)
- Token-Lebensdauern geprüft: Reset 1h, Invite 7d — OK

N-5: Gitea CI Security-Workflow
- .gitea/workflows/security.yml: pip-audit + npm audit
- Trigger: push/PR auf main + wöchentlich montags

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
patrick
2026-05-26 12:55:41 +02:00
parent 4dc69137dd
commit f2e997475e
6 changed files with 160 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/security.yml
+56
View File
@@ -0,0 +1,56 @@
name: Security Audit
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '0 6 * * 1' # Jeden Montag 06:00 UTC
jobs:
pip-audit:
name: Python Dependency Audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Install pip-audit
run: pip install pip-audit
- name: Run pip-audit
run: |
cd backend
pip-audit -r requirements.txt --format json --output pip-audit-report.json || true
pip-audit -r requirements.txt
continue-on-error: true # Nicht blockieren, aber anzeigen
- name: Upload audit report
if: always()
uses: actions/upload-artifact@v4
with:
name: pip-audit-report
path: backend/pip-audit-report.json
if-no-files-found: ignore
npm-audit:
name: Node.js Dependency Audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Run npm audit
run: |
cd frontend
npm audit --audit-level=high || true
continue-on-error: true