fix(security): remediate audit findings#15
Merged
Conversation
## Summary - harden fee sponsorship, proof metadata, CSP, amount parsing, opportunity escrow, and docs drift from the security findings pass - add focused frontend, Playwright, and Soroban contract coverage for the remediated behavior ## Changes Made ### Fee Sponsorship - disable public browser auto-sponsorship by default and require server bearer authorization - validate sponsored XDR size, network, source, op count, fee ceiling, configured contract, and method allowlist ### Proof Integrity and XSS - add nonce-based CSP middleware, escaped JSON-LD, URL sanitizers, safe metadata fetch bounds, and status-derived proof claims - prevent missing or non-verified proofs from making verified, payment-settled, or completed-work claims ### Contract and Amount Safety - cap opportunity milestones at 24 and allow employer refund from submitted state - replace float amount parsing with strict exact decimal scaling and fix u64 opportunity IDs ### Workflow and Docs - pin Stellar release workflow to an immutable SHA and narrow permissions - align env/docs/security notes with the hardened behavior and current contract state ## Why - closes the CSV security findings as one coordinated hardening pass and keeps proof trust claims tied to verified on-chain state ## Notes for Reviewers - verified with cargo test, frontend unit tests, lint, build, Playwright E2E, and git diff --check
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Owner
Author
|
@codex please review this security remediation PR. |
## Summary - enable allowImportingTsExtensions so CI typecheck accepts the Node strip-types test imports ## Changes Made ### Typecheck - update frontend tsconfig to match the .ts import style used by the new unit tests ## Why - GitHub Actions failed at npx tsc --noEmit because test files import local modules with explicit .ts extensions ## Notes for Reviewers - locally verified npx tsc --noEmit --incremental false --pretty false, npm run test:unit, npm run lint, and git diff --check
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Pass sponsor auth token when client sponsorship is enabled
When NEXT_PUBLIC_FEE_SPONSOR_CLIENT_ENABLED=1 and a sponsor address is configured, signAndSubmit calls requestFeeBump(signedXdr) without the required bearer token. requestFeeBump now throws immediately for missing authorization, and that exception is swallowed, so gasless mode silently never activates even when the client-side sponsorship flag is enabled.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
## Summary - tighten proof metadata URL validation and private host filtering - keep opportunity IDs lossless through frontend routing and contract calls - remove misleading browser fee-sponsor auto toggle and update docs ## Changes Made ### URL and SSRF Hardening - require HTTPS for external proof metadata/evidence URLs - block IPv4-mapped IPv6 loopback/private hostnames ### Opportunity IDs - add shared opportunity ID normalization that preserves string and bigint values - use lossless IDs for opportunity pages, records, and u64 contract calls ### Fee Sponsorship - keep fee bump as explicit server-authorized flow and remove public client auto-sponsor config ## Why - resolves ChatGPT Codex connector comments on PR #15 before merge ## Notes for Reviewers - verified with unit tests, typecheck, lint, build, E2E, and git diff --check
Owner
Author
|
@codex closeout update: Fixed and shipped the proof preview data-binding issue.
What changed:
Verification:
|
|
Acknowledged — based on your @codex closeout update trigger and PR context, no additional code changes are required from me at this point. I validated that the referenced fix commit is present on the current branch:
The log includes:
Since there were no new local changes to commit, I did not create another commit and did not call |
Owner
Author
|
@codex closeout update for the two follow-up findings: Fixed and shipped:
Commits:
Production:
Verification:
|
|
Acknowledged — based on this new closeout update and the PR context, I did not make additional code changes. I verified the branch already contains the two shipped follow-up commits you listed:
Because there were no new local edits to apply, I did not create a new commit and did not open a follow-up PR. Checks run
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
harden fee sponsorship, proof metadata, CSP, amount parsing, opportunity escrow, and docs drift from the security findings pass
add focused frontend, Playwright, and Soroban contract coverage for the remediated behavior
Changes Made
Fee Sponsorship
disable public browser auto-sponsorship by default and require server bearer authorization
validate sponsored XDR size, network, source, op count, fee ceiling, configured contract, and method allowlist
Proof Integrity and XSS
add nonce-based CSP middleware, escaped JSON-LD, URL sanitizers, safe metadata fetch bounds, and status-derived proof claims
prevent missing or non-verified proofs from making verified, payment-settled, or completed-work claims
Contract and Amount Safety
cap opportunity milestones at 24 and allow employer refund from submitted state
replace float amount parsing with strict exact decimal scaling and fix u64 opportunity IDs
Workflow and Docs
pin Stellar release workflow to an immutable SHA and narrow permissions
align env/docs/security notes with the hardened behavior and current contract state
Why
Notes for Reviewers
Note
Medium Risk
Modifies on-chain Soroban contract escrow state rules (
create_opportunityvalidation andrefund_opportunitytransitions), which can affect fund flows and requires careful review/testing despite added coverage.Overview
Hardens the Soroban opportunity-escrow flow by capping
milestone_count(max 24) duringcreate_opportunityand allowing employers torefund_opportunityeven after a candidate has moved the opportunity intoSubmitted, preventing escrow lock-in.Expands the contract test suite (now 12 tests) with new coverage and snapshot fixtures for the milestone cap and the new refund transition, and updates documentation to reflect the updated error variant count, escrow behavior, and current contract baseline.
Tightens the GitHub release workflow by moving permissions to the job scope and pinning the reusable
soroban-build-workflowreference to an immutable commit SHA.Reviewed by Cursor Bugbot for commit c62e346. Bugbot is set up for automated code reviews on this repo. Configure here.