💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5c9b943aed
| if (!requestOrigin || !allowedOrigins.has(requestOrigin)) { | ||
| return res.status(403).json({ error: 'Invalid request origin' }); |
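Review bot: On the `allowedOrigins.has(requestOrigin)` test, Set membership is an exact string match, so `requestOrigin` has to be reduced to scheme, host and port before this line, particularly if it can be taken from `Referer`, which carries a path and query. The visible lines do not show how it is derived; parsing the header value with `new URL(value).origin` and treating a parse failure as a mismatch would make the comparison reliable. Logging the rejected value server-side next to the 403 would also help when diagnosing false rejections.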
Permit CSRF validation when Origin header is absent
This rejects all mutating `/api` requests that lack both `Origin` and `Referer`, even when the request includes a valid auth cookie and matching `x-csrf-token`. Non-browser clients (CLI scripts, server-side automation, webhook relays) commonly omit those headers, so this change introduces a backwards-incompatible 403 path for previously valid API calls. At minimum, this should be configurable or allow token-matched requests when origin metadata is unavailable.
| return next(); | ||
| } | ||
|
|
||
| if (!req.path.startsWith('/api') || CSRF_EXEMPT_PATHS.has(req.path)) { |
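Review bot: In the `req.path.startsWith('/api')` condition, the prefix test is case-sensitive and has no segment boundary, while Express matches routes case-insensitively unless case sensitive routing is enabled. If this branch skips the CSRF check, as the exempt set in the same condition suggests, a mixed-case path that Express still routes to an `/api` handler would not be checked, and an unrelated path such as `/apiary` would be treated as API. Suggest lowercasing the path once and testing it against `/api` exactly or the `/api/` prefix, then using the same normalized value for the `CSRF_EXEMPT_PATHS` lookup.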
Normalize exempt auth paths before CSRF path matching
CSRF exemptions are checked with exact string equality, so `/api/auth/login/` and `/api/auth/register/` are not exempt even though the app does not enable strict routing and Express will route those trailing-slash URLs to the same handlers. In that case, login/registration requests are incorrectly forced through CSRF token checks and can fail with 403, which is an avoidable regression for clients/frameworks that append trailing slashes.
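The two review comments above (token-matched requests when origin metadata is absent, and normalizing paths before the exemption lookup) combined in one decision function, as an added example that is not code from this pull request. The `csrf_token` cookie name, the allowed origin value, the safe-method set and the function names are assumptions.

```javascript
// Added example, not the PR's code. Items marked "assumed" are not on the page.
const CSRF_EXEMPT_PATHS = new Set(['/api/auth/login', '/api/auth/register']);
const allowedOrigins = new Set(['https://app.example.test']); // constructed value
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);      // assumed
const CSRF_COOKIE = 'csrf_token';                              // assumed cookie name

// Match Express's default routing: case-insensitive, one trailing slash optional.
function normalizePath(path) {
  const p = path.toLowerCase().replace(/\/$/, '');
  return p === '' ? '/' : p;
}

// Compare two tokens without exiting early on the first differing character.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  if (a.length === 0 || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns 200 when the request may proceed and 403 when it must be rejected.
function csrfDecision(req) {
  const path = normalizePath(req.path);
  const inApi = path === '/api' || path.startsWith('/api/');
  if (SAFE_METHODS.has(req.method) || !inApi || CSRF_EXEMPT_PATHS.has(path)) return 200;

  // Origin metadata, when present, must name an allowed origin.
  const raw = req.headers.origin || req.headers.referer;
  if (raw) {
    let requestOrigin = null;
    try { requestOrigin = new URL(raw).origin; } catch { /* unparsable: stays null */ }
    if (!allowedOrigins.has(requestOrigin)) return 403;
  }
  // With or without origin metadata, the header token must match the cookie token.
  const cookies = req.cookies || {};
  return safeEqual(req.headers['x-csrf-token'], cookies[CSRF_COOKIE]) ? 200 : 403;
}

// Express adapter around the pure decision function.
function csrfMiddleware(req, res, next) {
  if (csrfDecision(req) === 200) return next();
  return res.status(403).json({ error: 'CSRF validation failed' });
}
```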
Summary
Release `1.3.2` with the full phased security remediation (phases 0, 1, and 2) plus security test alignment.
This includes invitation recipient binding, markdown sanitization in artifact rendering, CSRF protections, centralized upload path config, admin pagination validation hardening, and a CI dependency-audit gate.
Description
This PR finalizes the security-review remediation rollout and prepares the release metadata.
What’s included:
Security hardening delivered across phases 0-2:
- Invitation token acceptance is now bound to the intended recipient.
- Markdown content in dashboard/admin artifact views is sanitized before DOM rendering.
- CSRF defenses were added for state-changing API requests (server middleware + client propagation).
- Evidence upload path handling now uses centralized configuration.
- Admin user pagination parameters are validated/clamped before querying.
- Dependency vulnerability checks are enforced in CI via a security audit workflow.

Test coverage updates:
- Added/updated integration and unit security tests for invitation flow, CSRF, evidence constraints, and admin pagination.
- Patched `app-security` nonce expectations to match secured dashboard script behavior.

Release metadata:
- Version bumped from `1.3.1` to `1.3.2`.
- Changelog updated with Added/Changed/Fixed entries for all security remediation work.