hzhang
801a63f8bb
fix(security): close critical auth/SSRF/RBAC holes
Verified locally end-to-end (before: exploitable, after: blocked).
- config: refuse to start on weak/default/short SECRET_KEY (was
trivially forgeable JWT -> full admin)
- deps: add reusable require_admin dependency (JWT or API key)
- api-keys: require admin to mint/list/revoke; mask key on list
(was unauthenticated -> instant admin API key)
- webhooks: whole router now admin-only (was fully unauthenticated
CRUD + readable logs)
- webhook delivery: validate URL scheme + reject hosts resolving to
private/loopback/link-local/reserved IPs; disable redirects
(was a readable SSRF primitive)
- rbac: implement a real project-role hierarchy in check_project_role
(was a no-op: any member, even guest, passed admin/mgr gates)
- misc: auth on delete_milestone (+ensure_can_edit_milestone),
worklog create/delete (force caller user_id, owner-only delete),
/activity and /export/tasks (were unauthenticated data exposure)
- tasks: auth + ensure_can_edit_task on assign_task and batch_assign
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 16:53:14 +01:00
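As an added illustration of the webhook-delivery guard the message describes (scheme allow-list, then rejecting any host that resolves to a private, loopback, link-local, reserved or otherwise non-public address), here is an example that is not code from this commit or repository; the function names, the injectable `resolver` parameter and the `FAKE_DNS` table are assumptions made so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit
ALLOWED_SCHEMES = {"http", "https"}

def is_public_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) so the IPv4 rules apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)

def validate_webhook_url(url: str, resolver=socket.getaddrinfo) -> list[str]:
    """Return the public IPs a webhook URL points at, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"disallowed scheme {parts.scheme!r}")
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        raise ValueError("URL has no host")
    try:  # a literal IP needs no lookup
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
        try:
            infos = resolver(host, port, proto=socket.IPPROTO_TCP)
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {host!r}") from exc
        addrs = sorted({info[4][0] for info in infos})
    # Every A/AAAA record must be public; one internal record rejects the URL.
    for ip in addrs:
        if not is_public_address(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return addrs

def is_safe_webhook_url(url: str, resolver=socket.getaddrinfo) -> bool:
    try:
        return bool(validate_webhook_url(url, resolver=resolver))
    except ValueError:
        return False

# Constructed DNS table so the demo runs offline; these are not real records.
FAKE_DNS = {"hooks.example": ["93.184.216.34"], "linklocal.example": ["169.254.169.254"],
            "dual.example": ["93.184.216.35", "10.0.0.5"]}  # one public, one internal
def fake_resolver(host, port, *args, **kwargs):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port)) for ip in FAKE_DNS[host]]
```

Resolving here and connecting later leaves a rebinding window, so the HTTP client should pin the connection to the validated address (or re-check at connect time) and, as the commit does, refuse redirects, since a redirect target is never passed through this check.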