hzhang
801a63f8bb
fix(security): close critical auth/SSRF/RBAC holes
Verified locally end-to-end (before: exploitable, after: blocked).
- config: refuse to start on weak/default/short SECRET_KEY (was
trivially forgeable JWT -> full admin)
- deps: add reusable require_admin dependency (JWT or API key)
- api-keys: require admin to mint/list/revoke; mask key on list
(was unauthenticated -> instant admin API key)
- webhooks: whole router now admin-only (was fully unauthenticated
CRUD + readable logs)
- webhook delivery: validate URL scheme + reject hosts resolving to
private/loopback/link-local/reserved IPs; disable redirects
(was a readable SSRF primitive)
- rbac: implement a real project-role hierarchy in check_project_role
(was a no-op: any member, even guest, passed admin/mgr gates)
- misc: auth on delete_milestone (+ensure_can_edit_milestone),
worklog create/delete (force caller user_id, owner-only delete),
/activity and /export/tasks (were unauthenticated data exposure)
- tasks: auth + ensure_can_edit_task on assign_task and batch_assign
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 16:53:14 +01:00
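The "validate URL scheme + reject hosts resolving to private/loopback/link-local/reserved IPs" check from the webhook delivery bullet, as an added example that is not the project's code. It assumes a Python service; the resolver is injectable so it can be exercised offline, and `CONSTRUCTED_DNS`, `fake_resolver` and the example hostnames are constructed for that purpose.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed DNS table so the example runs offline (93.184.216.34 is a public
# address, 10.0.0.5 is RFC 1918); a real service uses system_resolver below.
CONSTRUCTED_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "split.example.com": ["93.184.216.34", "10.0.0.5"],  # mixed public/private records
}

def fake_resolver(host):
    return [ipaddress.ip_address(a) for a in CONSTRUCTED_DNS.get(host, [])]

def system_resolver(host):
    """Every A/AAAA record the OS resolver returns for host ([] if it does not resolve)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    # Strip an IPv6 zone id ("fe80::1%eth0") before parsing.
    return [ipaddress.ip_address(i[4][0].split("%", 1)[0]) for i in infos]

def is_forbidden_ip(ip):
    """True for addresses a webhook must never reach: private, loopback, link-local, reserved, ..."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d as the IPv4 address it wraps
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def validate_webhook_url(url, resolver=system_resolver):
    """Return (ok, reason); reject a non-http(s) scheme, a missing/unresolvable host, or ANY forbidden address."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal: no DNS lookup needed
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, f"host does not resolve: {host!r}"
    for ip in addrs:
        if is_forbidden_ip(ip):
            return False, f"{host!r} resolves to forbidden address {ip}"
    return True, "ok"
```

This check only holds together with redirects disabled on the delivery client, as the commit does; it also leaves a window between resolving and connecting, so pin the validated address for the actual connection rather than resolving the hostname a second time.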