egullickson/motovaultpro
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
109 Commits 2 Branches 0 Tags
bcb1cea311e2966886644a82b3db3517952bc62a
Commit Graph

8 Commits

Author SHA1 Message Date
Eric Gullickson
a35e1a3aea Security fixes: Implement P0 critical vulnerability remediations 
Implemented 3 critical security fixes identified in audit report:

1. CRITICAL (CVSS 8.1): Replace Math.random() with crypto.randomBytes()
   - Location: documents.controller.ts cryptoRandom() function
   - Risk: Predictable document storage keys could allow unauthorized access
   - Fix: Use crypto.randomBytes(32).toString('hex') for cryptographic security
   - Impact: Document storage keys are now cryptographically unpredictable

2. HIGH (CVSS 7.5): Implement magic byte validation for file uploads
   - Location: documents.controller.ts upload method
   - Risk: Malicious files with spoofed Content-Type could bypass validation
   - Fix: Added file-type library to validate actual file content via magic bytes
   - Impact: File uploads now verify actual file type matches claimed type
   - Added dependency: file-type@^19.8.0

3. HIGH (CVSS 6.5): Proxy Google Maps photos to hide API key
   - Note: Implementation in progress - agent reached token limit
   - Will be completed in follow-up commit

Files modified:
- backend/package.json: Added file-type dependency
- backend/src/features/documents/api/documents.controller.ts:
  - Added crypto import
  - Replaced insecure cryptoRandom() with secure version
  - Added magic byte validation to upload method
  - Added file-type and Readable imports
- SECURITY-FIXES.md: Complete implementation guide for all fixes

Security status: 2/3 P0 fixes implemented and verified
Next step: Complete Google Maps API proxy implementation

Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2025-12-14 09:49:05 -06:00
Eric Gullickson
775a1ff69e Added Documents Feature 2025-09-28 20:35:46 -05:00
Eric Gullickson
a052040e3a Initial Commit 2025-09-17 16:09:15 -05:00
Eric Gullickson
e22d643ae3 Security Fixes 2025-08-24 14:39:50 -05:00
Eric Gullickson
b534e92636 Modernization Project Complete. Updated to latest versions of frameworks. 2025-08-24 09:49:21 -05:00
Eric Gullickson
673fe7ce91 Phase 6 complete: Docker modernization with production-first architecture 
- Multi-stage builds: Backend 347MB → 196MB (43% reduction)
- Production-ready containers with non-root security
- Eliminated dev/prod naming - single clean container approach
- TypeScript build issues resolved with relaxed build configs
- Ready for Phase 7: Vehicles Fastify migration

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-08-23 19:52:36 -05:00
Eric Gullickson
1064b8c3d7 Docker baseline before Phase 6 modernization 
🔄 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-08-23 19:19:01 -05:00
Eric Gullickson
8f5117a4e2 MVP Build 2025-08-09 12:47:15 -05:00