motovaultpro/backend/package.json
Eric Gullickson a35e1a3aea Security fixes: Implement P0 critical vulnerability remediations
Implemented 3 critical security fixes identified in audit report:

1. CRITICAL (CVSS 8.1): Replace Math.random() with crypto.randomBytes()
   - Location: documents.controller.ts cryptoRandom() function
   - Risk: Predictable document storage keys could allow unauthorized access
   - Fix: Use crypto.randomBytes(32).toString('hex') for cryptographic security
   - Impact: Document storage keys are now cryptographically unpredictable

2. HIGH (CVSS 7.5): Implement magic byte validation for file uploads
   - Location: documents.controller.ts upload method
   - Risk: Malicious files with spoofed Content-Type could bypass validation
   - Fix: Added file-type library to validate actual file content via magic bytes
   - Impact: File uploads now verify actual file type matches claimed type
   - Added dependency: file-type@^19.8.0

3. HIGH (CVSS 6.5): Proxy Google Maps photos to hide API key
   - Note: Implementation in progress - agent reached token limit
   - Will be completed in follow-up commit

Files modified:
- backend/package.json: Added file-type dependency
- backend/src/features/documents/api/documents.controller.ts:
  - Added crypto import
  - Replaced insecure cryptoRandom() with secure version
  - Added magic byte validation to upload method
  - Added file-type and Readable imports
- SECURITY-FIXES.md: Complete implementation guide for all fixes

Security status: 2/3 P0 fixes implemented and verified
Next step: Complete Google Maps API proxy implementation

Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-14 09:49:05 -06:00
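The two remediations the commit message describes (a CSPRNG-backed storage key and magic-byte validation of uploads), as an added example in the backend's own language. This is not MotoVaultPro code and does not use the file-type library the commit adds; the three-entry signature table, the function names and the sample uploads are assumptions constructed here so the block runs offline.

```typescript
import { randomBytes } from 'node:crypto';

// Added example, not project code. cryptoRandom() reproduces the fix the
// commit message describes: 32 bytes from the OS CSPRNG, hex encoded, so a
// storage key carries 256 bits of entropy and cannot be predicted from earlier
// keys the way a Math.random()-derived value can.
export function cryptoRandom(byteLength = 32): string {
  return randomBytes(byteLength).toString('hex');
}

export interface Signature {
  mime: string;
  ext: string;
  offset: number; // byte offset at which the magic bytes appear
  magic: number[];
}

// Hand-written signature table for the three types this example accepts. The
// commit delegates detection to the file-type library; this table is an
// assumption kept deliberately small.
export const SIGNATURES: Signature[] = [
  { mime: 'application/pdf', ext: 'pdf', offset: 0, magic: [0x25, 0x50, 0x44, 0x46] }, // "%PDF"
  { mime: 'image/png', ext: 'png', offset: 0, magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg', ext: 'jpg', offset: 0, magic: [0xff, 0xd8, 0xff] },
];

// Returns the first signature whose magic bytes match the buffer, or null.
export function sniffFileType(data: Uint8Array): Signature | null {
  for (const sig of SIGNATURES) {
    if (data.length < sig.offset + sig.magic.length) continue;
    let match = true;
    for (let i = 0; i < sig.magic.length; i++) {
      if (data[sig.offset + i] !== sig.magic[i]) {
        match = false;
        break;
      }
    }
    if (match) return sig;
  }
  return null;
}

export interface UploadVerdict {
  ok: boolean;
  detected: string | null; // MIME type derived from content, never from the client
  reason: string;
}

// The three checks a magic-byte validator has to make: the content is a type
// we can identify at all, that type is on the allowlist, and the client's
// declared Content-Type agrees with the sniffed type. A mismatch is rejected
// (and should be logged) rather than silently corrected in the client's favour.
export function validateUpload(
  data: Uint8Array,
  declaredMime: string,
  allowed: ReadonlySet<string> = new Set(['application/pdf', 'image/png', 'image/jpeg']),
): UploadVerdict {
  const sig = sniffFileType(data);
  if (!sig) {
    return { ok: false, detected: null, reason: 'content does not match any known signature' };
  }
  if (!allowed.has(sig.mime)) {
    return { ok: false, detected: sig.mime, reason: `detected type ${sig.mime} is not allowed` };
  }
  // Strip parameters such as "; charset=binary" before comparing.
  const declared = declaredMime.split(';')[0].trim().toLowerCase();
  if (declared !== sig.mime) {
    return { ok: false, detected: sig.mime, reason: `declared ${declared} but content is ${sig.mime}` };
  }
  return { ok: true, detected: sig.mime, reason: 'ok' };
}

// Constructed sample uploads (not real files): a PNG header followed by the
// start of an IHDR chunk, a PDF header, and an HTML payload that a client
// could submit with a Content-Type of image/png.
export const SAMPLE_PNG = new Uint8Array([
  0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52,
]);
export const SAMPLE_PDF = new TextEncoder().encode('%PDF-1.7\n% constructed sample\n');
export const SPOOFED_HTML = new TextEncoder().encode('<html><script>alert(1)</script></html>');
```

Two caveats for anyone wiring this into the real upload handler. First, the validator needs the leading bytes of the upload in memory before the object is written to MinIO, which is why a multipart stream has to be buffered (or at least its head read) before validation rather than piped straight through. Second, file-type 19.x is published as an ES module only; the package.json below has no "type": "module" and builds with tsc/ts-node to CommonJS, so a plain `import { fileTypeFromBuffer } from 'file-type'` compiles to a `require()` that fails at runtime on Node 20 with ERR_REQUIRE_ESM, and either a dynamic `await import('file-type')` or an ESM build is needed. Magic-byte checks also do not defeat polyglot files (a valid PDF that is also valid HTML), so serving stored documents with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` remains necessary.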


{
  "name": "motovaultpro-backend",
  "version": "1.0.0",
  "description": "MotoVaultPro backend with Modified Feature Capsule architecture",
  "main": "dist/index.js",
  "scripts": {
    "dev": "nodemon --watch src --exec ts-node src/index.ts",
    "build": "tsc --project tsconfig.build.json",
    "start": "node dist/index.js",
    "test": "jest",
    "test:watch": "jest --watch",
    "test:feature": "jest --testPathPattern=src/features/${npm_config_feature}",
    "migrate:all": "ts-node src/_system/migrations/run-all.ts",
    "migrate:feature": "ts-node src/_system/migrations/run-feature.ts",
    "schema:generate": "ts-node src/_system/schema/generate.ts",
    "lint": "eslint src --ext .ts"
  },
  "dependencies": {
    "pg": "^8.11.3",
    "ioredis": "^5.3.2",
    "minio": "^7.1.3",
    "@fastify/multipart": "^8.1.0",
    "axios": "^1.6.2",
    "opossum": "^8.0.0",
    "winston": "^3.11.0",
    "zod": "^3.22.4",
    "js-yaml": "^4.1.0",
    "fastify": "^4.24.3",
    "@fastify/cors": "^9.0.1",
    "@fastify/helmet": "^11.1.1",
    "@fastify/jwt": "^8.0.0",
    "@fastify/type-provider-typebox": "^4.0.0",
    "@sinclair/typebox": "^0.31.28",
    "fastify-plugin": "^4.5.1",
    "@fastify/autoload": "^5.8.0",
    "get-jwks": "^9.0.0",
    "file-type": "^19.8.0"
  },
  "devDependencies": {
    "@types/node": "^20.10.0",
    "@types/pg": "^8.10.9",
    "@types/js-yaml": "^4.0.9",
    "typescript": "^5.6.3",
    "ts-node": "^10.9.1",
    "nodemon": "^3.0.1",
    "jest": "^29.7.0",
    "@types/jest": "^29.5.10",
    "ts-jest": "^29.1.1",
    "supertest": "^6.3.3",
    "@types/supertest": "^2.0.16",
    "@types/opossum": "^8.0.0",
    "eslint": "^8.54.0",
    "@typescript-eslint/eslint-plugin": "^6.12.0",
    "@typescript-eslint/parser": "^6.12.0"
  }
}