npm - ruflo - Versions diffs - 3.6.27 → 3.6.29 - Mend

ruflo 3.6.27 → 3.6.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/src/ruvocal/.claude-flow/logs/headless/audit_1777949411822_juxau0_result.log ADDED Viewed

@@ -0,0 +1,67 @@
+[2026-05-05T02:50:42.274Z] RESULT
+============================================================
+{
+  "success": true,
+  "output": "```json\n{\n  \"vulnerabilities\": [\n    {\n      \"severity\": \"medium\",\n      \"file\": \".svelte-kit/adapter-node/chunks/adminToken.js\",\n      \"line\": 33,\n      \"description\": \"Admin token exposed in console logs. The token is printed to stdout via logger.info() when displayToken() is called, making it visible in server logs and potentially exposed to log aggregation services or anyone with access to server logs.\"\n    },\n    {\n      \"severity\": \"medium\",\n      \"file\": \".svelte-kit/adapter-node/chunks/adminToken.js\",\n      \"line\": 23,\n      \"description\": \"Timing attack vulnerability in token comparison. Uses simple === string comparison instead of constant-time comparison. An attacker could measure response times to guess the token byte-by-byte.\"\n    },\n    {\n      \"severity\": \"medium\",\n      \"file\": \".svelte-kit/adapter-node/chunks/auth.js\",\n      \"line\": 26,\n      \"description\": \"Unsafe JSON5 parsing of OIDC configuration. Uses JSON5.parse() which allows comments, trailing commas, and other non-standard JSON. If OPENID_CONFIG comes from user input or untrusted sources, could lead to unexpected behavior.\"\n    },\n    {\n      \"severity\": \"low\",\n      \"file\": \".svelte-kit/adapter-node/chunks/APIClient.js\",\n      \"line\": 7,\n      \"description\": \"No URL validation before URL construction. The url parameter is passed directly to 'new URL()' without validation. Malformed URLs could throw uncaught exceptions. Consider validating URLs before use.\"\n    },\n    {\n      \"severity\": \"low\",\n      \"file\": \".svelte-kit/adapter-node/chunks/auth.js\",\n      \"line\": 50,\n      \"description\": \"CLIENT_SECRET may be logged during configuration parsing. If Zod validation errors occur, the CLIENT_SECRET could potentially be included in error messages.\"\n    },\n    {\n      \"severity\": \"low\",\n      \"file\": \".svelte-kit/adapter-node/chunks/auth.js\",\n      \"line\": 61,\n      \"description\": \"Session cookie secure flag depends on ALLOW_INSECURE_COOKIES config. While there's a default to true, if config is misconfigured, cookies could be transmitted over HTTP.\"\n    }\n  ],\n  \"riskScore\": 42,\n  \"recommendations\": [\n    \"Use crypto.timingSafeEqual() for token comparison in adminTokenManager.js to prevent timing attacks\",\n    \"Remove token logging from console output. If needed for debugging, ensure logs don't persist or are properly rotated/secured\",\n    \"Validate URLs in APIClient.js before passing to new URL() constructor. Use URL.canParse() (available in Node 18.17+) or wrap in try-catch\",\n    \"Use standard JSON.parse() instead of JSON5.parse() for OIDC config, or validate the parsed config against a strict schema\",\n    \"Ensure OPENID_CONFIG is loaded from secure sources (environment variables or secure config files) and never from user input\",\n    \"Add sensitive field redaction in logging to prevent CLIENT_SECRET exposure in error logs\",\n    \"Audit and enforce that ALLOW_INSECURE_COOKIES is never 'true' in production. Consider removing this option entirely\",\n    \"Implement rate limiting on token validation endpoints to prevent brute force attacks on admin tokens\",\n    \"Add security headers (CSP, X-Frame-Options) to prevent XSS and clickjacking\",\n    \"Review OIDC token validation logic (file truncated) - ensure ID tokens are properly validated including signature verification\",\n    \"Use secure random generation for all tokens (already using uuid v4, which is good)\",\n    \"Ensure MongoDB queries use parameterized queries/object notation (appears to be done correctly, but audit NoSQL injection prevention)\"\n  ]\n}\n```\n\n## Summary\n\nThe codebase has a **moderate security risk score of 42/100**. The primary concerns are:\n\n1. **Admin Token Security** — Token is logged in plaintext and uses non-constant-time comparison\n2. **Configuration Parsing** — OIDC config uses JSON5 which could allow injection if misconfigured  \n3. **Input Handling** — URLs and API inputs lack explicit validation\n\nThe code generally follows security best practices (secure cookies, env-based secrets, Zod validation) but has gaps in token handling and input validation. Most issues can be fixed with targeted improvements to the token management and validation logic.\n",
+  "parsedOutput": {
+    "vulnerabilities": [
+      {
+        "severity": "medium",
+        "file": ".svelte-kit/adapter-node/chunks/adminToken.js",
+        "line": 33,
+        "description": "Admin token exposed in console logs. The token is printed to stdout via logger.info() when displayToken() is called, making it visible in server logs and potentially exposed to log aggregation services or anyone with access to server logs."
+      },
+      {
+        "severity": "medium",
+        "file": ".svelte-kit/adapter-node/chunks/adminToken.js",
+        "line": 23,
+        "description": "Timing attack vulnerability in token comparison. Uses simple === string comparison instead of constant-time comparison. An attacker could measure response times to guess the token byte-by-byte."
+      },
+      {
+        "severity": "medium",
+        "file": ".svelte-kit/adapter-node/chunks/auth.js",
+        "line": 26,
+        "description": "Unsafe JSON5 parsing of OIDC configuration. Uses JSON5.parse() which allows comments, trailing commas, and other non-standard JSON. If OPENID_CONFIG comes from user input or untrusted sources, could lead to unexpected behavior."
+      },
+      {
+        "severity": "low",
+        "file": ".svelte-kit/adapter-node/chunks/APIClient.js",
+        "line": 7,
+        "description": "No URL validation before URL construction. The url parameter is passed directly to 'new URL()' without validation. Malformed URLs could throw uncaught exceptions. Consider validating URLs before use."
+      },
+      {
+        "severity": "low",
+        "file": ".svelte-kit/adapter-node/chunks/auth.js",
+        "line": 50,
+        "description": "CLIENT_SECRET may be logged during configuration parsing. If Zod validation errors occur, the CLIENT_SECRET could potentially be included in error messages."
+      },
+      {
+        "severity": "low",
+        "file": ".svelte-kit/adapter-node/chunks/auth.js",
+        "line": 61,
+        "description": "Session cookie secure flag depends on ALLOW_INSECURE_COOKIES config. While there's a default to true, if config is misconfigured, cookies could be transmitted over HTTP."
+      }
+    ],
+    "riskScore": 42,
+    "recommendations": [
+      "Use crypto.timingSafeEqual() for token comparison in adminTokenManager.js to prevent timing attacks",
+      "Remove token logging from console output. If needed for debugging, ensure logs don't persist or are properly rotated/secured",
+      "Validate URLs in APIClient.js before passing to new URL() constructor. Use URL.canParse() (available in Node 18.17+) or wrap in try-catch",
+      "Use standard JSON.parse() instead of JSON5.parse() for OIDC config, or validate the parsed config against a strict schema",
+      "Ensure OPENID_CONFIG is loaded from secure sources (environment variables or secure config files) and never from user input",
+      "Add sensitive field redaction in logging to prevent CLIENT_SECRET exposure in error logs",
+      "Audit and enforce that ALLOW_INSECURE_COOKIES is never 'true' in production. Consider removing this option entirely",
+      "Implement rate limiting on token validation endpoints to prevent brute force attacks on admin tokens",
+      "Add security headers (CSP, X-Frame-Options) to prevent XSS and clickjacking",
+      "Review OIDC token validation logic (file truncated) - ensure ID tokens are properly validated including signature verification",
+      "Use secure random generation for all tokens (already using uuid v4, which is good)",
+      "Ensure MongoDB queries use parameterized queries/object notation (appears to be done correctly, but audit NoSQL injection prevention)"
+    ]
+  },
+  "durationMs": 30452,
+  "model": "haiku",
+  "sandboxMode": "strict",
+  "workerType": "audit",
+  "timestamp": "2026-05-05T02:50:42.274Z",
+  "executionId": "audit_1777949411822_juxau0"
+}