npm - ruflo - Versions diffs - 3.6.27 → 3.6.29 - Mend

ruflo 3.6.27 → 3.6.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/src/ruvocal/.claude-flow/logs/headless/audit_1777950042278_jvj5xq_result.log ADDED Viewed

@@ -0,0 +1,93 @@
+[2026-05-05T03:01:38.241Z] RESULT
+============================================================
+{
+  "success": true,
+  "output": "# Security Vulnerability Analysis Report\n\n```json\n{\n  \"vulnerabilities\": [\n    {\n      \"severity\": \"high\",\n      \"file\": \"adminToken.js\",\n      \"line\": 5,\n      \"description\": \"Admin token generated as UUID fallback and stored in plaintext. Tokens are auto-generated if not configured, reducing entropy. Token reset after validation creates timing window for race conditions.\"\n    },\n    {\n      \"severity\": \"high\",\n      \"file\": \"adminToken.js\",\n      \"line\": 17,\n      \"description\": \"No rate limiting on token validation attempts. Attackers can brute-force the random UUID token without consequence.\"\n    },\n    {\n      \"severity\": \"high\",\n      \"file\": \"apiToken.js\",\n      \"line\": 6,\n      \"description\": \"API keys (OPENAI_API_KEY, HF_TOKEN) exposed directly in plaintext. If this function's output is logged, cached, or exposed via error messages, credentials are compromised.\"\n    },\n    {\n      \"severity\": \"high\",\n      \"file\": \"auth.js\",\n      \"line\": 88,\n      \"description\": \"OAuth tokens stored in plaintext in MongoDB. If database is compromised, all user tokens are exposed without encryption. No evidence of token encryption at rest.\"\n    },\n    {\n      \"severity\": \"medium\",\n      \"file\": \"auth.js\",\n      \"line\": 43,\n      \"description\": \"OPENID_CLIENT_SECRET and OPENID_CLIENT_ID stored in plaintext configuration. Should use environment-specific secure vaults.\"\n    },\n    {\n      \"severity\": \"medium\",\n      \"file\": \"auth.js\",\n      \"line\": 48,\n      \"description\": \"Insecure cookie configuration allowed via ALLOW_INSECURE_COOKIES flag. Permits SameSite=lax and Secure=false, vulnerable to CSRF and man-in-the-middle attacks.\"\n    },\n    {\n      \"severity\": \"medium\",\n      \"file\": \"APIClient.js\",\n      \"line\": 25,\n      \"description\": \"Error responses returned directly to client without sanitization. Could expose sensitive backend information, database errors, or internal paths.\"\n    },\n    {\n      \"severity\": \"medium\",\n      \"file\": \"APIClient.js\",\n      \"line\": 17,\n      \"description\": \"No request timeout configured. Allows slowloris and resource exhaustion attacks. Missing Content-Type validation for responses.\"\n    },\n    {\n      \"severity\": \"medium\",\n      \"file\": \"adminToken.js\",\n      \"line\": 27,\n      \"description\": \"Admin token displayed in console logs (logger.info). Logs may be persisted, indexed, or exposed in error tracking systems.\"\n    },\n    {\n      \"severity\": \"low\",\n      \"file\": \"PublicConfig.svelte.js\",\n      \"line\": 22,\n      \"description\": \"Public configuration accessible via Proxy without input validation. Ensure no secrets are included in PUBLIC_* environment variables.\"\n    }\n  ],\n  \"riskScore\": 72,\n  \"recommendations\": [\n    \"CRITICAL: Implement token hashing using bcrypt/argon2. Never store plaintext API keys, OAuth tokens, or admin tokens. Hash admin tokens and store hash in database.\",\n    \"CRITICAL: Move OPENID_CLIENT_SECRET and API_KEY access to server-only code. Implement secure key management (HashiCorp Vault, AWS Secrets Manager, or similar).\",\n    \"CRITICAL: Enable HTTPS-only cookies: set Secure=true and SameSite=strict always. Remove ALLOW_INSECURE_COOKIES flag or restrict to development only.\",\n    \"HIGH: Implement rate limiting on token validation endpoints (adminToken.checkToken). Use exponential backoff and temporary account lockouts after N failed attempts.\",\n    \"HIGH: Encrypt sensitive data at rest in MongoDB using field-level encryption. Use AES-256-GCM for tokens and credentials.\",\n    \"HIGH: Add CSRF token validation to all state-changing requests (POST, PATCH, DELETE). Validate Origin and Referer headers.\",\n    \"MEDIUM: Sanitize error responses before sending to client. Return generic messages (e.g., 'Authentication failed') instead of specific errors ('Invalid token' or 'User not found').\",\n    \"MEDIUM: Add request timeout to fetch calls: `signal: AbortSignal.timeout(10000)` in APIClient.js. Prevent resource exhaustion.\",\n    \"MEDIUM: Implement Content Security Policy headers to restrict SVG execution and prevent XSS via embedded scripts in SVG icons.\",\n    \"MEDIUM: Add audit logging for sensitive operations (admin logins, token refreshes). Log to immutable append-only storage (syslog, CloudWatch, etc.).\",\n    \"MEDIUM: Implement automatic session timeout and invalidation for expired tokens. Don't allow indefinite token refresh cycles.\",\n    \"LOW: Use HTTP-only cookies for session IDs. Prevent JavaScript access via `httpOnly: true` (already implemented, but verify it's consistent).\",\n    \"LOW: Validate all OpenID configuration inputs (CLIENT_ID, PROVIDER_URL). Prevent SSRF and config injection attacks.\",\n    \"LOW: Add security headers: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Strict-Transport-Security, X-XSS-Protection.\"\n  ]\n}\n```\n\n## Summary\n\n**Risk Level**: HIGH (72/100)\n\nThe codebase has **critical authentication and token management vulnerabilities**:\n\n1. **Plaintext Token Storage** — Admin tokens, API keys, and OAuth tokens stored without encryption\n2. **No Rate Limiting** — Admin token validation can be brute-forced\n3. **Credentials in Config** — OpenID secrets and API keys in environment variables without secure vaults\n4. **Insecure Cookies** — Allow non-HTTPS, non-strict SameSite mode\n5. **Information Disclosure** — Error messages expose backend details\n\n**Immediate Actions Required**:\n- Hash all tokens (bcrypt/argon2)\n- Implement rate limiting on authentication endpoints\n- Use HTTPS-only, SameSite=strict cookies\n- Move secrets to secure vaults\n- Encrypt tokens in MongoDB\n",
+  "parsedOutput": {
+    "vulnerabilities": [
+      {
+        "severity": "high",
+        "file": "adminToken.js",
+        "line": 5,
+        "description": "Admin token generated as UUID fallback and stored in plaintext. Tokens are auto-generated if not configured, reducing entropy. Token reset after validation creates timing window for race conditions."
+      },
+      {
+        "severity": "high",
+        "file": "adminToken.js",
+        "line": 17,
+        "description": "No rate limiting on token validation attempts. Attackers can brute-force the random UUID token without consequence."
+      },
+      {
+        "severity": "high",
+        "file": "apiToken.js",
+        "line": 6,
+        "description": "API keys (OPENAI_API_KEY, HF_TOKEN) exposed directly in plaintext. If this function's output is logged, cached, or exposed via error messages, credentials are compromised."
+      },
+      {
+        "severity": "high",
+        "file": "auth.js",
+        "line": 88,
+        "description": "OAuth tokens stored in plaintext in MongoDB. If database is compromised, all user tokens are exposed without encryption. No evidence of token encryption at rest."
+      },
+      {
+        "severity": "medium",
+        "file": "auth.js",
+        "line": 43,
+        "description": "OPENID_CLIENT_SECRET and OPENID_CLIENT_ID stored in plaintext configuration. Should use environment-specific secure vaults."
+      },
+      {
+        "severity": "medium",
+        "file": "auth.js",
+        "line": 48,
+        "description": "Insecure cookie configuration allowed via ALLOW_INSECURE_COOKIES flag. Permits SameSite=lax and Secure=false, vulnerable to CSRF and man-in-the-middle attacks."
+      },
+      {
+        "severity": "medium",
+        "file": "APIClient.js",
+        "line": 25,
+        "description": "Error responses returned directly to client without sanitization. Could expose sensitive backend information, database errors, or internal paths."
+      },
+      {
+        "severity": "medium",
+        "file": "APIClient.js",
+        "line": 17,
+        "description": "No request timeout configured. Allows slowloris and resource exhaustion attacks. Missing Content-Type validation for responses."
+      },
+      {
+        "severity": "medium",
+        "file": "adminToken.js",
+        "line": 27,
+        "description": "Admin token displayed in console logs (logger.info). Logs may be persisted, indexed, or exposed in error tracking systems."
+      },
+      {
+        "severity": "low",
+        "file": "PublicConfig.svelte.js",
+        "line": 22,
+        "description": "Public configuration accessible via Proxy without input validation. Ensure no secrets are included in PUBLIC_* environment variables."
+      }
+    ],
+    "riskScore": 72,
+    "recommendations": [
+      "CRITICAL: Implement token hashing using bcrypt/argon2. Never store plaintext API keys, OAuth tokens, or admin tokens. Hash admin tokens and store hash in database.",
+      "CRITICAL: Move OPENID_CLIENT_SECRET and API_KEY access to server-only code. Implement secure key management (HashiCorp Vault, AWS Secrets Manager, or similar).",
+      "CRITICAL: Enable HTTPS-only cookies: set Secure=true and SameSite=strict always. Remove ALLOW_INSECURE_COOKIES flag or restrict to development only.",
+      "HIGH: Implement rate limiting on token validation endpoints (adminToken.checkToken). Use exponential backoff and temporary account lockouts after N failed attempts.",
+      "HIGH: Encrypt sensitive data at rest in MongoDB using field-level encryption. Use AES-256-GCM for tokens and credentials.",
+      "HIGH: Add CSRF token validation to all state-changing requests (POST, PATCH, DELETE). Validate Origin and Referer headers.",
+      "MEDIUM: Sanitize error responses before sending to client. Return generic messages (e.g., 'Authentication failed') instead of specific errors ('Invalid token' or 'User not found').",
+      "MEDIUM: Add request timeout to fetch calls: `signal: AbortSignal.timeout(10000)` in APIClient.js. Prevent resource exhaustion.",
+      "MEDIUM: Implement Content Security Policy headers to restrict SVG execution and prevent XSS via embedded scripts in SVG icons.",
+      "MEDIUM: Add audit logging for sensitive operations (admin logins, token refreshes). Log to immutable append-only storage (syslog, CloudWatch, etc.).",
+      "MEDIUM: Implement automatic session timeout and invalidation for expired tokens. Don't allow indefinite token refresh cycles.",
+      "LOW: Use HTTP-only cookies for session IDs. Prevent JavaScript access via `httpOnly: true` (already implemented, but verify it's consistent).",
+      "LOW: Validate all OpenID configuration inputs (CLIENT_ID, PROVIDER_URL). Prevent SSRF and config injection attacks.",
+      "LOW: Add security headers: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Strict-Transport-Security, X-XSS-Protection."
+    ]
+  },
+  "durationMs": 55963,
+  "model": "haiku",
+  "sandboxMode": "strict",
+  "workerType": "audit",
+  "timestamp": "2026-05-05T03:01:38.241Z",
+  "executionId": "audit_1777950042278_jvj5xq"
+}