security: fix all 20 CodeQL code scanning alerts #104
Merged
NeuroKoder3 merged 6 commits into main on May 11, 2026
- CORS: replace permissive origin:true with configurable allowlist
- Error handling: suppress internal error messages from 500 responses
- TLS: enforce rejectUnauthorized for PG SSL require mode
- Auth: prevent open redirect via RelayState; move tokens to httpOnly cookies
- SMART: remove user_id auth bypass; strip sensitive fields from introspect
- SSRF: add DNS-based private IP blocking for subscription delivery and JWKS
- SSRF: validate endpoint URLs in pushToEHR with private range blocking
- Headers: sanitize outbound subscription headers; block injection vectors
- ReDoS: guard dynamic RegExp in vendor profiles and FHIR validation rules
- Info disclosure: genericize HL7 ACK errors, auth middleware, integrations
- Timing: use constant-time comparison for webhook secret verification
- Randomness: replace Math.random with crypto.randomUUID/getRandomValues
- XSS: sanitize document_urls href with protocol allowlist (http/https)
- CSP: tighten script-src, add frame-ancestors/base-uri/form-action
- Cookies: add SameSite=Lax and Secure to sidebar cookie
- API client: validate base URL scheme; reject non-https in production
- Logging: prevent raw request body injection in CDS feedback logs
- CodeQL CI: remove continue-on-error, add security-extended queries

Co-authored-by: Cursor <cursoragent@cursor.com>
- Disabling certificate validation: set rejectUnauthorized=true in SIEM TLS (siemForwarder.cjs)
- Polynomial ReDoS: replace backtracking regex in Bearer/Basic header parsing with string ops (auth.js, smart.js)
- Missing rate limiting: add per-route rateLimit config to all public endpoints (auth, smart, health, cds)
- Biased cryptographic random: use rejection sampling in MFA backup code generation (mfa.cjs)
- Clear-text logging: redact patient PII in epic-sandbox-test, mask org ID in init.cjs, sanitize error objects in smoke-test
- Incomplete string escaping: escape backslashes before quotes in RFC5424 syslog formatter (siemForwarder.cjs)
- Server-side URL redirect: already fixed in prior commit via sanitizeRedirectPath (auth.js)

Co-authored-by: Cursor <cursoragent@cursor.com>
…f sensitive information' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…f sensitive information' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…rect' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Summary
Resolves all 20 open CodeQL code scanning alerts:
Critical Fixes:
- TLS: set `rejectUnauthorized: true` in SIEM TLS connections (`siemForwarder.cjs`)
Rate Limiting (7 alerts):
- Add per-route `rateLimit` config to all public endpoints: login, MFA verify, refresh, SAML, OIDC, OAuth2 authorize/token/introspect/revoke, health/ready, SMART discovery, CDS services
Clear-text Logging (7 alerts):
Other:
Additional hardening (prior commit):
Test plan
- `npm run test:security` and `npm run test:business`
Made with Cursor