Part of #3848 · severity: low (bundle)
Findings
- Login timing oracle: `modules/auth/services/auth.service.js:95-110`: an unknown email throws before any bcrypt work, while an existing user always runs `comparePassword` (~100ms), giving a measurable enumeration oracle. The forgot-password path already does a dummy compare against a sentinel hash; signin doesn't. Fix: run a dummy `bcrypt.compare` against a module-level sentinel hash on the unknown-user branch.
- Unauthenticated `sharp` amplification: `modules/uploads/controllers/uploads.controller.js:99`: a public image route passes client-supplied resize dimensions to `sharp` with no clamp, allowing CPU/memory amplification. Fix: clamp `width`/`height` to a safe max (e.g. ≤4096), reject oversized/non-numeric values, and attach a dedicated rate limiter.
- Dependabot over-broad auto-merge: `.github/workflows/dependabot.yml:24`: auto-approves/merges minor (not just patch) updates. Fix: gate auto-merge on `version-update:semver-patch` only.
- Dev tooling in production `dependencies`: `package.json`: test/dev packages declared under `dependencies` inflate the prod surface and pollute `npm audit --omit=dev`. Fix: relocate them to `devDependencies`.
- Residual audit advisories: the remaining ~15 `npm audit` advisories are dev-only chains plus 2 prod-tree packages whose vulnerable paths are not attacker-reachable here. Action: document (dated note), revisit when an upgrade path opens; no code change.
Created via /dev:issue