Skip to content

fix(security): close comment IDOR, unify lockout policy, extend CSRF …#101

Merged
4Keyy merged 1 commit into
mainfrom
claude/security-audit-frmf00
Jun 11, 2026
Merged

fix(security): close comment IDOR, unify lockout policy, extend CSRF …#101
4Keyy merged 1 commit into
mainfrom
claude/security-audit-frmf00

Conversation

@4Keyy

@4Keyy 4Keyy commented Jun 11, 2026

Copy link
Copy Markdown
Owner

…and harden presence hub

Audit-driven fixes after a full-project security review:

  • Collaboration: UpdateComment now authorizes against live task access (ITaskAccessService) like Add/Delete/Get, closing an IDOR where a former collaborator could still edit a comment after losing task access.
  • Auth: LockAccount is parameterized and both the failed-attempt threshold and lockout duration are driven from SecurityConstants.SecurityPolicies, removing the hardcoded 15m/>=5 values that diverged from the documented 30m/5 policy.
  • Todo/Category/Messaging/Collaboration: enforce the double-submit CSRF check (gRPC exempt) to match the documented security model; Realtime excluded due to SignalR negotiate.
  • Realtime: PresenceHub.UpdateStatus validates status against an allow-list to stop arbitrary/unbounded broadcast payloads.

Adds docs/security-audit-2026-06.md recording findings, fixes, and the items assessed as acceptable or false positives. Updates affected unit tests and adds a regression test for the comment access check.

What does this PR do?

Type of change

  • Bug fix
  • New feature
  • Refactor / code quality
  • Documentation
  • CI / infrastructure
  • Other:

Related issue

Closes #

Testing

  • Backend unit tests pass (dotnet test Planora.sln)
  • Frontend lint/type-check pass (npm run lint && npm run type-check)
  • Frontend tests pass (npm run test)
  • Manually tested the affected flow end-to-end

Checklist

  • No secrets, personal data, or local-only config committed
  • .env.example updated if new env vars were added
  • Documentation updated if behavior changed
  • CHANGELOG.md updated under ## Unreleased

…and harden presence hub

Audit-driven fixes after a full-project security review:

- Collaboration: UpdateComment now authorizes against live task access
  (ITaskAccessService) like Add/Delete/Get, closing an IDOR where a former
  collaborator could still edit a comment after losing task access.
- Auth: LockAccount is parameterized and both the failed-attempt threshold and
  lockout duration are driven from SecurityConstants.SecurityPolicies, removing
  the hardcoded 15m/>=5 values that diverged from the documented 30m/5 policy.
- Todo/Category/Messaging/Collaboration: enforce the double-submit CSRF check
  (gRPC exempt) to match the documented security model; Realtime excluded due
  to SignalR negotiate.
- Realtime: PresenceHub.UpdateStatus validates status against an allow-list to
  stop arbitrary/unbounded broadcast payloads.

Adds docs/security-audit-2026-06.md recording findings, fixes, and the items
assessed as acceptable or false positives. Updates affected unit tests and adds
a regression test for the comment access check.
@4Keyy 4Keyy requested a review from vichca June 11, 2026 18:14

@4Keyy 4Keyy left a comment

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

.

@4Keyy 4Keyy merged commit fb907f9 into main Jun 11, 2026
9 of 21 checks passed
@4Keyy 4Keyy deleted the claude/security-audit-frmf00 branch June 11, 2026 18:15
4Keyy added a commit that referenced this pull request Jun 13, 2026
…t client

PR #101 extended UseCsrfProtection() to the business services (Todo,
Category, Messaging, Collaboration), so TodoApi now rejects state-changing
requests without a matching X-CSRF-Token header + XSRF-TOKEN cookie. The
ErrorHandlingTests integration client posted neither, so every POST/PUT/
DELETE started returning 403 and 17 tests failed in CI.

The authenticated test client now attaches a matching CSRF header/cookie
pair (a real browser supplies both), so the requests pass through the
genuine CSRF middleware — which is still fully exercised — instead of
being rejected. All 78 ErrorHandlingTests pass again.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
4Keyy added a commit that referenced this pull request Jun 13, 2026
The CI 'Lint Markdown' (markdownlint-cli2) job was failing on: MD032
(blanks-around-lists) for the new 'Quote visibility' list in
docs/features.md, and MD022 (blanks-around-headings) for the four finding
headings in docs/security-audit-2026-06.md (added by #101). Added the
required surrounding blank lines. markdownlint-cli2 over the CI globs now
reports 0 errors.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants