Skip to content

Security Hardening#53

Merged
ardelato merged 7 commits into
hermesfrom
fix/security-hardening
Apr 27, 2026
Merged

Security Hardening#53
ardelato merged 7 commits into
hermesfrom
fix/security-hardening

Conversation

@ardelato
Copy link
Copy Markdown
Collaborator

@ardelato ardelato commented Apr 27, 2026

Description

This PR addresses the remaining High and Medium severity issues from the security audit report and resolves all unresolved review comments from PR #51.

Deferred: M3 (quill-paste-smart) requires Quill 2.x which is a breaking change — risk is mitigated by server-side Purify mutators.

QA Notes:

We will need to test this on the test cluster.

ardelato added 7 commits April 27, 2026 13:55
@ardelato
fix(model): add Purify mutator to Alert model
f006860 
Alert HTML content was stored without sanitization, enabling stored
XSS if an attacker could create alerts (e.g. via privilege escalation).
The setHtmlAttribute mutator ensures all HTML is cleaned through
HTMLPurifier before persistence, matching the pattern already
established on Group, Party, User, and Network models.
@ardelato
fix(vue): add DOMPurify sanitization to AlertBanner
14b57c9 
AlertBanner rendered alert HTML via v-html without client-side
sanitization. This adds DOMPurify as a defense-in-depth layer
alongside the server-side Purify mutator on the Alert model,
matching the pattern used in ReadMore.vue.
@ardelato
refactor(vue): extract shared escapeHtml helper
56649e0 
The escapeHtml function was duplicated verbatim in GroupActions.vue
and GroupPage.vue. This extracts it into a shared helper module so
there is one canonical implementation for HTML-escaping user data
in Vue template interpolations.
@ardelato
fix(vue): sanitize ReadMore text prop and fix reference bug
520cf88 
The text prop path rendered via v-html without DOMPurify sanitization.
While no current callers use this path, it was an unsanitized sink that
could introduce XSS if a future caller wired up the text prop. Also
fixed a ReferenceError where text.length and maxChars were missing
their this. prefix in the needsTruncating computed property.
@ardelato
fix(controller): escape user emails in flash messages
023d547 
The invite flows in GroupController and PartyController interpolated
user-supplied email addresses into translation strings rendered via
{!! !!} without escaping. This wraps them with e() to prevent XSS
through crafted email-like input.
@ardelato
fix(config): add tel URI scheme to HTMLPurifier allowlist
c95ef22 
Mobile click-to-call links (tel: URIs) are a reasonable thing to
allow in sanitized descriptions and carry no XSS risk unlike
javascript: or data: URIs.
@ardelato
fix(deps): update axios to fix known CVEs
84dbe41 
Bumps axios from ^1.6.4 to ^1.15.0 to exit the vulnerable range
(1.0.0-1.14.0) which includes SSRF, credential leakage, and CSRF
vulnerabilities. This is the minimum version bump needed to resolve
the CVEs without a major version change.
djmetzle
djmetzle approved these changes Apr 27, 2026
View reviewed changes
Copy link
Copy Markdown

@djmetzle djmetzle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM CR 🧽

@ardelato
Copy link
Copy Markdown
Collaborator Author

ardelato commented Apr 27, 2026

QA 👍 Things seem to be fixed.

@ardelato ardelato merged commit 9e19a37 into hermes Apr 27, 2026
@ardelato ardelato deleted the fix/security-hardening branch April 27, 2026 21:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@djmetzle djmetzle djmetzle approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ardelato @djmetzle