BOHA
|
519edce373
|
fix: 2026-06-09 full-codebase audit hardening
Validation: shared NaN-guarded Zod coercion helpers in schemas/common.ts replace
the raw number|string transform idiom across every schema (the root-cause NaN bug
class); emailOrEmpty + lenient isoDateString/timeString.
Security: roles privilege-escalation closed; refresh-token family revocation on
reuse; TOTP uses config params; read endpoints permission-guarded; received-invoices
gross VAT on all paths; orders-pdf custom-items authz.
Concurrency: $queryRaw SELECT...FOR UPDATE locks in ascending-id order (warehouse
confirm/cancel, attendance lockUserRow); uniqueness checks moved into create
transactions (TOCTOU -> 409); deterministic id tiebreak on second-precision
timestamp ordering (plan resolveCell/resolveGrid, warehouse FIFO).
Frontend: Rules-of-Hooks fixed across ~14 pages + PlanCellModal; UTC-date persisted
fields; dashboard invalidation gaps; stale-closure confirm bugs.
Tooling/tests: ESLint flat config (react-hooks/rules-of-hooks = error) + Prettier;
tsconfig.test.json so tsc -b type-checks the tests; removed 3 dead deps; npm audit
fix (8 -> 3). Suite 195 -> 247 (happy-path auth, FIFO oldest-first, flakiness fixes),
isolated on app_test via .env.test with a hard-throw setup guard.
Gates: tsc 0 | build 0 | vitest 247/247 | eslint 0 errors.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
2026-06-09 06:45:26 +02:00 |
|
BOHA
|
4f4b12f039
|
security: fix all Medium findings from FLAWS_REPORT audit
- Auth: TOTP replay protection with counter tracking, constant-time
backup code comparison, atomic lockout increment, per-token logout
- Invoices/PDFs: net-based VAT calculation, dangerous URL scheme
stripping in cleanQuillHtml, orders-pdf error handling
- Orders: reject item changes on status transition, cascading
delete cleanup, take:1 with orderBy
- Projects: atomic rename collision handling, MIME/extension
validation, empty customer name rejection
- Attendance: Czech public holiday awareness in frontend fund
calculation, leave_hours 0 handling, invalid date NaN guard,
bounded per-month queries in workfund
- Users/Admin: profile audit logging + password validation, session
revocation guard, session ID validation, dashboard DB aggregation,
soft-deleted record protection in scope templates
- Frontend: FormField label linkage, Pagination ARIA, error
handling in OrderConfirmationModal, 401 propagation, GPS emoji
hidden from screen readers, table sort state fix, geolocation
race/abort cleanup, Leaflet popup DOM safety, Vehicles toggleActive
minimal body, CompanySettings ref mutation fix, OfferDetail unlock
abort, AttendanceBalances combined fetches
- Utils: env validation, Puppeteer concurrency mutex, invoice alert
cron cleanup on shutdown, body limit alignment, TOTP error logging,
trustProxy from env, symlink rejection, rate cache Map usage
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
2026-04-24 08:24:14 +02:00 |
|