Skip to content

security hygiene pass from audit

jedmund requested to merge jedmund/audit-security into main

Created by: jedmund

First slice of fixes from the recent codebase audit — the three critical/security items. Architecture, styling, and minor fixes will follow in separate branches.

Changes

  • Remove Redis URL log leakconsole.log(process.env.REDIS_URL) at boot was dumping the connection string (creds included) into production logs. Also deleted three leftover scratch files at repo root (test-db.ts, test-form-loading.js, SVG_ANALYSIS_REPORT.md).
  • Require ADMIN_SESSION_SECRET — dropped the 'dev-session-secret' fallback so the secret must be set in every environment. Also removed the GET handler from /admin/logout so a <img src> on another page can't CSRF you out.
  • Sanitize editor HTML — all {@html} output from renderEdraContent() now passes through isomorphic-dompurify. YouTube iframes and audio-player data attributes are still allowed; scripts / onerror / javascript: URLs are stripped.

Deploy notes

  • Railway already has ADMIN_SESSION_SECRET set — no env changes needed there.
  • Local dev now requires ADMIN_SESSION_SECRET in .env.local (already in .env.example).

Test plan

  • pnpm dev — admin login still works; confirm no REDIS_URL line in terminal at boot
  • GET /admin/logout returns 405, not a redirect that clears the cookie
  • POST /admin/logout still logs you out
  • Garden / album pages with normal content render unchanged
  • Inject <script> / onerror payload via editor JSON → confirm stripped on render
  • YouTube embed still renders

Merge request reports

Loading