bigtux/lexmind
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
08bd4f039dee9ce23fc4d3de6a11b577887588ae
lexmind/SECURITY-AUDIT.md

213 lines
7.5 KiB
Markdown
Raw Blame History

# LexMind Security Audit Report
**Date:** 2026-02-01
**Auditor:** Automated Security Audit
**Status:** ✅ COMPLETED
---
## Executive Summary
Comprehensive security audit of the LexMind application (Next.js 16 + Prisma + PostgreSQL + NextAuth + Stripe). Found and fixed **12 vulnerabilities** across 7 categories. Zero npm vulnerabilities remain.
---
## 1. NPM Vulnerabilities
**Status:** ✅ FIXED
| Before | After |
|--------|-------|
| 21 high severity | 0 vulnerabilities |
- **Root cause:** `fast-xml-parser` 5.2.5 (via AWS SDK) had RangeError DoS bug
- **Fix:** Added npm override for `fast-xml-parser@5.3.4` in package.json
---
## 2. SQL Injection / Prisma
**Status:** ✅ CLEAN
- No `$queryRaw` or `$executeRaw` usage found
- All database access uses Prisma's parameterized queries
- No raw SQL anywhere in the codebase
---
## 3. XSS (Cross-Site Scripting)
**Status:** ✅ CLEAN
- No `dangerouslySetInnerHTML` or `innerHTML` usage found
- React's default escaping protects against XSS
- Added Content-Security-Policy header (see Section 9)
---
## 4. CSRF Protection
**Status:** ✅ VERIFIED
- NextAuth CSRF tokens working correctly
- Cookies use `__Host-` prefix with `HttpOnly; Secure; SameSite=Lax`
- All mutating API routes require authenticated session
---
## 5. Authentication & Authorization
**Status:** ✅ FIXED (2 critical issues)
### 🔴 CRITICAL: Unauthenticated Checkout Route
- **File:** `/api/checkout/route.ts`
- **Issue:** No `getServerSession` check — anyone could create Stripe checkout sessions
- **Fix:** Added authentication check, uses session email instead of user-provided email
### 🔴 CRITICAL: Unauthenticated DOCX Export Route
- **File:** `/api/export/docx/route.ts`
- **Issue:** No authentication — anyone could generate DOCX documents
- **Fix:** Added `getServerSession` check
### Auth Coverage (all routes verified):
| Route | Auth | IDOR Protected |
|-------|------|----------------|
| /api/admin/stats | ✅ ADMIN check | N/A |
| /api/analise-processo | ✅ session.user.id | ✅ userId filter |
| /api/analise-processo/[id] | ✅ session.user.id | ✅ userId filter |
| /api/auditoria | ✅ session.user.id | ✅ userId filter |
| /api/auditoria/[id] | ✅ session.user.id | ✅ userId filter |
| /api/chat | ✅ session.user.id | ✅ userId filter |
| /api/chat/[chatId] | ✅ session.user.id | ✅ userId filter |
| /api/checkout | ✅ **FIXED** | N/A |
| /api/documents | ✅ session.user.id | ✅ userId filter |
| /api/documents/[id] | ✅ session.user.id | ✅ userId filter |
| /api/documents/generate | ✅ session.user.id | N/A |
| /api/export/docx | ✅ **FIXED** | N/A |
| /api/jurisprudencia | ✅ session.user.id | N/A (public data) |
| /api/jurisprudencia/search | ✅ session.user.id | N/A (public data) |
| /api/keys | ✅ session.user.id | ✅ userId filter |
| /api/keys/[id] | ✅ session.user.id | ✅ userId filter |
| /api/prazos | ✅ session.user.id | ✅ userId filter |
| /api/prazos/[id] | ✅ session.user.id | ✅ userId filter |
| /api/register | N/A (public) | N/A |
| /api/stripe/checkout | ✅ session.user | ✅ |
| /api/stripe/portal | ✅ session.user | ✅ |
| /api/stripe/webhook | N/A (Stripe sig) | ✅ signature verified |
| /api/templates | ✅ session.user.id | ✅ userId filter |
| /api/uploads | ✅ session.user.id | ✅ userId filter |
| /api/uploads/[id] | ✅ session.user.id | ✅ userId filter |
---
## 6. Rate Limiting
**Status:** ✅ VERIFIED
Nginx rate limiting active:
- Auth routes: 5 req/min (`zone=auth`)
- API routes: 20 req/sec (`zone=api`)
- General: 30 req/sec (`zone=general`)
- Connection limit: 20 per IP (`conn_limit`)
- Scanner/bot blocking via User-Agent filter
---
## 7. Input Validation
**Status:** ✅ FIXED (5 improvements)
- **Created:** `src/lib/validate.ts` with sanitization utilities
- **Register route:** Added input length limits for all fields
- **Chat route:** Added 10,000 char message limit
- **Auditoria route:** Added title (500) and content (100,000) limits
- **Prazos route:** Added title (500) and description (5,000) limits
- **Pagination:** Bounded page/limit params in uploads and jurisprudencia routes
- **Uploads:** Added server-side file extension validation (defense in depth)
---
## 8. Sensitive Data Exposure
**Status:** ✅ FIXED
- **Created `.gitignore`** — `.env` was not being excluded (no `.gitignore` existed!)
- **Stripe error messages:** Stopped leaking `error.message` to client in checkout/portal routes
- **API responses:** Verified no password hashes or internal IDs are exposed
- **API keys:** Properly hashed (SHA-256), only shown once on creation, masked in listings
- **NEXT_PUBLIC vars:** Only publishable Stripe key and app URL (safe)
- **Error handling:** All routes return generic error messages, details logged server-side
---
## 9. Security Headers
**Status:** ✅ FIXED (2 new headers added)
### Headers now active:
| Header | Value | Status |
|--------|-------|--------|
| X-Frame-Options | SAMEORIGIN | ✅ existing |
| X-Content-Type-Options | nosniff | ✅ existing |
| X-XSS-Protection | 1; mode=block | ✅ existing |
| Referrer-Policy | strict-origin-when-cross-origin | ✅ existing |
| Strict-Transport-Security | max-age=31536000; includeSubDomains | ✅ existing |
| Content-Security-Policy | Full CSP policy | ✅ **ADDED** |
| Permissions-Policy | camera=(), microphone=(), geolocation=() | ✅ **ADDED** |
| server_tokens | off | ✅ existing |
---
## 10. Database Security
**Status:** ✅ VERIFIED
- PostgreSQL listens only on localhost (default, `listen_addresses = 'localhost'`)
- `pg_hba.conf` uses `scram-sha-256` for TCP connections
- Local connections use `peer` authentication
- No remote access configured
---
## 11. File Upload Security
**Status:** ✅ VERIFIED + IMPROVED
- MIME type whitelist: PDF, DOC, DOCX, TXT only
- **Added:** File extension validation (defense in depth)
- Max size: 50MB (enforced both in app and nginx `client_max_body_size`)
- Storage limits per plan (1GB-20GB)
- File paths sanitized via `buildKey()` — strips all special chars
- No path traversal possible (`../` becomes `___`)
- Files stored as `private` ACL on DigitalOcean Spaces
- Access via signed URLs (15 min expiry)
---
## 12. Session Security
**Status:** ✅ IMPROVED
- Cookies: `__Host-` prefix, `HttpOnly`, `Secure`, `SameSite=Lax`
- **Reduced session maxAge from 30 days to 7 days** (more appropriate for legal app)
- JWT strategy with strong NEXTAUTH_SECRET (44 chars, base64)
- CSRF token verified on all auth requests
---
## 13. Other Fixes
### Duplicate Webhook Route Removed
- **Deleted:** `/api/webhook/stripe/route.ts` (incomplete, only logged events, no DB updates)
- **Active:** `/api/stripe/webhook/route.ts` (fully functional with DB updates)
### Next.js Middleware Added
- **Created:** `src/middleware.ts` — adds security headers at application level as backup
---
## 14. Remaining Notes (Low Risk)
| Item | Risk | Notes |
|------|------|-------|
| `typescript: { ignoreBuildErrors: true }` in next.config | Low | Could hide type errors; recommend fixing eventually |
| AWS SDK DoS vuln was in XML parsing | Info | Fixed via override, but only exploitable if attacker controls S3 responses |
| File upload MIME check trusts client header | Low | Mitigated by extension whitelist + private storage |
| No email verification on registration | Medium | Users can register with unverified emails |
---
## Deployment Status
- ✅ All fixes applied
-`npm audit`: 0 vulnerabilities
- ✅ Build successful
- ✅ PM2 restarted
- ✅ Nginx reloaded with new headers
- ✅ Application verified working
Reference in New Issue View Git Blame Copy Permalink