43 lines
1.6 KiB
Markdown
43 lines
1.6 KiB
Markdown
# Security Analysis Report
|
|
|
|
Date: 2026-03-02
|
|
Repository: /Users/bedas/Developer/GitHub/dcm
|
|
Scope: backend FastAPI API and worker, frontend React app, Docker runtime configuration, and local `.env` posture.
|
|
|
|
## Executive Verdict
|
|
|
|
Current state is **not production ready**.
|
|
|
|
- Blocking code-level issues exist and should be fixed before production exposure.
|
|
- Additional user-dependent deployment risks are present in `.env` and runtime defaults. Per request, these are listed as MUST KNOW and not marked as blocking.
|
|
|
|
## Method and Coverage
|
|
|
|
Performed a read-only static review of:
|
|
|
|
- API auth, authorization, upload and file handling, routing, settings, and worker pipelines.
|
|
- Frontend auth token handling and preview rendering behavior.
|
|
- Docker and environment defaults affecting network and secret posture.
|
|
- Existing security-focused tests and basic frontend API tests.
|
|
|
|
## Blocking Security Issues (Code-Level)
|
|
|
|
### 3) Medium - Bearer token stored in browser sessionStorage
|
|
|
|
Impact:
|
|
|
|
- Any successful XSS on the frontend origin can steal bearer tokens and replay them.
|
|
|
|
Exploit path:
|
|
|
|
- Malicious script execution on app origin reads `sessionStorage` and exfiltrates `Authorization` token.
|
|
|
|
Evidence:
|
|
|
|
- Token persisted in sessionStorage and injected into `Authorization` header: `frontend/src/lib/api.ts:39-42`, `frontend/src/lib/api.ts:61-67`, `frontend/src/lib/api.ts:84-95`, `frontend/src/lib/api.ts:103-112`.
|
|
|
|
Remediation:
|
|
|
|
- Prefer HttpOnly Secure SameSite cookies for session auth, plus CSRF protection.
|
|
- If bearer-in-JS remains, enforce strict CSP, remove inline script execution, and add strong dependency hygiene.
|