steve/check-printing
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix remaining critical, medium, and low security issues

Browse Source 
IDOR (critical): GET /api/checks/:id and GET /api/deposits/:id now
verify the requesting user has access to the record's account before
returning data. Previously any authenticated user could fetch any
record by ID across accounts.

Printed check guard (critical): PUT and DELETE on checks now return
409 if the check has already been printed, enforcing the business rule
that printed checks are immutable. Previously the printed flag was
only enforced in the frontend.

PDF DoS (medium): checkIds array capped at 300 (100 pages × 3 per page).

QBO import DoS (medium): records array capped at 1000 per confirm call.

PDF error detail (medium): internal err.message no longer returned to
the client on PDF generation failure.

SESSION_SECRET (low): removed NODE_ENV=production condition — the
server now exits immediately on startup if SESSION_SECRET is unset
regardless of environment. Dev script updated to load .env via
node --env-file=.env so developers set it once in a local .env file.

Password hints (low): updated all three UI labels from "min 8 chars"
to "min 10 chars, include a digit or symbol" to match the actual
server-side validation.
This commit is contained in:
Steve Dogiakos
2026-03-20 13:28:18 -06:00
parent bd3e66cd44
commit 444e24a191
7 changed files with 23 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
public/index.html
+3 -3
View File
@@ -20,7 +20,7 @@
<input type="text" id="setup-username" autocomplete="username" autocapitalize="none">
</div>
<div class="form-group">
<label for="setup-password">Password <span class="field-hint">(min 8 characters)</span></label>
<label for="setup-password">Password <span class="field-hint">(min 10 characters, include a digit or symbol)</span></label>
<input type="password" id="setup-password" autocomplete="new-password">
</div>
<div class="form-group">
@@ -621,7 +621,7 @@
<input type="text" id="uf-username" autocapitalize="none">
</div>
<div class="form-group required">
<label for="uf-password">Password <span class="field-hint" id="uf-password-hint">(min 8 chars)</span></label>
<label for="uf-password">Password <span class="field-hint" id="uf-password-hint">(min 10 chars, include a digit or symbol)</span></label>
<input type="password" id="uf-password" autocomplete="new-password">
</div>
<div class="form-group required">
@@ -652,7 +652,7 @@
<input type="password" id="cp-current" autocomplete="current-password">
</div>
<div class="form-group">
<label for="cp-new">New Password <span class="field-hint">(min 8 chars)</span></label>
<label for="cp-new">New Password <span class="field-hint">(min 10 chars, include a digit or symbol)</span></label>
<input type="password" id="cp-new" autocomplete="new-password">
</div>
<div class="form-group">