Trek_CN/SECURITY.md

27 lines
731 B
Markdown
Raw Normal View History

2026-03-19 23:16:47 +08:00
# Security Policy
## Supported Versions
| Version | Supported |
|---|---|
| Latest | Yes |
| Older | No |
Only the latest version receives security updates. Please update to the latest release.
## Reporting a Vulnerability
If you discover a security vulnerability, please report it responsibly:
1. **Do not** open a public issue
security: login timing enumeration fix + dep CVE patches (v3.0.18) (#984) * fix(security): equalise login response timing to prevent user enumeration (CWE-208) Always run bcrypt.compareSync regardless of whether the email exists, using a module-scope DUMMY_PASSWORD_HASH for unknown/OIDC-only accounts. Also wraps the login handler in a 350ms minimum-latency pad (matching /forgot-password) as defence-in-depth against CPU jitter and future code-path drift. Fixes: CWE-203, CWE-208 — Observable Timing Discrepancy (CVSS 5.3 Medium) * chore(deps): patch hono/picomatch/ip-address/brace-expansion CVEs, bump to node:24-alpine Extends server/package.json overrides to pin hono >=4.12.16, picomatch >=4.0.4, brace-expansion >=2.0.3, ip-address >=10.1.1. Adds matching overrides to client/. Lockfiles regenerated to resolve: hono 4.12.18, ip-address 10.2.0, picomatch 4.0.4. Also bumps base image node:22-alpine -> node:24-alpine (reduces base image CVEs) and adds .github/workflows/security.yml to gate PRs on critical/high CVEs via Docker Scout. Addresses: CVE-2026-44456, CVE-2026-44455 (hono), CVE-2026-42338 (ip-address), CVE-2026-33671, CVE-2026-33672 (picomatch), CVE-2026-33750 (brace-expansion) * chore: update emails in security.md * ci(security): use docker/login-action for Scout auth instead of env vars * chore: regenerate lock files * chore: correct secret names * chore: pr perms write * fix(docker): remove package-lock.json from production image after npm ci Docker Scout reads package-lock.json as an SBOM source and reports all lockfile entries including devDependencies (e.g. picomatch via vitest/vite) even when they are not physically installed. The lockfile has no runtime purpose after npm ci completes, so delete it to ensure Scout only reports packages actually present in node_modules. * fix(docker): remove npm CLI from production image to eliminate bundled CVEs picomatch@4.0.3, brace-expansion@5.0.4, and ip-address@10.1.0 were all coming from /usr/local/lib/node_modules/npm — npm's own bundled packages shipped with node:24-alpine. The production container only needs the node binary to run the server; npm is unused at runtime. Removing npm + npx after npm ci drops the package count from 500 to 365 and eliminates all npm-ecosystem CVEs (0H 0M remaining from npm packages). Only busybox CVE-2025-60876 remains, which has no fix in Alpine 3.23. * fix(deps): remove client overrides and brace-expansion server override; audit fix brace-expansion ^2.0.3 in the client forced all installations to v2, breaking minimatch in CI (test:coverage path via @vitest/coverage-v8 -> test-exclude) which expects the named-export API of brace-expansion v5. The CVE it targeted (>=4.0.0,<5.0.5) was only in npm's own bundled packages, already eliminated by removing npm from the Docker image. Also removes picomatch and ip-address client overrides for the same reason: all three CVEs sourced from /usr/local/lib/node_modules/npm/, not app deps. Drops brace-expansion from server overrides (server uses v2.1.0, outside the affected range >=4.0.0). * fix(#981): align public share itinerary order with daily planner (#985) The public share page rendered daily items in a different order than the authenticated planner because it used a simplified, divergent merge algorithm. Five specific bugs: 1. shareService never loaded reservation_day_positions, so per-day transport positions were lost on the share page (fell back to day_plan_position ?? 999, pushing transports to the bottom). 2. Multi-day transports (overnight trains/flights) only appeared on their start day due to date-string filtering instead of day_id span logic. 3. Assignment-linked transports appeared twice (once as place, once as transport card) because the assignment_id exclusion was missing. 4. Time-based transport insertion was absent; missing positions used 999 instead of a computed fractional position from the place timeline. 5. created_at tiebreaker was missing for assignments and notes with equal order_index/sort_order, making order non-deterministic on the share page. Fix: extract the authoritative merge logic (parseTimeToMinutes, getSpanPhase, getDisplayTimeForDay, getTransportForDay, getMergedItems) from DayPlanSidebar into client/src/utils/dayMerge.ts and use it in both the planner and SharedTripPage. Enrich the shareService payload with day_positions from reservation_day_positions and add created_at tiebreakers to the assignment and day_notes ORDER BY clauses. * fix(#983): shift owner vacay entries when update_trip moves trip window updateTrip() now calls shiftOwnerEntriesForTripWindow() which looks up the owner's own vacay plan (not the active plan) and shifts all entries in the old date window by the same offset as the trip start date.
2026-05-10 22:03:15 +08:00
2. Emails: **mauriceboe@icloud.com**, **trek-security@jubnl.ch**
2026-03-19 23:16:47 +08:00
3. Include a description of the vulnerability and steps to reproduce
You will receive a response within 48 hours. Once confirmed, a fix will be released as soon as possible.
## Scope
This policy covers the TREK application and its Docker image (`mauriceboe/trek`).
2026-03-19 23:16:47 +08:00
Third-party dependencies are monitored via GitHub Dependabot.