
Security: fercarvalho/alya


SECURITY.md

Security Policy

🔒 Supported Versions

We release security updates for the following versions:

Version   Supported   Status
1.x       ✅ Yes      Current stable release
< 1.0     ❌ No       Legacy, no longer supported

πŸ› Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:

⚠️ DO NOT Create Public Issues

Do not disclose security vulnerabilities through public GitHub issues, discussions, or pull requests.

✅ Responsible Disclosure Process

  1. Email us: fernando@viverdepj.com.br
  2. Subject: [SECURITY] Brief description of the issue
  3. Include:
    • Detailed description of the vulnerability
    • Steps to reproduce the issue
    • Potential impact assessment
    • Affected versions
    • Suggested fix (if available)
    • Your contact information

🕒 What to Expect

  • Initial Response: Within 48 hours (weekdays)
  • Status Update: Within 5 business days
  • Fix Timeline:
    • Critical: 24-72 hours
    • High: 7 days
    • Medium: 14 days
    • Low: 30 days

🎁 Recognition

Security researchers who responsibly disclose vulnerabilities will be acknowledged in:

  • Release notes
  • SECURITY.md (with permission)
  • Hall of Fame (coming soon)

πŸ›‘οΈ Security Features

Current Implementation (v1.x)

Authentication & Authorization

  • ✅ JWT-based authentication with refresh tokens
  • ✅ Access tokens: 15-minute expiration
  • ✅ Refresh tokens: 7-day expiration with rotation
  • ✅ Bcrypt password hashing (cost factor: 10)
  • ✅ Rate limiting on authentication endpoints (100 req/15min)
  • ✅ Account lockout after failed login attempts
  • ✅ Secure password reset flow with time-limited tokens

Input Validation & Sanitization

  • ✅ Express-validator for input validation
  • ✅ Mongo-sanitize for NoSQL injection prevention
  • ✅ XSS-clean middleware
  • ✅ HPP (HTTP Parameter Pollution) protection
  • ✅ Prepared statements for SQL queries (100% coverage)
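What the mongo-sanitize step in the list above actually prevents, as an added example that is not the project's code and not the mongo-sanitize package itself. A JSON body such as {"email":"a@b.c","password":{"$ne":""}} passed straight into a findOne({ email, password }) matches any non-empty password. The self-contained equivalent below drops keys that begin with "$" or contain "." (the same rule the package applies) and also drops keys that would rewrite an object's prototype, a trap a hand-written sanitizer easily falls into. The stricter loginQueryFromBody shows the shape a login handler should prefer: type-check the fields and never put the password in the query at all.

```javascript
// Added example (not the project's code): operator-key stripping for untrusted
// JSON bound for MongoDB, plus a typed login-body check.
const DROP_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function sanitizeMongo(value) {
  if (Array.isArray(value)) return value.map(sanitizeMongo);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      // "$ne", "$gt", "$where" are query operators; "a.b" is a path selector;
      // "__proto__" would set out's prototype instead of a property.
      if (k.startsWith('$') || k.includes('.') || DROP_KEYS.has(k)) continue;
      out[k] = sanitizeMongo(v);
    }
    return out;
  }
  return value;   // strings, numbers, booleans, null pass through unchanged
}

// Stricter shape for a login form: fields must be strings, so an object where a
// string belongs is rejected instead of silently emptied. The password is kept
// out of the query; look the user up by e-mail and compare the bcrypt hash after.
function loginQueryFromBody(body) {
  const { email, password } = sanitizeMongo(body || {});
  if (typeof email !== 'string' || typeof password !== 'string') {
    throw new TypeError('email and password must be strings');
  }
  return { query: { email }, password };
}
```

Stripping is the fallback; the type check is the primary control, because a sanitizer that turns {"$ne":""} into {} still leaves a query that does not mean what the developer wrote.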

Security Headers

  • ✅ Helmet.js configured with:
    • Content Security Policy (CSP)
    • X-Content-Type-Options: nosniff
    • X-Frame-Options: DENY
    • X-XSS-Protection: 1; mode=block (legacy header: Chromium and Firefox no longer implement the XSS auditor it controlled, and current Helmet versions send 0 by default; CSP is the control that matters)
    • Strict-Transport-Security (HSTS)
    • Referrer-Policy: no-referrer
  • ✅ CORS origin allow-list loaded from environment variables

Logging & Monitoring

  • ✅ Comprehensive audit logging system
  • ✅ Automated log rotation (90-day retention)
  • ✅ Sensitive data masking in logs (CPF, passwords)
  • ✅ Failed login attempt tracking
  • ✅ IP address and User-Agent logging
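The masking step from the list above, shown as an added example rather than the project's own logger. It redacts secret-bearing fields by key name and masks CPF numbers (the 11-digit Brazilian taxpayer ID, written 000.000.000-00) wherever they appear in string values, including inside free-text fields, then assembles the audit record with the IP and User-Agent the list mentions. The key-name list and the decision to keep the two CPF check digits visible for correlation are assumptions.

```javascript
// Added example (not the project's code): mask secrets and CPFs in a log record
// before it is written. Key names and the CPF pattern are assumptions.
const SECRET_KEYS = /^(password|senha|passwd|token|refreshToken|authorization|secret)$/i;
// 11 digits, formatted (123.456.789-09) or bare (12345678909). \b keeps it from
// matching inside longer digit runs.
const CPF_RE = /\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b/g;

function maskCpf(text) {
  // Keep only the two check digits so support staff can still correlate records.
  return text.replace(CPF_RE, (m) => `***.***.***-${m.slice(-2)}`);
}

function maskSensitive(value, depth = 0) {
  if (depth > 20) return '[truncated]';                 // cyclic or absurdly deep input
  if (typeof value === 'string') return maskCpf(value);
  if (Array.isArray(value)) return value.map((v) => maskSensitive(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SECRET_KEYS.test(k) ? '[REDACTED]' : maskSensitive(v, depth + 1);
    }
    return out;
  }
  return value;                                         // numbers, booleans, null
}

// Audit record with the fields the policy lists: who, from where, which client,
// what happened. req is an Express-style request (ip, headers, body).
function auditRecord(req, event, outcome) {
  return maskSensitive({
    ts: new Date().toISOString(),
    event,
    outcome,
    ip: req.ip,
    userAgent: req.headers['user-agent'],
    body: req.body,
  });
}
```

Masking by key name catches the fields you know about; the CPF regex catches the ones you did not, such as a CPF typed into a "notes" field. Running the regex over every string is the cheaper mistake compared with a leaked identifier in 90 days of retained logs.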

Dependency Management

  • ✅ Regular npm audit scans
  • ✅ Automated dependency updates via Dependabot
  • ✅ No known critical vulnerabilities

Data Protection

  • ✅ Sensitive environment variables (.env not committed)
  • ✅ Secrets rotation policy (every 6 months)
  • ✅ Password strength requirements enforced
  • ✅ HTTPS enforced in production
  • ✅ Secure cookie settings

📋 Security Audit History

2026-03-04 - Comprehensive Security Audit

Auditor: Claude (Anthropic AI)
Score: 8.5/10
OWASP Top 10 Compliance: 85%

Issues Fixed:

  1. ✅ CRITICAL: JWT_SECRET was weak → Rotated to cryptographically strong secret
  2. ✅ CRITICAL: jspdf vulnerabilities (8 CVEs) → Updated to v4.2.0
  3. ✅ HIGH: Refresh tokens not implemented → Full implementation complete
  4. ✅ MEDIUM: Console.log in production → Terser configured to remove
  5. ✅ MEDIUM: CORS hardcoded → Moved to environment variables

Remaining Issues:

  1. ⚠️ HIGH: xlsx library vulnerability → Documented as technical debt, mitigations in place
  2. ⚠️ LOW: CSP allows 'unsafe-inline' (which removes most of CSP's protection against injected scripts) → Accepted for an internal app, nonce implementation planned

Full Report: SECURITY-AUDIT-REPORT.md


2026-03-03 - Initial Security Review

Auditor: Internal Team
Score: 7.0/10

Issues Fixed:

  1. ✅ Implemented audit logging system
  2. ✅ Added rate limiting on sensitive endpoints
  3. ✅ Configured Helmet security headers
  4. ✅ Implemented input validation middleware

🔄 Security Update Schedule

Routine Maintenance

  • Dependency Audits: Weekly (automated via Dependabot)
  • Manual Security Review: Monthly
  • Penetration Testing: Quarterly (planned)
  • Credential Rotation: Every 6 months

Next Scheduled Actions

  • Next Credential Rotation: 2026-09-03
  • Next Full Audit: 2026-06-03
  • Next Dependency Update: Automated (ongoing)

🚨 Known Vulnerabilities

Active

1. xlsx Library - Prototype Pollution & ReDoS

Severity: HIGH
Discovered: 2026-03-03
Status: Documented as Technical Debt
CVEs: Multiple (see npm audit)

Mitigation:

  • File size limits enforced (5MB)
  • Rate limiting on upload endpoints
  • Filename sanitization
  • User input validation
  • Uploads isolated from application code

Planned Fix: Migration to exceljs library (Q2 2026)
Tracking: TECH-DEBT.md #1


Resolved

jspdf Multiple Vulnerabilities (Resolved 2026-03-03)

Severity: CRITICAL
Vulnerability classes: LFI, PDF Injection, XSS, DoS, XMP Injection
Fixed: Updated from v3.0.4 → v4.2.0
Details: JSPDF-UPDATE-NOTES.md

Weak JWT Secret (Resolved 2026-03-03)

Severity: CRITICAL
Issue: JWT_SECRET was potentially weak
Fixed: Rotated to cryptographically strong 256-bit secret
Details: SECURITY-CREDENTIALS-ROTATION.md


🎯 Scope

In Scope

  • ✅ Web application (frontend + backend API)
  • ✅ Authentication & authorization mechanisms
  • ✅ Data validation and sanitization
  • ✅ Session management
  • ✅ API endpoints
  • ✅ File upload functionality
  • ✅ Database interactions
  • ✅ Third-party dependencies

Out of Scope

  • ❌ Infrastructure (hosting, network, firewall)
  • ❌ Physical security
  • ❌ Social engineering
  • ❌ DDoS attacks (handled at infrastructure level)
  • ❌ DNS vulnerabilities

πŸ” Security Best Practices for Contributors

For Developers

1. Authentication

// ✅ GOOD: Short-lived access token plus a rotating refresh token
// (15-minute access, 7-day refresh, as configured for v1.x)
const { accessToken, refreshToken } = await auth.login(username, password);

// ❌ BAD: Long-lived tokens. A leaked token stays valid for a month and,
// being stateless, cannot be revoked before it expires.
const token = jwt.sign(payload, secret, { expiresIn: '30d' });

2. Input Validation

// ✅ GOOD: Validate and sanitize with express-validator's checkSchema
const { checkSchema, validationResult } = require('express-validator');

const schema = {
  email: { isEmail: true, normalizeEmail: true },
  amount: { isFloat: { options: { min: 0 } } },
};
app.post('/api/endpoint', checkSchema(schema), (req, res) => {
  const errors = validationResult(req);   // the middleware only records errors; the handler must check
  if (!errors.isEmpty()) return res.status(400).json({ errors: errors.array() });
  return handler(req, res);
});

// ❌ BAD: Trust user input (and interpolate it straight into SQL)
const { email, amount } = req.body;
await db.query(`INSERT INTO table VALUES ('${email}', ${amount})`);

3. SQL Queries

// ✅ GOOD: Parameterized query (node-postgres sends values separately from the SQL text)
await pool.query('SELECT * FROM users WHERE id = $1', [userId]);

// ❌ BAD: String concatenation. userId = "' OR '1'='1" returns every row.
await pool.query(`SELECT * FROM users WHERE id = '${userId}'`);

4. Secrets Management

// ✅ GOOD: Environment variables
const apiKey = process.env.API_KEY;

// ❌ BAD: Hardcoded secrets
const apiKey = 'sk_live_1234567890abcdef';

5. Error Handling

// ✅ GOOD: Generic error messages to client
res.status(500).json({ error: 'Internal server error' });
console.error('Database error:', error); // Log detailed error server-side

// ❌ BAD: Expose internal details (stack traces reveal paths, versions and query shapes)
res.status(500).json({ error: error.stack });

Security Checklist for Pull Requests

Before submitting a PR, verify:

  • No hardcoded secrets or API keys
  • All user inputs are validated and sanitized
  • SQL queries use prepared statements
  • Sensitive data is not logged
  • New endpoints have authentication/authorization
  • Rate limiting applied to sensitive endpoints
  • Error messages don't expose internal details
  • Dependencies are up to date (npm audit)
  • No console.log in production code
  • CORS properly configured for new endpoints
  • Audit logging added for sensitive operations

📚 Security Resources

Internal Documentation

External Resources


πŸ† Hall of Fame

Security researchers who have responsibly disclosed vulnerabilities:

Date          Researcher   Vulnerability   Severity
Coming soon   -            -               -

📞 Contact

For security-related questions or concerns:

Response Time: Within 48 hours (weekdays)


📄 License

This security policy is part of the ALYA project and is provided for transparency and responsible disclosure.


Last Updated: 2026-03-04
Next Review: 2026-06-04
Version: 1.0

There aren't any published security advisories