215f931311
- Add CheckChannelPermission to permissions.Checker (layers channel overrides on top of role permissions) - Refactor requireChannelAccess to accept required permission bitmap - Message Create checks SEND_MESSAGES; List/Search check VIEW_CHANNEL - BulkDelete uses Checker.CheckPermission for MANAGE_MESSAGES - Channel handler List filters out channels user cannot view - Remove dead checkPermission method from message handler - Fix frontend avatar upload: parse response URL, call updateProfile
3.9 KiB
3.9 KiB
dumpsterChat Codebase Audit Report
This document contains a comprehensive audit of the dumpsterChat repository, highlighting security vulnerabilities, functional bugs, dead code, and maintenance issues.
1. Security Vulnerabilities & Bypasses
🚨 Plaintext Webhook Tokens Stored in Database ✅ RESOLVED
- Location: internal/db/db.go, internal/webhook/handlers.go
- Fix: Plaintext token column has been dropped via DDL migration (
ALTER TABLE webhooks DROP COLUMN IF EXISTS token;), and webhook creation no longer stores plaintext tokens in the database.
🚨 Message and Channel Access Bypasses Role Permissions & Overrides ✅ RESOLVED
- Location: internal/message/handlers.go, internal/channel/handlers.go
- Fix: Added
CheckChannelPermissionmethod topermissions.Checkerthat layers channel overrides on top of role permissions. UpdatedrequireChannelAccessto accept a required permission bitmap — message Create checksSEND_MESSAGES, List/Search checkVIEW_CHANNEL, BulkDelete usesCheckPermissionforMANAGE_MESSAGES. Channel handler List now filters out channels the user cannot view.
⚠️ WebAuthn Session Cookie SameSite Laxity ✅ RESOLVED
- Location: internal/auth/cookie.go
- Fix: Changed SameSite configuration to
http.SameSiteStrictMode.
⚠️ WebAuthn Session Cookie Secure Flag Relies on Env Var ✅ RESOLVED
- Location: internal/auth/cookie.go
- Fix: Default
secureis now set totrueunlessCOOKIE_SECURE=falseis explicitly set in environment variables.
2. Functional Bugs & Defects
🐛 User Avatar Cannot Be Changed ✅ RESOLVED
- Location: internal/auth/handlers.go, web/src/components/UserSettings.tsx
- Fix: Backend accepts
avatar_urlin PATCH profile. Frontend upload now parses the returned URL and callsupdateProfileto save it.UpdateProfilePayloadtype also gained theavatar_urlfield.
🐛 TUI Client Auth Failure Fallback Bug ✅ RESOLVED
- Location: cmd/tui/auth.go
- Fix: Correctly handles password input via fallback
pwLinescanner without overwriting the user's email address.
3. Dead Code
🗑️ Unused ComputeChannelPermissions ✅ RESOLVED
- Location: internal/permissions/overrides.go
- Fix: Unused function removed from the package.
🗑️ Duplicated Permission Verification ✅ RESOLVED
- Location: internal/message/handlers.go
- Fix: Removed the dead
checkPermissionmethod. Callers now use theCheckerfrom thepermissionspackage and its newCheckChannelPermissionmethod.
🗑️ Obsolete Handler Type ✅ RESOLVED
- Location: internal/message/handlers.go
- Fix: Removed obsolete
Handler_oldstruct definition.
4. Maintenance & Infrastructure
🧪 No Tests
- Description: There are zero unit or integration tests in the Go backend or React frontend (
go test ./...runs but finds no test files). - Remediation: Introduce tests for critical components such as permissions checking, message parsing, and session stores.
🔑 Hardcoded Valkey Password Placeholder ✅ RESOLVED
- Location: internal/config/config.go
- Fix: Default fallback URL set to
redis://localhost:6379.