3.8 KiB
3.8 KiB
dumpsterChat Codebase Audit Report
This document contains a comprehensive audit of the dumpsterChat repository, highlighting security vulnerabilities, functional bugs, dead code, and maintenance issues.
1. Security Vulnerabilities & Bypasses
🚨 Plaintext Webhook Tokens Stored in Database (Task 8 Regression/Incomplete) ✅ RESOLVED
- Location: internal/db/db.go, internal/webhook/handlers.go
- Fix: DROP COLUMN migration added, INSERT no longer stores plaintext
token.
🚨 Message and Channel Access Bypasses Role Permissions & Overrides
- Location: internal/message/handlers.go, internal/channel/handlers.go
- Description: Access to channel reading, message listing, and message posting is checked solely via server membership (
memberstable). Role permissions (likeVIEW_CHANNELorSEND_MESSAGES) and channel-level overrides (channel_overridestable) are completely ignored. - Impact: Any user who is a member of a server can read, search, and post messages in any channel on that server (including private, forum, calendar, or documentation channels), completely bypassing the permissions configuration system.
- Remediation: Update
requireChannelAccessinmessage.Handlerto usepermissions.Checkerto verify channel permission overrides and server roles.
⚠️ WebAuthn Session Cookie SameSite Laxity ✅ RESOLVED
- Location: internal/auth/cookie.go
- Fix: Changed to
http.SameSiteStrictMode.
⚠️ WebAuthn Session Cookie Secure Flag Relies on Env Var ✅ RESOLVED
- Location: internal/auth/cookie.go
- Fix: Default
securetotrueunlessCOOKIE_SECURE=falseexplicitly set.
2. Functional Bugs & Defects
🐛 User Avatar Cannot Be Changed ✅ RESOLVED
- Location: internal/auth/handlers.go
- Fix: Added
AvatarURLtoupdateProfileRequest, wired into SQL UPDATE foravatarcolumn.
🐛 TUI Client Auth Failure Fallback Bug ✅ RESOLVED
- Location: cmd/tui/auth.go
- Fix: Fallback reads into password variable instead of overwriting email.
3. Dead Code
🗑️ Unused ComputeChannelPermissions ✅ RESOLVED
- Location: internal/permissions/overrides.go
- Fix: Removed the unused function.
🗑️ Duplicated Permission Verification
- Location: internal/message/handlers.go
- Description: The
checkPermissionmethod inmessage.Handlerduplicates role checking queries instead of using thepermissions.Checkerstruct.
🗑️ Obsolete Handler Type ✅ RESOLVED
- Location: internal/message/handlers.go
- Fix: Removed
Handler_old.
4. Maintenance & Infrastructure
🧪 No Tests
- Description: There are zero unit or integration tests in the Go backend or React frontend (
go test ./...runs but finds no test files). - Remediation: Introduce tests for critical components such as permissions checking, message parsing, and session stores.
🔑 Hardcoded Valkey Password Placeholder ✅ RESOLVED
- Location: internal/config/config.go
- Fix: Default fallback set to
redis://localhost:6379.