6.1 KiB
6.1 KiB
dumpsterChat Codebase Audit Report
This document contains a comprehensive audit of the dumpsterChat repository, highlighting security vulnerabilities, functional bugs, dead code, and maintenance issues.
1. Security Vulnerabilities & Bypasses
🚨 Plaintext Webhook Tokens Stored in Database (Task 8 Regression/Incomplete)
- Location: internal/db/db.go, internal/webhook/handlers.go
- Description: While a
token_hashcolumn and SHA-256 validation were added to execute webhooks securely, the database migrations did not drop the plaintexttokencolumn. Furthermore, when webhooks are created, the handler still inserts the plaintext token directly into thetokencolumn alongsidetoken_hash. - Impact: If the database is compromised, an attacker can retrieve all webhook tokens in plaintext, bypassing the security gains of hashing.
- Remediation: Drop the
tokencolumn from the database schema and modify theINSERTquery inCreatewebhook handler to only storetoken_hash.
🚨 Message and Channel Access Bypasses Role Permissions & Overrides
- Location: internal/message/handlers.go, internal/channel/handlers.go
- Description: Access to channel reading, message listing, and message posting is checked solely via server membership (
memberstable). Role permissions (likeVIEW_CHANNELorSEND_MESSAGES) and channel-level overrides (channel_overridestable) are completely ignored. - Impact: Any user who is a member of a server can read, search, and post messages in any channel on that server (including private, forum, calendar, or documentation channels), completely bypassing the permissions configuration system.
- Remediation: Update
requireChannelAccessinmessage.Handlerto usepermissions.Checkerto verify channel permission overrides and server roles.
⚠️ WebAuthn Session Cookie SameSite Laxity
- Location: internal/auth/cookie.go
- Description: The session cookie's
SameSiteattribute is set tohttp.SameSiteDefaultMode(which modern browsers default toSameSite=Lax). For session tokens,StrictModeor explicitLaxModeis highly recommended to protect against CSRF. - Remediation: Change
SameSitetohttp.SameSiteStrictModeorhttp.SameSiteLaxModeexplicitly.
⚠️ WebAuthn Session Cookie Secure Flag Relies on Env Var
- Location: internal/auth/cookie.go
- Description: The
Secureflag on the session cookie is determined byos.Getenv("COOKIE_SECURE") == "true". If this environment variable is misconfigured or omitted in production, the session cookie will be sent over unencrypted HTTP connections. - Remediation: Default
securetotrueor check if the incoming request is served over HTTPS to automatically enable/disable it.
2. Functional Bugs & Defects
🐛 User Avatar Cannot Be Changed
- Location: internal/auth/handlers.go, internal/upload/handlers.go, web/src/components/UserSettings.tsx
- Description: The file upload endpoint
/api/v1/uploaduploads a file and returns its URL, but does not associate it with the user. TheUpdateProfilehandler (PATCH /auth/me) does not accept an avatar field in its payload, meaning there is no way to update the user's avatar database column. The frontend settings page allows uploading a new avatar, but since it is never saved to the profile, it reverts to the Gravatar on the next load. - Remediation: Add
AvatarURLto theupdateProfileRequestpayload and update the database query inUpdateProfileto set theavatarcolumn.
🐛 TUI Client Auth Failure Fallback Bug
- Location: cmd/tui/auth.go
- Description: If
term.ReadPasswordfails during TUI login, the fallback code runsfmt.Scanln(&email)instead of reading the password, which overwrites the user's email with whatever password they type. - Remediation: Change
fmt.Scanln(&email)to read into a password variable (e.g.var password string; fmt.Scanln(&password)).
3. Dead Code
🗑️ Unused ComputeChannelPermissions
- Location: internal/permissions/overrides.go
- Description: The helper method
ComputeChannelPermissions(which properly layers channel-level overrides on top of server-wide role permissions) is never called anywhere in the active codebase.
🗑️ Duplicated Permission Verification
- Location: internal/message/handlers.go
- Description: The
checkPermissionmethod inmessage.Handlerduplicates role checking queries instead of using thepermissions.Checkerstruct.
🗑️ Obsolete Handler Type
- Location: internal/message/handlers.go
- Description:
Handler_oldis declared but never instantiated or used.
4. Maintenance & Infrastructure
🧪 No Tests
- Description: There are zero unit or integration tests in the Go backend or React frontend (
go test ./...runs but finds no test files). - Remediation: Introduce tests for critical components such as permissions checking, message parsing, and session stores.
🔑 Hardcoded Valkey Password Placeholder
- Location: internal/config/config.go
- Description: The default fallback
VALKEY_URLcontains a masked password placeholder (redis://localhost:***@example.com), which is invalid. - Remediation: Default fallback to a simple local endpoint without authentication (e.g.,
redis://localhost:6379).