openclaw/oikos
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): address critical and high findings from security audit

Browse Source 
Fix stored XSS in tasks (titles/subtasks) and settings (member list)
by applying escHtml(). Harden trust proxy to loopback default, add
OAuth state parameter for Google Calendar CSRF protection, sanitize
CSV export against formula injection, invalidate sessions on user
deletion, restrict usernames to alphanumeric chars, and require admin
role for calendar sync triggers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Ulas
2026-04-03 17:28:36 +02:00
parent 1122bd269b
commit 3d2604bab9
10 changed files with 96 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/index.js
+3 -2
View File
@@ -60,8 +60,9 @@ app.use(helmet({
} : false,
}));
// Trust Proxy für korrekte IP hinter Nginx
app.set('trust proxy', 1);
// Trust Proxy: nur aktivieren wenn ein Reverse Proxy vorgeschaltet ist (TRUST_PROXY env var).
// Default 'loopback' akzeptiert nur X-Forwarded-For von localhost - verhindert IP-Spoofing.
app.set('trust proxy', process.env.TRUST_PROXY || 'loopback');
// --------------------------------------------------------
// Request-Parsing