
Implement security audit recommendations #32

Merged
alari76 merged 1 commit into main from fix/security-audit-hardening
Mar 9, 2026

Conversation

@alari76 (Contributor) commented Mar 9, 2026

Summary

  • H1: Fix SSRF in Stepflow callback — invert allowedCallbackHosts guard to deny-by-default when unconfigured
  • H2: Move auth token off WebSocket URL — use post-connect auth message handshake instead of query string to prevent log/referrer exposure
  • H3: Stop forwarding master auth token to child processes — derive session-scoped HMAC tokens with limited privileges
  • M1: Require explicit CORS_ORIGIN in production (NODE_ENV=production exits if unset)
  • M3: Add per-IP WebSocket connection rate limiting (30/min) before handshake
  • M4: Enforce 0600 permissions on all persisted state files (sessions, approvals, workflow config)
  • M5: Add regex-based secret redaction to bash command logging (Bearer tokens, passwords, API keys)
  • M6: Replace execSync('claude --version') with execFileSync to avoid shell invocation
  • L1: Add Content-Security-Policy, Permissions-Policy, Strict-Transport-Security (production), change X-Frame-Options to DENY
  • L3: Wrap createWorkspace in try/finally to clean up partial workspaces on failure
  • L4: Tighten clone endpoint validation — reject names starting with . (blocks .git, ..)

Addresses all findings from the 2026-03-09 security audit.

Test plan

  • All 855 existing tests pass
  • Build succeeds with no errors
  • Lint passes with 0 errors (only pre-existing warnings)
  • Verify WebSocket auth message handshake works in browser
  • Verify hook endpoints accept session-scoped tokens from child processes
  • Verify Stepflow callbacks are rejected when STEPFLOW_CALLBACK_HOSTS is unset

🤖 Generated with Claude Code

Address all findings from the 2026-03-09 security audit:

High: Fix SSRF deny-by-default in Stepflow callbacks, move auth
token off WebSocket URL to post-connect message, replace master
auth token with HMAC-derived session-scoped tokens for child
processes.

Medium: Enforce CORS_ORIGIN in production, add per-IP WebSocket
rate limiting, set 0600 on persisted state files, add secret
redaction to command logging, replace execSync with execFileSync.

Low: Add CSP/HSTS/Permissions-Policy headers, wrap workspace
setup in try/finally for cleanup, tighten clone endpoint
name validation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@alari76 alari76 merged commit 9767eef into main Mar 9, 2026
2 checks passed
@alari76 alari76 deleted the fix/security-audit-hardening branch March 10, 2026 05:11