security: address audit findings C-4 through M-8

Critical: - C-4: Add express-rate-limit to login (20 attempts/15min) - C-5: Remove default credentials from LoginForm.js - C-6: Add sandbox attribute to KB document iframe High: - H-2: Hard-fail on startup if SESSION_SECRET env var is missing - H-6: Sanitize filenames in Content-Disposition headers - H-7: Fix KB upload race condition — move file after DB insert succeeds - H-8: Generate random admin password in setup.js instead of hardcoded - H-9: Add rehype-sanitize to ReactMarkdown (requires npm install) Medium: - M-4: Fix loose equality (==) to strict (===) in users.js self-checks - M-5: Add hostname format regex validation in compliance notes - M-6: Fix vendor trim-before-validate in ivantiTodoQueue.js - M-7: Sanitize original filename in compliance temp JSON - M-8: Pull CSP frame-ancestors from CORS_ORIGINS env var New dependencies needed: - backend: express-rate-limit (npm install in root) - frontend: rehype-sanitize (npm install in frontend/)
2026-04-07 10:23:10 -06:00
parent 169a0d2337
commit 8a6a3485e9
11 changed files with 62 additions and 34 deletions
--- a/backend/routes/knowledgeBase.js
+++ b/backend/routes/knowledgeBase.js
@@ -92,22 +92,15 @@ function createKnowledgeBaseRouter(db, upload) {
    const slug = generateSlug(title);
    const kbDir = path.join(__dirname, '..', 'uploads', 'knowledge_base');

-    // Create directory if it doesn't exist
-    if (!fs.existsSync(kbDir)) {
-      fs.mkdirSync(kbDir, { recursive: true });
-    }
-
    const filename = `${timestamp}_${sanitizedName}`;
    const filePath = path.join(kbDir, filename);

    try {
-      // Move uploaded file to permanent location
-      fs.renameSync(uploadedFile.path, filePath);
-
+      // Keep file in temp location until DB insert succeeds
      // Check if slug already exists
      db.get('SELECT id FROM knowledge_base WHERE slug = ?', [slug], (err, row) => {
        if (err) {
-          fs.unlinkSync(filePath);
+          fs.unlinkSync(uploadedFile.path);
          console.error('Error checking slug:', err);
          return res.status(500).json({ error: 'Database error' });
        }
@@ -138,11 +131,22 @@ function createKnowledgeBaseRouter(db, upload) {
          ],
          function (err) {
            if (err) {
-              fs.unlinkSync(filePath);
+              fs.unlinkSync(uploadedFile.path);
              console.error('Error inserting knowledge base entry:', err);
              return res.status(500).json({ error: 'Failed to save document metadata' });
            }

+            // DB insert succeeded — now move file to permanent location
+            try {
+              if (!fs.existsSync(kbDir)) {
+                fs.mkdirSync(kbDir, { recursive: true });
+              }
+              fs.renameSync(uploadedFile.path, filePath);
+            } catch (moveErr) {
+              console.error('Error moving file to permanent location:', moveErr);
+              // File is orphaned in temp but DB record exists — log and continue
+            }
+
            // Log audit entry
            logAudit(db, {
              userId: req.user.id,
@@ -165,8 +169,8 @@ function createKnowledgeBaseRouter(db, upload) {
        );
      });
    } catch (error) {
-      // Clean up file on error
-      if (fs.existsSync(filePath)) fs.unlinkSync(filePath);
+      // Clean up temp file on error
+      if (uploadedFile && fs.existsSync(uploadedFile.path)) fs.unlinkSync(uploadedFile.path);
      console.error('Error uploading knowledge base document:', error);
      res.status(500).json({ error: error.message || 'Failed to upload document' });
    }
@@ -288,12 +292,14 @@ function createKnowledgeBaseRouter(db, upload) {
        contentType = 'text/plain; charset=utf-8';
      }

+      const safeFileName = row.file_name.replace(/["\r\n\\]/g, '');
      res.setHeader('Content-Type', contentType);
      // Use inline instead of attachment to allow browser to display
-      res.setHeader('Content-Disposition', `inline; filename="${row.file_name}"`);
+      res.setHeader('Content-Disposition', `inline; filename="${safeFileName}"`);
      // Allow iframe embedding from frontend origin
      res.removeHeader('X-Frame-Options');
-      res.setHeader('Content-Security-Policy', "frame-ancestors 'self' http://71.85.90.9:3000 http://localhost:3000");
+      const corsOrigins = process.env.CORS_ORIGINS ? process.env.CORS_ORIGINS.split(',').join(' ') : 'http://localhost:3000';
+      res.setHeader('Content-Security-Policy', `frame-ancestors 'self' ${corsOrigins}`);
      res.sendFile(row.file_path);
    });
  });
@@ -338,8 +344,9 @@ function createKnowledgeBaseRouter(db, upload) {
        ipAddress: req.ip
      });

+      const safeDownloadName = row.file_name.replace(/["\r\n\\]/g, '');
      res.setHeader('Content-Type', row.file_type || 'application/octet-stream');
-      res.setHeader('Content-Disposition', `attachment; filename="${row.file_name}"`);
+      res.setHeader('Content-Disposition', `attachment; filename="${safeDownloadName}"`);
      res.sendFile(row.file_path);
    });
  });