security: address audit findings C-4 through M-8

Critical: - C-4: Add express-rate-limit to login (20 attempts/15min) - C-5: Remove default credentials from LoginForm.js - C-6: Add sandbox attribute to KB document iframe High: - H-2: Hard-fail on startup if SESSION_SECRET env var is missing - H-6: Sanitize filenames in Content-Disposition headers - H-7: Fix KB upload race condition — move file after DB insert succeeds - H-8: Generate random admin password in setup.js instead of hardcoded - H-9: Add rehype-sanitize to ReactMarkdown (requires npm install) Medium: - M-4: Fix loose equality (==) to strict (===) in users.js self-checks - M-5: Add hostname format regex validation in compliance notes - M-6: Fix vendor trim-before-validate in ivantiTodoQueue.js - M-7: Sanitize original filename in compliance temp JSON - M-8: Pull CSP frame-ancestors from CORS_ORIGINS env var New dependencies needed: - backend: express-rate-limit (npm install in root) - frontend: rehype-sanitize (npm install in frontend/)
2026-04-07 10:23:10 -06:00
parent 169a0d2337
commit 8a6a3485e9
11 changed files with 62 additions and 34 deletions
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -14,6 +14,7 @@
    "react-markdown": "^10.1.0",
    "react-scripts": "5.0.1",
    "recharts": "^3.8.1",
+    "rehype-sanitize": "^6.0.0",
    "web-vitals": "^2.1.4",
    "xlsx": "^0.18.5"
  },
--- a/frontend/src/components/KnowledgeBaseViewer.js
+++ b/frontend/src/components/KnowledgeBaseViewer.js
@@ -1,5 +1,6 @@
 import React, { useState, useEffect, useRef } from 'react';
 import ReactMarkdown from 'react-markdown';
+import rehypeSanitize from 'rehype-sanitize';
 import mermaid from 'mermaid';
 import { X, Download, Loader, AlertCircle, FileText, File } from 'lucide-react';

@@ -233,6 +234,7 @@ export default function KnowledgeBaseViewer({ article, onClose }) {
            {isMarkdown && (
              <div className="markdown-content">
                <ReactMarkdown
+                  rehypePlugins={[rehypeSanitize]}
                  components={{
                    code({ inline, className, children }) {
                      const lang = /language-(\w+)/.exec(className || '')?.[1];
@@ -277,6 +279,7 @@ export default function KnowledgeBaseViewer({ article, onClose }) {
            {isPDF && (
              <div className="w-full" style={{ height: '700px' }}>
                <iframe
+                  sandbox="allow-same-origin"
                  src={`${API_BASE}/knowledge-base/${article.id}/content`}
                  title={article.title}
                  className="w-full h-full rounded"
--- a/frontend/src/components/LoginForm.js
+++ b/frontend/src/components/LoginForm.js
@@ -98,12 +98,6 @@ export default function LoginForm() {
                        )}
                    </button>
                </form>
-
-                <div className="mt-6 pt-6 border-t border-intel-grid">
-                    <p className="text-sm text-gray-500 text-center font-mono">
-                        Default: <span className="text-intel-accent">admin</span> / <span className="text-intel-accent">admin123</span>
-                    </p>
-                </div>
            </div>
        </div>
    );