jramos/cve-dashboard - cve-dashboard - Apophis Networking

jramos/cve-dashboard

Author	SHA1	Message	Date
jramos	8a6a3485e9	security: address audit findings C-4 through M-8 Critical: - C-4: Add express-rate-limit to login (20 attempts/15min) - C-5: Remove default credentials from LoginForm.js - C-6: Add sandbox attribute to KB document iframe High: - H-2: Hard-fail on startup if SESSION_SECRET env var is missing - H-6: Sanitize filenames in Content-Disposition headers - H-7: Fix KB upload race condition — move file after DB insert succeeds - H-8: Generate random admin password in setup.js instead of hardcoded - H-9: Add rehype-sanitize to ReactMarkdown (requires npm install) Medium: - M-4: Fix loose equality (==) to strict (===) in users.js self-checks - M-5: Add hostname format regex validation in compliance notes - M-6: Fix vendor trim-before-validate in ivantiTodoQueue.js - M-7: Sanitize original filename in compliance temp JSON - M-8: Pull CSP frame-ancestors from CORS_ORIGINS env var New dependencies needed: - backend: express-rate-limit (npm install in root) - frontend: rehype-sanitize (npm install in frontend/)	2026-04-07 10:23:10 -06:00
jramos	c50fc5d8a8	fix: address all 11 review items for group-based access control Bugs fixed: - knowledgeBase.js: logAudit calls converted from positional args to object signature - archerTickets.js: targetType/targetId renamed to entityType/entityId - server.js: single CVE delete now has cascade/compliance check for Standard_User Unprotected endpoints secured: - ivantiTodoQueue.js: POST/PUT/DELETE now require Admin or Standard_User - ivantiFindings.js: PUT note and POST sync now require Admin or Standard_User - compliance.js: POST notes now requires Admin or Standard_User - ivantiWorkflows.js: POST sync now requires Admin or Standard_User - auth.js: cleanup-sessions now requires Admin via requireAuth + requireGroup Additional fixes: - ExportsPage.js: canExport() guard blocks Read_Only users - knowledgeBase.js: Standard_User delete checks created_by ownership - Migration: added INSERT/UPDATE triggers to enforce valid user_group values	2026-04-07 10:09:18 -06:00
jramos	e9e2c0961d	fix: address all 11 review items for group-based access control Bugs fixed: - knowledgeBase.js: logAudit calls converted from positional args to object signature - archerTickets.js: targetType/targetId renamed to entityType/entityId - server.js: single CVE delete now has cascade/compliance check for Standard_User Unprotected endpoints secured: - ivantiTodoQueue.js: POST/PUT/DELETE now require Admin or Standard_User - ivantiFindings.js: PUT note and POST sync now require Admin or Standard_User - compliance.js: POST notes now requires Admin or Standard_User - ivantiWorkflows.js: POST sync now requires Admin or Standard_User - auth.js: cleanup-sessions now requires Admin via requireAuth + requireGroup Additional fixes: - ExportsPage.js: canExport() guard blocks Read_Only users - knowledgeBase.js: Standard_User delete checks created_by ownership - Migration: added INSERT/UPDATE triggers to enforce valid user_group values	2026-04-07 09:52:26 -06:00
jramos	73fd747576	feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention	2026-04-06 16:18:07 -06:00
jramos	3b37646b6d	Fixed issue with upload doctype	2026-02-17 08:52:26 -07:00
jramos	241ff16bb4	Fix: Allow iframe embedding from frontend origin using CSP frame-ancestors	2026-02-13 11:14:59 -07:00
jramos	79a1a23002	Added knowledge base enhancements for documentation viewing and preloaded Ivanti config for next feature	2026-02-13 09:43:09 -07:00