docs: add comprehensive security audit report

[schartrand77]

Motivation

• Provide a single, actionable security audit that inventories dependency vulnerabilities and surfaces high-risk application issues uncovered by targeted manual review.
• Drive immediate remediation for critical runtime risks (XML parsing in 3MF processing), CSRF gaps on state-changing routes, and spoofable IP-based rate limiting.

Description

• Add a new audit document at docs/security-audit-2026-02-23.md containing methodology, an executive summary, detailed findings, a full npm audit vulnerability inventory, and a prioritized remediation plan.
• Call out three high-risk application issues: a critical DoS path via fast-xml-parser used for 3MF uploads, inconsistent same-origin CSRF enforcement on mutation routes (notably upload and many admin endpoints), and rate-limit keys that trust spoofable X-Forwarded-* headers.
• Provide concrete recommendations such as upgrading vulnerable deps, adding CSRF/mutation guards, tightening forwarding header trust boundaries, and adding CI dependency scanning and security regression tests.

Testing

• Ran npm audit --json, which executed successfully and reported the vulnerability inventory (50 findings: 1 critical, 42 high, 5 moderate, 2 low).
• Performed automated code discovery and pattern checks using rg to locate risky primitives and review areas of interest.
• Inspected relevant files for manual review using sed/file reads (lib/csrf.ts, app/api/upload/route.ts, lib/auth.ts, lib/rate-limit.ts, and auth/register/login routes) to validate the findings above.

---

Codex Task

Summary by Sourcery

Documentation:

• Add a new security audit document detailing dependency vulnerabilities, high-risk application issues, and a prioritized remediation plan.

[sourcery-ai]

Reviewer's Guide

Adds a new standalone security audit report document detailing current dependency vulnerabilities, three high‑risk application security issues, and a prioritized remediation plan, including methodology and commands used to generate the findings.

Sequence diagram for 3MF upload parsing and XML DoS risk

sequenceDiagram
    actor User
    participant Browser
    participant AppServer
    participant ModelPreviewQueue
    participant XMLParser

    User->>Browser: Select 3MF file and submit upload
    Browser->>AppServer: POST api_upload_route 3MF file
    AppServer->>ModelPreviewQueue: Enqueue 3MF preview job
    ModelPreviewQueue->>XMLParser: Parse 3MF XML internals
    XMLParser-->>ModelPreviewQueue: Parsed model data or error
    ModelPreviewQueue-->>AppServer: Preview state update
    AppServer-->>Browser: Upload response and preview status

    rect rgb(255,200,200)
        User->>XMLParser: Crafted XML with entity expansion payload
        XMLParser-->>XMLParser: Excessive CPU and memory usage
        XMLParser-->>AppServer: Service degradation or crash
    end

    rect rgb(200,235,255)
        AppServer->>XMLParser: Enforce size limits and timeouts
        AppServer->>XMLParser: Offload parsing to isolated worker
    end

Loading

Sequence diagram for state-changing request without CSRF enforcement

sequenceDiagram
    actor Attacker
    participant VictimBrowser
    participant AppServer

    Attacker->>VictimBrowser: Malicious page with hidden POST form
    VictimBrowser->>AppServer: POST api_admin_mutation with cookies
    AppServer->>AppServer: requireAdmin authentication check
    AppServer->>AppServer: Missing isSameOriginRequest check
    AppServer-->>VictimBrowser: 200 OK and state changed

    rect rgb(200,235,255)
        VictimBrowser->>AppServer: POST api_admin_mutation with cookies
        AppServer->>AppServer: MutationGuard authenticate and authorize
        AppServer->>AppServer: isSameOriginRequest validation
        AppServer-->>VictimBrowser: Reject cross-origin request on failure
    end

Loading

Sequence diagram for rate limiting with spoofable forwarding headers

sequenceDiagram
    actor Client
    participant ReverseProxy
    participant AppServer
    participant RateLimiter

    Client->>ReverseProxy: HTTP request with x_forwarded_for 1_2_3_4
    ReverseProxy->>AppServer: Forward request and headers
    AppServer->>AppServer: getRequestIp reads x_forwarded_for directly
    AppServer->>RateLimiter: Check limit key ip_1_2_3_4
    RateLimiter-->>AppServer: Allow request

    rect rgb(255,200,200)
        Client->>ReverseProxy: Send repeated requests with varying x_forwarded_for
        AppServer->>RateLimiter: New rate limit key per spoofed IP
        RateLimiter-->>AppServer: Throttling effectively bypassed
    end

    rect rgb(200,235,255)
        Client->>ReverseProxy: HTTP request without trusted headers
        ReverseProxy->>AppServer: Add sanitized x_forwarded_for from real client IP
        AppServer->>AppServer: getRequestIp trust headers only from ReverseProxy
        AppServer->>RateLimiter: Check combined key real_ip plus account_or_email
        RateLimiter-->>AppServer: Enforce robust limits
    end

Loading

Flow diagram for prioritized security remediation plan

flowchart TB
    Start["Start remediation work"]

    Start --> Immediate["Immediate same day tasks"]
    Immediate --> PatchDeps["Patch fast_xml_parser next nodemailer and other direct vulnerable dependencies"]
    Immediate --> AddCSRF["Add CSRF checks to all authenticated state changing routes"]

    Immediate --> ShortTerm["Short term 1 to 3 days"]
    ShortTerm --> HardenRateLimit["Harden rate limiting IP trust boundary"]
    ShortTerm --> TestsBypass["Add integration tests for CSRF and rate limit bypass attempts"]

    ShortTerm --> MediumTerm["Medium term 1 to 2 weeks"]
    MediumTerm --> CIScanning["Introduce continuous dependency scanning in CI with fail thresholds"]
    MediumTerm --> SecRegression["Add security regression tests for upload parsing and admin mutation endpoints"]

    SecRegression --> End["Security posture improved"]

Loading

File-Level Changes

Change	Details	Files
Documented a comprehensive security audit including findings, dependency vulnerability inventory, and remediation plan.	Added scope and methodology for the audit including automated and manual review techniques. Summarized overall dependency vulnerability counts and three high‑risk application issues. Described each major application finding with severity, impact, evidence, and recommended remediation steps. Included a full npm audit vulnerability inventory table enumerating affected packages and severities. Outlined a prioritized remediation plan with immediate, short‑term, and medium‑term actions, plus commands used to produce the report.	docs/security-audit-2026-02-23.md

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've left some high level feedback:

• Consider capturing the exact npm audit context (Node/npm versions, lockfile hash, date/time, and whether this was run with --production) so that the vulnerability inventory is reproducible and clearly scoped to the environment audited.
• For the critical fast-xml-parser and other high-risk dependencies, it may help to reference the specific advisory IDs (e.g., GHSA/CVE) or minimum safe versions so that remediation work can be directly tied to upstream fixes.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Consider capturing the exact `npm audit` context (Node/npm versions, lockfile hash, date/time, and whether this was run with `--production`) so that the vulnerability inventory is reproducible and clearly scoped to the environment audited.
- For the critical `fast-xml-parser` and other high-risk dependencies, it may help to reference the specific advisory IDs (e.g., GHSA/CVE) or minimum safe versions so that remediation work can be directly tied to upstream fixes.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}