ui/_docs/05_security/dependency_scan.md
Oleksandr Bezdieniezhnykh f7dd6c98d8
ci/woodpecker/push/build-arm Pipeline failed
[AZ-501] [AZ-502] Cycle 2 Step 14 security audit + inline fixes
Security audit (5 phases) → reports under _docs/05_security/.

AZ-501 (F-SAST-1, HIGH): Externalize hardcoded Google Geocode key
from mission-planner/src/config.ts to VITE_GOOGLE_GEOCODE_KEY via
new GeocodeService.ts; fail-soft warn when unset; STC-SEC1D static
deny-list gate; +5 unit tests in tests/mission_planner_geocode.test.ts.

AZ-502 (F-DEP-1, HIGH): Force vite>=6.4.2 and postcss>=8.5.10 via
package.json overrides in both roots; clean reinstall clears all
bun audit advisories.

Test-spec sync (Step 12) + Update Docs (Step 13) deltas: AC-43, AC-44,
NFT-SEC-09b, FT-P-61, FT-N-17, ripple log, batch_12 report.

Pending user actions: revoke Google + OWM keys (AC-6 / AZ-499 AC-7).

229 PASS / 13 SKIP / 0 FAIL on static + fast suites.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-12 05:31:11 +03:00


# Dependency Scan — Azaion UI

**Date**: 2026-05-12

**Scope**: `package.json` + `bun.lock` (root) and `mission-planner/package.json` + `mission-planner/bun.lock`

**Tool**: `bun audit v1.3.11` (the project's pinned package manager)

**Cycle**: Phase B / Cycle 2 (post AZ-498, AZ-499)

---
## Summary
| Severity | Count | Packages |
|----------|-------|----------|
| Critical | 0 | — |
| High | 1 | `vite` (dev-server only) |
| Moderate | 2 | `vite` (dev-server only), `postcss` (build-time, low surface) |
| Low | 0 | — |

**Both roots (main `ui/` and `mission-planner/`) report the SAME advisory set** — they resolve the same Vite 6.x and PostCSS 8.5.x version lines.
## Findings
### F-DEP-1 — Vite Arbitrary File Read via Dev Server WebSocket — HIGH
| Field | Value |
|-------|-------|
| Advisory | [GHSA-p9ff-h696-f583](https://github.com/advisories/GHSA-p9ff-h696-f583) |
| Package | `vite` |
| Installed | `6.4.1` (resolved in `bun.lock`) |
| Affected | `vite <= 6.4.1` |
| Fix | Upgrade to `vite >= 6.4.2` (or latest 6.x), or `bun update` |
| Found via | `bun audit` |
| Roots | `ui/` (direct), `mission-planner/` (direct) |

**Production impact**: **NONE.** The Vite dev server is only used during `bun run dev` and `vitest` (test). Production runs `nginx:alpine` serving pre-built static assets from `dist/` (`Dockerfile:8-12`). The Vite WebSocket endpoint does not exist in production.

**Developer-machine impact**: **HIGH** in dev. An attacker on the same network as a developer running `bun run dev` with `--host` (passing `--host` without a value binds the dev server to `0.0.0.0`) can read arbitrary files from the developer's filesystem via the WebSocket path traversal. Mitigation: keep the dev server bound to `localhost` only, which is Vite's default unless `--host` is passed.

**Remediation**:
1. `bun update vite` in both roots (drops in-range to `6.4.2+`).
2. Verify build passes (`bun run build`) and fast tests stay green (`scripts/run-tests.sh fast`).
3. CI would-have-blocked check: add `bun audit --high` exit-code gate to `.woodpecker/build-arm.yml` (Phase B follow-up — see infrastructure review).
### F-DEP-2 — Vite Path Traversal in Optimized Deps `.map` Handling — MODERATE
| Field | Value |
|-------|-------|
| Advisory | [GHSA-4w7w-66w2-5vf9](https://github.com/advisories/GHSA-4w7w-66w2-5vf9) |
| Package | `vite` |
| Installed | `6.4.1` |
| Affected | `vite <= 6.4.1` |
| Fix | Upgrade to `vite >= 6.4.2` (same upgrade as F-DEP-1) |
| Found via | `bun audit` |
| Roots | `ui/` (direct), `mission-planner/` (direct) |

**Production impact**: **NONE** — same reason as F-DEP-1; production has no Vite dev server.

**Developer-machine impact**: **MODERATE** — path traversal on `/optimized-deps/<…>.map` paths during dev sessions.

**Remediation**: same upgrade as F-DEP-1 (single `bun update vite` resolves both).
### F-DEP-3 — PostCSS XSS via Unescaped `</style>` in CSS Stringify Output — MODERATE
| Field | Value |
|-------|-------|
| Advisory | [GHSA-qx2v-qp2m-jg93](https://github.com/advisories/GHSA-qx2v-qp2m-jg93) |
| Package | `postcss` (transitive: `vite > postcss`) |
| Installed | `8.5.8` (resolved in `bun.lock`) |
| Affected | `postcss < 8.5.10` |
| Fix | Upgrade to `postcss >= 8.5.10` (transitive — flows through `vite >= 6.4.2`) |
| Found via | `bun audit` |
| Roots | `ui/` (transitive), `mission-planner/` (transitive) |

**Production impact**: **LOW.** The advisory affects code that takes UNTRUSTED CSS as input, stringifies it with PostCSS, and injects the result into a page, where a `</style>` breakout becomes XSS. In this project PostCSS only processes:

- `src/index.css` (controlled, in-repo)
- Tailwind-generated CSS (via `@tailwindcss/vite` 4.2.2, controlled inputs)

No user-supplied CSS is ever processed, so there is no exploit path in this codebase today. Treat as a hygiene upgrade.

**Build-time impact**: PostCSS runs at build time. The vulnerability surfaces only with attacker-controlled CSS input, which does not occur in this build.

**Remediation**: same upgrade as F-DEP-1/F-DEP-2 (transitive resolution lifts `postcss` to `>= 8.5.10`).
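The breakout condition behind F-DEP-3, shown as an added example that is neither this project's code nor PostCSS's own fix: the HTML tokenizer ends a `<style>` element at the first `</style` it sees, whatever the CSS grammar says, so stringified CSS from an untrusted source must be checked or escaped before it is placed inline. The `hasStyleBreakout` / `escapeForStyleElement` / `styleElement` helpers and the sample CSS are constructed for this illustration.

```javascript
// Added example (not project code, not PostCSS's fix): guard CSS text
// before embedding it in a <style> element.

// The HTML parser closes a <style> element at "</style" case-insensitively,
// regardless of where it sits in the CSS (string, comment, selector).
const STYLE_CLOSE = /<\/style/i;

// Detection: would this CSS terminate a <style> element if embedded verbatim?
function hasStyleBreakout(css) {
  return STYLE_CLOSE.test(css);
}

// Mitigation: escape "</" as "<\/". In CSS, "\/" is an escape for "/", so the
// stylesheet keeps its meaning while the HTML tokenizer no longer sees
// "</style". This is independent of which CSS tool produced the text.
function escapeForStyleElement(css) {
  return css.replace(/<\//g, '<\\/');
}

// Build the inline style element from (possibly untrusted) CSS.
function styleElement(css) {
  return `<style>${escapeForStyleElement(css)}</style>`;
}

// Constructed sample input: a hostile string value inside an otherwise
// valid rule. The marker element stands in for whatever would follow a
// real breakout.
const UNTRUSTED_CSS = 'a::after { content: "</style><b>injected</b>"; }';
const SAFE_CSS = 'a { color: red; }';

console.log('breakout in untrusted CSS:', hasStyleBreakout(UNTRUSTED_CSS));
console.log('breakout in safe CSS:', hasStyleBreakout(SAFE_CSS));
console.log(styleElement(UNTRUSTED_CSS));
```

The detection helper is the cheaper check to put in front of any code path that stringifies CSS it did not author; the escaping helper is the fallback for paths that must embed the text anyway.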
## Combined Remediation
A single command fixes all three findings in both roots:
```bash
bun update vite # in ui/
cd mission-planner && bun update vite
```
Then re-run `bun audit` in both roots to confirm zero findings.
## CI Coverage Gap
`.woodpecker/build-arm.yml` does NOT run `bun audit` today (confirmed by file inspection). The current pipeline catches only static-analysis regressions (`scripts/run-tests.sh static`), not new CVEs entering the lockfile. This is a **MEDIUM** infrastructure finding — see `infrastructure_review.md` F-INF-1.
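The gate this section asks for, as an added example that is not part of the project or of `bun audit`: it takes resolved package versions, evaluates them against advisory ranges of the form used in the findings tables above, and returns whether a CI step should fail at a chosen severity threshold. The advisory records are built from the three findings in this report; the `BEFORE` / `AFTER` version maps are constructed sample input standing in for a lockfile parse, and the range grammar is limited to the comparator clauses the findings use (no `^`/`~`, no pre-release tags). It does not assume any particular `bun audit --json` output shape.

```javascript
// Added example (not project code): severity-gated advisory check over
// resolved versions, the logic a CI audit step would apply.

// Parse "MAJOR.MINOR.PATCH" into numbers. Pre-release suffixes are not
// handled because the advisories above only use plain triples.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison per component, so 6.10.0 > 6.4.2 (not lexicographic).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Range grammar: space-separated comparator clauses ("<= 6.4.1",
// ">= 6.4.2 < 7.0.0"), all of which must hold (AND).
function satisfies(version, range) {
  const normalized = range.trim().replace(/([<>=]+)\s+/g, '$1');
  return normalized.split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(clause);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    const cmp = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '<': return cmp < 0;
      case '<=': return cmp <= 0;
      case '>': return cmp > 0;
      case '>=': return cmp >= 0;
      default: return cmp === 0;
    }
  });
}

const SEVERITY_RANK = { low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed from the findings F-DEP-1..3 in this report.
const ADVISORIES = [
  { id: 'GHSA-p9ff-h696-f583', pkg: 'vite', affected: '<= 6.4.1', severity: 'high' },
  { id: 'GHSA-4w7w-66w2-5vf9', pkg: 'vite', affected: '<= 6.4.1', severity: 'moderate' },
  { id: 'GHSA-qx2v-qp2m-jg93', pkg: 'postcss', affected: '< 8.5.10', severity: 'moderate' },
];

// Advisories whose affected range matches the resolved version.
function findVulnerable(resolved, advisories = ADVISORIES) {
  return advisories.filter(
    (adv) => resolved[adv.pkg] !== undefined && satisfies(resolved[adv.pkg], adv.affected),
  );
}

// CI gate: shouldFail is true when any hit is at or above the threshold.
// The report proposes gating on high; lower thresholds are stricter.
function auditGate(resolved, threshold = 'high', advisories = ADVISORIES) {
  if (!(threshold in SEVERITY_RANK)) throw new Error(`unknown threshold: ${threshold}`);
  const hits = findVulnerable(resolved, advisories);
  const blocking = hits.filter((a) => SEVERITY_RANK[a.severity] >= SEVERITY_RANK[threshold]);
  return { hits, blocking, shouldFail: blocking.length > 0 };
}

// Constructed sample resolutions: the lockfile state this report found,
// and the state after the `bun update vite` remediation.
const BEFORE = { vite: '6.4.1', postcss: '8.5.8' };
const AFTER = { vite: '6.4.2', postcss: '8.5.10' };

for (const [label, resolved] of [['before', BEFORE], ['after', AFTER]]) {
  const result = auditGate(resolved, 'high');
  console.log(label, 'hits:', result.hits.map((a) => a.id), 'fail:', result.shouldFail);
}
```

In a pipeline step the script would exit non-zero when `shouldFail` is true; the threshold argument is what lets the same script serve as a hard gate on high/critical and a warning-only report on moderate.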
## Self-verification
- [x] Both `package.json` manifests scanned (`ui/` + `mission-planner/`)
- [x] Each finding has a GHSA advisory ID
- [x] Upgrade paths identified for the High and Moderate findings (single `bun update vite`)
- [x] Production vs. dev impact distinguished for every finding