NW
|
de415633be
|
feat(security): Phase 1 — critical security fixes and hardening

- #42: Remove hardcoded ENCRYPTION_KEY fallback from config.js,
  add startup validation for BOT_TOKEN and ENCRYPTION_KEY length
- #43: Fix SQL injection vulnerabilities — add ALLOWED_TABLES
  whitelist in database.js, ALLOWED_USER_FIELDS in userService.js,
  validate table names before PRAGMA
- #44: Fix race condition in purchaseService.js — wrap createPurchase
  in BEGIN IMMEDIATE TRANSACTION, add atomic balance/stock checks
- #41: Move all secrets from docker-compose.yml to .env file,
  use env_file directive
- #45: Replace MD5 tx_hash with crypto.randomUUID()
- #46: Upgrade KDF from SHA-256 to HKDF for mnemonic encryption,
  add backward compatibility for legacy format
- #47: Add input validation across all handlers — walletType
  whitelist, string length limits, numeric ID checks, price bounds

New files:
- src/utils/encryption.js (HKDF key derivation)
- src/__tests__/security.test.js (SQL injection prevention tests)

Closes: #41, #42, #43, #44, #45, #46, #47
|
2026-06-17 21:52:49 +01:00 |
|
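
The identifier allowlisting named under #43 in the commit message above, sketched as an added JavaScript example that is not the project's own code. The constant names ALLOWED_TABLES and ALLOWED_USER_FIELDS come from the message; their contents and the helper names `assertAllowed`, `pragmaTableInfo` and `buildUserUpdate` are hypothetical.

```javascript
// Added illustration. The table and column names are constructed samples,
// not the project's real schema.
const ALLOWED_TABLES = new Set(['users', 'products', 'purchases']);
const ALLOWED_USER_FIELDS = new Set(['username', 'balance', 'language']);

// SQLite cannot bind an identifier as a parameter, so a table or column
// name is checked against a fixed set before it is placed in the statement.
function assertAllowed(name, allowed, kind) {
  if (typeof name !== 'string' || !allowed.has(name)) {
    throw new Error(`Rejected ${kind}: ${JSON.stringify(name)}`);
  }
  return name;
}

// PRAGMA statements take the table name inline, which is why the name
// must be validated first.
function pragmaTableInfo(table) {
  const safe = assertAllowed(table, ALLOWED_TABLES, 'table');
  return `PRAGMA table_info("${safe}")`;
}

// Column names come only from the allowlist; values travel only as
// bound parameters and never appear in the SQL text.
function buildUserUpdate(userId, changes) {
  if (!Number.isSafeInteger(userId) || userId <= 0) {
    throw new Error('Rejected user id');
  }
  const fields = Object.keys(changes);
  if (fields.length === 0) {
    throw new Error('No fields to update');
  }
  const assignments = fields.map(
    (f) => `"${assertAllowed(f, ALLOWED_USER_FIELDS, 'column')}" = ?`
  );
  return {
    sql: `UPDATE users SET ${assignments.join(', ')} WHERE id = ?`,
    params: [...fields.map((f) => changes[f]), userId],
  };
}
```

The returned `sql` and `params` are meant to be handed to whichever SQLite driver is in use through its prepared-statement interface.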