geli
[Tracking] 🐛 BUG: Legacy security flaws
Numerous security flaws accumulated in previous release cycles. The goal now is to fix them and eventually reach a release that is (presumably) free of known security issues.
Most of the tracked issues are API-related, although some changes in the front-end may also be necessary as part of the fixes.
Completed issues
- Fixed numerous severe user-related security issues. #691 #709
  This primarily dealt with issues in `UserController.ts`.
- Fixed multiple severe course-related security issues. #594 #653 #691
  This primarily dealt with issues in `CourseController.ts`.
- Updated the dependencies for security. #661
- Disabled the unused but still existing `tutor` role. #710 (This was no direct security issue.)
- Secured the static `uploads` route. #729
- Switched to cookie-based authentication. #840 (This is more of an improvement over the previous `localStorage`-based system with separate `mediaToken`s than a vulnerability fix by itself, except that `localStorage` could be targeted by XSS attacks.)
- Comprehensive search for remaining legacy security flaws. #853
- Chat message forgery. #989 (Not really a legacy vulnerability, since the chat was introduced in the previous semester.)
Open issues
The audit (and now tracking) issue #853 describes various open vulnerabilities that may well not yet have their own issue (and thus aren't directly listed here either).