Files
tfm_ainventory/dev_docs/SECURITY_REPORT.md
Daniel Bedeleanu 704934165f Build [v.1.3.6]
2026-04-11 17:14:22 +03:00

2.5 KiB

Security Audit Report - TFM aInventory

Date: 2026-04-11 Status: Completed & Patched

1. Executive Summary

This audit evaluated the security posture of the TFM aInventory system across Authentication, API Logic, Offline Synchronization, and Infrastructure. Major vulnerabilities like LDAP Injection and session redirect loops were identified and mitigated.

2. Audit Findings & Mitigations

2.1 LDAP Injection (CRITICAL - FIXED)

  • Vulnerability: The LDAP login flow interpolated the raw username into the DN template using .format(), allowing attackers to craft malicious DNs.
  • Impact: Potential unauthorized access or LDAP server manipulation.
  • Mitigation: Implemented escape_rdn_chars from ldap3.utils.conv to sanitize the username before it is injected into the DN template.

2.2 JWT Session Stability (MEDIUM - RESOLVED)

  • Vulnerability: In standalone mode, the system generated a new JWT_SECRET_KEY on every restart if not provided in the environment.
  • Impact: All active user sessions would be invalidated upon server restart, potentially causing data loss for unsynced offline operations.
  • Mitigation: Added documentation in USER_GUIDE.md on how to set a persistent JWT_SECRET_KEY. Standardized logout logic to prevent redirect loops when tokens become invalid.

2.3 Container Security (LOW - VERIFIED)

  • Review: Both Backend and Frontend Dockerfiles were audited for privilege escalation risks.
  • Status: Both use non-root users (appuser for backend, nextjs for frontend). File ownership is properly restricted.

2.4 Audit Log Integrity (LOW - VERIFIED)

  • Review: Can logs be deleted by standard users?
  • Status: Backend only exposes GET /operations/logs. There are no routes for deleting or modifying audit logs via the API. Integrity is maintained at the application layer.

2.5 OCR Prompt Injection (LOW - VERIFIED)

  • Review: Evaluated if malicious labels could hijack the LLM core.
  • Status: Risk is negligible as the LLM output is strictly constrained to a JSON schema used only for pre-filling a form. No code execution or privilege escalation is possible via this vector.
  • Rate Limiting: Currently applied to /extract-label. Consider applying it to all /users/login attempts to prevent brute-forcing local accounts.
  • CORS: Ensure ALLOWED_ORIGINS in docker-compose.yml is restricted to the specific production domain in the final environment.