Skip to content

Security Review — 2026-06-03 — security-warning#93

Open
jdrumgoole wants to merge 1 commit into
mainfrom
security-review/2026-06-03
Open

Security Review — 2026-06-03 — security-warning#93
jdrumgoole wants to merge 1 commit into
mainfrom
security-review/2026-06-03

Conversation

@jdrumgoole

Copy link
Copy Markdown
Owner

Summary

Daily security audit of the WineBox project. 2 WARNING findings identified through deeper audit coverage, plus 21 INFO-level items (16 carried forward, 5 new).

WARNING findings

  • Unbounded skip parameter on 7 endpoints — allows authenticated users to force MongoDB to scan arbitrarily many documents. The X-Wines endpoint already caps skip at 10,000; other endpoints should match. Fix: add le=10000 to all skip query parameters.
  • Missing rate limits on regstack account management routeschange_email, confirm_email_change, and delete_account routes default to unlimited. The change_email endpoint triggers verification emails and could be used for email spam at 60 req/min. Fix: add rate limits to _RATE_LIMITS dict in regstack_setup.py.

New INFO findings (5)

  • Weaker escapeHtml() in price-tracker.js and admin.js (doesn't escape quotes for attribute context)
  • Landing page served directly by nginx lacks CSP header
  • Nginx HSTS header missing includeSubDomains; preload on server-level directives
  • OCSP stapling not enabled in nginx SSL config
  • Missing timeouts on HTTP requests in scripts/setup_digitalocean_fastmail_dns.py

Carried forward (16 INFO)

No change from 2026-06-01 review. Full details in the report.

https://claude.ai/code/session_01SUvxKnH2ddPnC7PmYKyrdo


Generated by Claude Code

2 WARNING findings (unbounded skip parameters, missing regstack rate limits),
21 INFO findings (16 carried forward, 5 new).

https://claude.ai/code/session_01SUvxKnH2ddPnC7PmYKyrdo
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants