Tar Slip (CWE-22) — 3 import services:
threat_actor, lolbas, caldera: add path validation before extractall()
to prevent malicious zip members with ../ escaping the target directory.
(sigma, elastic, atomic already had this protection)

Path Traversal (CWE-23) — professional_reports.py:
Add _assert_safe_report_path() check on all 5 report endpoints to
verify the generated filepath stays within REPORT_OUTPUT_DIR.

Open Redirect (CWE-601) — sso.py:
Validate IdP redirect URL scheme (must be http/https) before
issuing RedirectResponse, blocking javascript: and data: redirects.

DOM XSS (CWE-79) — 4 frontend pages:
Create src/utils/url.ts with safeUrl() that rejects non-http/https
protocols; apply to actor.mitre_url, ref.url, intel.url.
Sanitize framework name to alphanumeric-only before DOM insertion.
Restrict evidence MIME types to an explicit safe allowlist (png/jpg/gif/webp).

Hardcoded credentials (CWE-798):
verify_gaps.py, create_wiki.py: replace literal passwords with
environment variable reads (AEGIS_ADMIN_PASSWORD, GITEA_PASSWORD).
- fix(auth): enforce API key scopes in require_role/require_any_role;
attach _api_key_scopes to user on API key auth; add require_scope()
dependency — scopes were stored but never enforced (CWE-285)
- fix(sso): read SECURE_COOKIES env var for SSO cookie instead of
hardcoded secure=False — SAML sessions now respect HTTPS config (CWE-614)
- fix(webhooks): SSRF prevention — validate webhook URLs against private
and reserved CIDRs at creation/update time (CWE-918)
- fix(knowledge): restrict playbook/lesson create, update and restore
to admin/red_lead/blue_lead roles — was open to any authenticated user (CWE-284)
- fix(alerts): restrict alert acknowledge/resolve/dismiss to admin/lead
roles — any user could silence security alerts (CWE-284)
- security: delete get_admin_creds.py, check_auth.py, deploy.py scripts
containing hardcoded root SSH credentials and production DB access;
add scripts/.gitignore to prevent reintroduction (CWE-798)
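
An added example, not code from this commit or the project: one way to do the path validation before extractall() that the Tar Slip item describes, assuming the import services use Python's tarfile module. The names safe_extract, build_tar and UnsafeArchiveError are hypothetical, and the sample archive is constructed in memory.

```python
import io
import os
import tarfile


class UnsafeArchiveError(Exception):
    """Raised when an archive member would land outside the target directory."""


def safe_extract(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Validate every member first, then extract; nothing is written on failure."""
    root = os.path.realpath(dest)
    members = tar.getmembers()
    for m in members:
        # Links and device nodes can redirect a later write outside dest: refuse them.
        if m.issym() or m.islnk() or m.isdev():
            raise UnsafeArchiveError(f"link or device member: {m.name!r}")
        # An absolute member name replaces root in join(), so it is caught below too.
        target = os.path.realpath(os.path.join(root, m.name))
        # commonpath avoids the prefix bug where /data/out-evil "starts with" /data/out.
        if os.path.commonpath([root, target]) != root:
            raise UnsafeArchiveError(f"member escapes target: {m.name!r}")
    # Where the interpreter ships extraction filters, use "data" as a second layer.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(root, members=members, **extra)
    return [m.name for m in members]


def build_tar(names: list[str]) -> tarfile.TarFile:
    """Constructed sample archive held in memory (not taken from the project)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```

Checking all members before calling extractall() means an archive with one bad entry leaves the target directory untouched, rather than half-populated.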