kitos
dcd4bebc92
Aegis CI / lint-and-test (push) Has been cancelled
Snyk Security Scan / Python vulnerabilities (backend) (push) Has been cancelled
Snyk Security Scan / npm vulnerabilities (frontend) (push) Has been cancelled
Snyk Security Scan / Docker image vulnerabilities (backend) (push) Has been cancelled
Tar Slip (CWE-22) — 3 import services: threat_actor, lolbas, caldera: add path validation before extractall() to prevent malicious zip members with ../ escaping the target directory. (sigma, elastic, atomic already had this protection) Path Traversal (CWE-23) — professional_reports.py: Add _assert_safe_report_path() check on all 5 report endpoints to verify the generated filepath stays within REPORT_OUTPUT_DIR. Open Redirect (CWE-601) — sso.py: Validate IdP redirect URL scheme (must be http/https) before issuing RedirectResponse, blocking javascript: and data: redirects. DOM XSS (CWE-79) — 4 frontend pages: Create src/utils/url.ts with safeUrl() that rejects non-http/https protocols; apply to actor.mitre_url, ref.url, intel.url. Sanitize framework name to alphanumeric-only before DOM insertion. Restrict evidence MIME types to an explicit safe allowlist (png/jpg/gif/webp). Hardcoded credentials (CWE-798): verify_gaps.py, create_wiki.py: replace literal passwords with environment variable reads (AEGIS_ADMIN_PASSWORD, GITEA_PASSWORD).