github dannymcc/may v0.4.0
v0.4.0 - Security Hardening

one month ago

Security Hardening Release

This release addresses multiple security vulnerabilities identified during a security audit.

Critical Fixes

  • CSRF Protection: All forms now protected with CSRF tokens (auto-injected via JavaScript)
  • Open Redirect: Login redirect now validates URLs to prevent phishing
  • Debug Mode: Disabled by default, requires FLASK_DEBUG=true to enable
  • Secret Key: No longer has insecure default; generates random key with warning if not set

High Priority Fixes

  • Default Admin Password: Now randomly generated on first run (displayed in console)
  • SSRF Prevention: Webhook URLs validated to block internal/private addresses
  • Admin Authorization: Consistent @admin_required decorator on all admin routes
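As an added illustration of the open-redirect check (Critical Fixes) and the webhook SSRF check (above), here is a pair of validators of the kind these notes describe. This is example code, not the project's own app/security.py; the function names, the `our_host` parameter and the injectable `resolve` hook are assumptions.

```python
"""Redirect and webhook-URL validators of the kind listed above.
Added example, not the project's app/security.py; names are assumptions."""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect_url(target: str, our_host: str) -> bool:
    """Open-redirect check: allow relative paths or absolute URLs on our host."""
    if not target or target.startswith("//") or "\\" in target:
        return False  # empty, protocol-relative ("//evil") or backslash tricks
    try:
        resolved = urlparse(urljoin(f"https://{our_host}/", target))
    except ValueError:
        return False  # malformed URL (e.g. unbalanced IPv6 brackets)
    return resolved.scheme in ALLOWED_SCHEMES and resolved.netloc == our_host


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_public(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.5 by its IPv4 part
    return ip.is_global  # False for loopback, private, link-local, reserved


def _dns_resolve(host: str) -> list:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_webhook_url(url: str, resolve=_dns_resolve) -> bool:
    """SSRF check: every address the webhook host resolves to must be public.
    `resolve` maps a hostname to its IP strings (assumed hook; tests inject a fake)."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False
    host = parsed.hostname
    if parsed.scheme not in ALLOWED_SCHEMES or not host:
        return False
    if parsed.username or parsed.password:
        return False  # no embedded credentials in stored webhook URLs
    try:
        addrs = [host] if _is_ip_literal(host) else resolve(host)
    except (socket.gaierror, UnicodeError):
        return False
    return bool(addrs) and all(_is_public(a) for a in addrs)
```

A check at save time does not cover DNS rebinding: the same check (or pinning to the address that passed) should also run when the webhook is actually delivered.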

Medium Priority Fixes

  • Password Strength: Registration and password changes require 8+ characters with uppercase, lowercase, and digit
  • File Upload Validation: Checks magic bytes, not just extension
  • Numeric Validation: Fuel log inputs validated for reasonable ranges
  • Security Headers: Added X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy

New Security Module

  • Added app/security.py with reusable security utilities

Deployment Notes

  • Set SECRET_KEY environment variable for production
  • Set ADMIN_PASSWORD environment variable or note the randomly generated password on first run
  • Existing users should review webhook URLs for any internal addresses

Full Changelog: v0.3.5...v0.4.0
