opencrm/backend/src/routes
duffyduck 12b9abe979 Security hardening round 7: SSRF protection + logout endpoint
🛡 SSRF protection in test-connection / test-mail-access
- An admin user could trigger connections to cloud metadata endpoints
  (169.254.169.254, metadata.google.internal etc.) via apiUrl or the
  SMTP/IMAP server fields. An internal port scan via timing
  differences was measurable.
- Fix: the new utils/ssrfGuard.ts blocks, in a pre-flight check, 169.254.0.0/16,
  0.0.0.0/8, multicast/reserved ranges, the AWS IPv6 metadata address,
  IPv6 link-local and cloud metadata hostnames.
  Loopback (127.0.0.0/8) remains allowed: legitimate Plesk/Postfix
  setups should keep working.

🔒 Logout endpoint POST /api/auth/logout
- Sets tokenInvalidatedAt / portalTokenInvalidatedAt to now.
  The auth middleware already checks this field and rejects tokens
  whose iat is earlier. Without this endpoint a "logged-out"
  JWT remained valid until expiry (7d).

Live-verified:
- 169.254.169.254 / metadata.google.internal / 0.0.0.0 → 400
- 127.0.0.1 (Plesk case) still allowed
- /me before logout 200, after logout 401 "Sitzung ungültig"

Checked + clean (round 7, no bug):
- Public consent (122-bit random UUID, not brute-forceable)
- Magic-bytes bypass on upload
- PDF manualValues injection (no HTML render surface)
- Query filter override (?customerId=X): ignored by the portal filter
- Audit logs / email config / backup endpoints as portal: 403

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 07:47:26 +02:00
address.routes.ts first commit 2026-01-29 01:16:54 +01:00
appSetting.routes.ts added backup and email client 2026-02-01 00:02:35 +01:00
auditLog.routes.ts complete new audit system 2026-03-21 18:23:54 +01:00
auth.routes.ts Security hardening round 7: SSRF protection + logout endpoint 2026-05-01 07:47:26 +02:00
bankcard.routes.ts first commit 2026-01-29 01:16:54 +01:00
birthday.routes.ts Birthday management modal with reset + send + auto-flag 2026-04-23 12:46:03 +02:00
cachedEmail.routes.ts Email attachments as contract documents + invoices for all contract types 2026-04-23 13:06:10 +02:00
cancellation-period.routes.ts first commit 2026-01-29 01:16:54 +01:00
consent-public.routes.ts gdpr audit implemented, email log, powers of attorney (Vollmachten), pdf delete, cancel data privacy and powers of attorney, removed message no id card in energy car, and other contracts that are not telecom contracts, added insert counter for energy 2026-03-21 11:59:53 +01:00
contract-duration.routes.ts first commit 2026-01-29 01:16:54 +01:00
contract.routes.ts added place to telecommunication, added contract documents, added invoice to other contracts 2026-03-25 16:55:48 +01:00
contractCategory.routes.ts added backup and email client 2026-02-01 00:02:35 +01:00
contractHistory.routes.ts added contract history 2026-02-08 19:24:37 +01:00
contractTask.routes.ts first commit 2026-01-29 01:16:54 +01:00
customer.routes.ts first commit 2026-01-29 01:16:54 +01:00
developer.routes.ts complete new audit system 2026-03-21 18:23:54 +01:00
document.routes.ts first commit 2026-01-29 01:16:54 +01:00
emailLog.routes.ts gdpr audit implemented, email log, powers of attorney (Vollmachten), pdf delete, cancel data privacy and powers of attorney, removed message no id card in energy car, and other contracts that are not telecom contracts, added insert counter for energy 2026-03-21 11:59:53 +01:00
emailProvider.routes.ts Multi-tenancy: domain + customer email label dynamic per provider 2026-04-23 15:43:19 +02:00
factoryDefaults.routes.ts Factory defaults: export + import of master-data catalogs 2026-04-23 14:10:12 +02:00
gdpr.routes.ts legal notice (Impressum) and privacy policy added 2026-03-25 15:25:34 +01:00
invoice.routes.ts added invoices and status in cockpit, created info button for contract status types 2026-02-08 01:18:12 +01:00
meter.routes.ts gdpr audit implemented, email log, powers of attorney (Vollmachten), pdf delete, cancel data privacy and powers of attorney, removed message no id card in energy car, and other contracts that are not telecom contracts, added insert counter for energy 2026-03-21 11:59:53 +01:00
pdfTemplate.routes.ts PDF order template system, object type/location fields, owner fallback for bank details 2026-04-05 19:16:47 +02:00
platform.routes.ts first commit 2026-01-29 01:16:54 +01:00
provider.routes.ts Security hardening round 3: JWT, trust-proxy, further IDORs, attachment hardening 2026-04-24 09:38:25 +02:00
stressfreiEmail.routes.ts added backup and email client 2026-02-01 00:02:35 +01:00
tariff.routes.ts Security hardening round 3: JWT, trust-proxy, further IDORs, attachment hardening 2026-04-24 09:38:25 +02:00
upload.routes.ts Security hardening round 5: Hack-Das-Ding (GDPR worst case + timing + XSS) 2026-04-25 00:21:37 +02:00
user.routes.ts first commit 2026-01-29 01:16:54 +01:00