Status: Open
Labels: agentic (AI/agent-related features), complexity:large (more than 1 day), lang:php (PHP/Laravel)
Description
Overview
Harden security across the framework: fix critical vulnerabilities, improve authentication, and prevent information leakage.
Phase 1 — Critical
- #77 security(trees): fix race condition in PlantTreeWithTFTF job
- #78 security(auth): replace LthnHash with bcrypt for password hashing
Phase 2 — High
- #79 security(helpers): fix SSRF in File.php via unvalidated Http::get
- #82 security(tests): remove hardcoded API token from test file
- #84 security(api): prevent upstream body leakage in BuildsResponse
- #85 security(auth): add session configuration file
Previously Created (existing)
- #17 Security: SafeWebhookUrl DNS rebinding vulnerability
- #18 Security: ManagesTokens trait stores tokens in memory without protection
- #21 Security: HadesEncrypt embeds hardcoded public key
- #25 Configuration: ConfigValue encryption may cause issues during APP_KEY rotation
Exit Criteria
All child issues closed. No critical or high security findings remain open.