
Security review (2026-05-18): SEC-16 transitive kysely vuln, fixed inline#167

Merged: pokle merged 1 commit into master from claude/friendly-fermi-HswsF on May 23, 2026

Conversation

@pokle (Owner) commented May 18, 2026

Summary

Whole-repo security review for the 2026-05-18 round, appended to docs/security-review.md.

  • New finding: SEC-16: kysely@0.28.16 carried in transitively by better-auth (GHSA-pv5w-4p9q-p3v2, JSON-path traversal). Our direct kysely is already at 0.28.17, but the transitive copy bypassed it.
  • Fixed inline by adding "kysely": "^0.28.17" to the package.json overrides block. Post-fix the lockfile contains a single kysely@0.28.17 entry and bun audit reports 0 vulnerabilities.
  • Reachability: Low — the vulnerable code path (JSONPathBuilder.key() / .at()) is not used by our code or by better-auth's kysely-adapter (greps clean). The advisory's High CVSS still warrants the fix to keep bun audit clean as our weekly dependency-hygiene signal.
  • Closed prior scope gap Refactor from react to tailwindcss + basecoat #7 — walked every optionalAuth route under competition-api/src/routes/ (comp, task, igc, audit, score, pilot-status, pilot, user-files). Only SEC-15's pilot-list leak was real, and it remains fixed.
  • New surface audited: /api/user/* (8 routes), /api/u/:username/* (3 public-by-link reads), /api/auth/preferences (2 routes). All enforce auth via the SEC-10 service-binding pattern, bounded validation (Zod + regex), and parameterised SQL.

Prior findings status

All Critical/High findings remain Fixed:

  • SEC-01 (CORS), SEC-10 (auth bypass), SEC-11 (gzip-bomb), SEC-12 (xctsk shape), SEC-15 (pilot PII).

Still Open and small-diff (carried forward, none urgent):

  • SEC-02 (_headers file), SEC-03 (admin emails), SEC-05 (innerHTML pattern), SEC-06 (bodyLimit), SEC-08 (rate-limit headers), SEC-13 (sw.js filename sanitisation).

Test plan

  • bun audit — 0 vulnerabilities post-fix
  • bun run typecheck:all — green
  • bun run test:all — 251 competition-api + 21 mcp-api + engine tests passing
  • Single kysely@0.28.17 entry in bun.lock (verified grep "kysely@" bun.lock)
  • Live-deploy verification of SEC-15 fix still pending (scope gap, not regressed)

See the appended 2026-05-18 section in docs/security-review.md for the full round, including the optionalAuth audit table, status of every prior SEC-NN, and the carry-forward scope gaps.

https://claude.ai/code/session_01CSLsnj6nLR3sdeZoXhBTvd


Generated by Claude Code
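The override-plus-lockfile verification that the test plan above does by hand (`grep "kysely@" bun.lock`), written out as an added TypeScript example. This is not the project's code: the package.json objects and the lockfile text are constructed fixtures, only `"name@x.y.z"` tokens are read from the lockfile (which is all the grep looks at too), and the version comparison is a minimal numeric x.y.z compare with no pre-release handling, so it runs without the `semver` package.

```typescript
// Added example, not code from the project: verify that a package.json
// `overrides` entry really collapses every transitive copy of a package
// onto the fixed version, the way the PR checks kysely after adding
// "kysely": "^0.28.17". The package.json objects and lockfile text below
// are constructed fixtures; only `"name@x.y.z"` tokens are read from the
// lockfile, which is all the PR's `grep "kysely@" bun.lock` looks at too.

type PackageJson = {
  dependencies?: Record<string, string>;
  overrides?: Record<string, string>;
};

export type OverrideCheck = { ok: boolean; reasons: string[]; versions: string[] };

// Minimal x.y.z comparison (no pre-release tags) so the example needs no
// `semver` dependency. Returns -1, 0 or 1.
export function cmpVersion(a: string, b: string): number {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every distinct version that `name` resolves to in the lockfile text.
// The leading quote keeps `"foo-kysely@1.0.0"` from matching `kysely`.
export function resolvedVersions(lockText: string, name: string): string[] {
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(`"${escaped}@(\\d+\\.\\d+\\.\\d+)"`, "g");
  const found = new Set<string>();
  let m: RegExpExecArray | null;
  while ((m = re.exec(lockText)) !== null) found.add(m[1]);
  return Array.from(found).sort(cmpVersion);
}

// The three things the PR's test plan establishes by hand:
//  1. package.json carries an override for the package,
//  2. the lockfile resolves it to exactly one version,
//  3. that version is at or above the first fixed release.
export function checkOverride(
  pkg: PackageJson,
  lockText: string,
  name: string,
  fixedVersion: string,
): OverrideCheck {
  const reasons: string[] = [];
  if (!pkg.overrides || !pkg.overrides[name]) {
    reasons.push(`package.json has no overrides entry for ${name}`);
  }
  const versions = resolvedVersions(lockText, name);
  if (versions.length === 0) reasons.push(`${name} not present in lockfile`);
  if (versions.length > 1) {
    reasons.push(`${name} resolves to ${versions.length} versions: ${versions.join(", ")}`);
  }
  for (const v of versions) {
    if (cmpVersion(v, fixedVersion) < 0) {
      reasons.push(`${name}@${v} is below the fixed ${fixedVersion}`);
    }
  }
  return { ok: reasons.length === 0, reasons, versions };
}

// Constructed fixtures mirroring the PR: a direct kysely at 0.28.17 plus a
// transitive 0.28.16 pulled in through better-auth, then the post-override
// state with a single entry. The lockfile layout is illustrative only.
export const lockBefore = `
"kysely": ["kysely@0.28.17", "", {}, "sha512-constructed"],
"better-auth/kysely": ["kysely@0.28.16", "", {}, "sha512-constructed"],
`;
export const lockAfter = `
"kysely": ["kysely@0.28.17", "", {}, "sha512-constructed"],
`;
export const pkgBefore: PackageJson = { dependencies: { kysely: "^0.28.17" } };
export const pkgAfter: PackageJson = {
  dependencies: { kysely: "^0.28.17" },
  overrides: { kysely: "^0.28.17" },
};

export const before = checkOverride(pkgBefore, lockBefore, "kysely", "0.28.17");
export const after = checkOverride(pkgAfter, lockAfter, "kysely", "0.28.17");
// before.ok === false with three reasons; after.ok === true
```

The check compares the versions actually resolved in the lockfile rather than the override range, because the range in package.json is only an input; what ships is what the lockfile says. One caveat worth keeping in mind: an `overrides` entry forces the version on every consumer in the tree, including one that pinned an exact older version, so a single lockfile entry is necessary but not sufficient evidence that the fix is safe. The typecheck and test runs listed in the test plan are what show the forced 0.28.17 still satisfies better-auth's adapter.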

Commit message: Security review (2026-05-18): SEC-16 transitive kysely vuln, fixed inline

Whole-repo review for the 2026-05-18 round. Added SEC-16 for the kysely
JSON-path traversal CVE (GHSA-pv5w-4p9q-p3v2) carried in transitively by
better-auth via kysely@0.28.16; closed inline with a `kysely: ^0.28.17`
override so every transitive resolution snaps to the fixed version. The
vulnerable code path (JSONPathBuilder.key()/.at()) is not reachable from
our application code or from better-auth's kysely-adapter, so practical
risk is Low — but keeping `bun audit` clean is the dependency-hygiene
signal we rely on between rounds.

Also closed the prior round's last systematic scope gap by walking every
optionalAuth route under competition-api for PII columns — only SEC-15's
pilot-list leak was real and is still fixed. The new user-files and
preferences endpoints (PR #163, #165) audit clean: requireAuth on every
mutation, bounded validators (Zod + regex), parameterised SQL, and the
existing IGC size caps (validateAndDecompressIgc) carried over.

bun audit: 0 vulnerabilities post-fix. All tests pass.
@github-actions

Preview Deployment
https://6394627e.glidecomp.pages.dev
Commit: f3c890d

@pokle pokle marked this pull request as ready for review May 23, 2026 08:24
@pokle pokle merged commit 067c7ed into master May 23, 2026
8 checks passed
@pokle pokle deleted the claude/friendly-fermi-HswsF branch May 23, 2026 08:25

2 participants