Here are some things that happened since last week’s update.
Rate limiting
A friendly security researcher pointed out a few issues that I have since fixed, described in the following three sections.
Some API endpoints didn’t have any rate limiting on sensitive requests. This made them a potential target for abuse.
The fix was to use Django Ratelimit to add sensible default limits, especially on API endpoints that send emails, as you can see in this pull request.
The Projectify backend now restricts, among other things, how often a user can request a password reset.
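To make the shape of such a limit concrete, here is a self-contained Python sketch of a password-reset endpoint limited both per client IP and per target address. This is example code added for this post; it is neither the Projectify backend's code nor Django Ratelimit itself. The rate notation copies django-ratelimit's "<count>/<period>" form, while the function names, cache keys and the specific rates are assumptions.

```python
import time
from collections import defaultdict, deque

# Rates use the same "<count>/<period>" notation as django-ratelimit,
# e.g. "5/h" (5 per hour) or "3/10m" (3 per 10 minutes).
_PERIOD_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_rate(rate):
    """'3/10m' -> (3, 600): allowed hits and window length in seconds."""
    count, period = rate.split("/")
    multiplier, unit = period[:-1] or "1", period[-1]
    return int(count), int(multiplier) * _PERIOD_SECONDS[unit]


class SlidingWindowLimiter:
    """Sliding-window limiter that remembers the timestamp of each hit per key.

    State lives in process memory here so the example runs stand-alone; a
    real deployment keeps it in a shared cache (Redis, memcached) so that
    every application server enforces the same counts.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._hits = defaultdict(deque)

    def allow(self, key, rate):
        """Record a hit for `key` and return True, or return False when the
        key has already used up its budget inside the current window."""
        limit, window = parse_rate(rate)
        now = self._clock()
        hits = self._hits[key]
        while hits and hits[0] <= now - window:  # drop hits outside the window
            hits.popleft()
        if len(hits) >= limit:
            return False
        hits.append(now)
        return True


class FakeClock:
    """Injectable clock so the limiter can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


# Hypothetical rates chosen for this example; tune them to your own traffic.
RESETS_PER_IP = "10/h"
RESETS_PER_ADDRESS = "3/h"


def request_password_reset(limiter, client_ip, email):
    """Simulated password-reset endpoint. Returns (http_status, email_sent).

    Two keys are checked. The per-IP key stops one client from spraying
    reset mails at many addresses; the per-address key stops one inbox from
    being flooded even when requests arrive from many different IPs. When
    the per-address budget is exhausted the endpoint still answers 200 and
    silently skips sending, so the response does not reveal whether an
    account exists for that address.
    """
    if not limiter.allow(f"pwreset:ip:{client_ip}", RESETS_PER_IP):
        return 429, False
    address_key = f"pwreset:email:{email.strip().lower()}"
    if not limiter.allow(address_key, RESETS_PER_ADDRESS):
        return 200, False
    # send_password_reset_email(email) would be called here.
    return 200, True
```

In django-ratelimit terms the per-IP rule corresponds to a decorator with key="ip" and the per-address rule to key="post:email"; the point of keying on both is that a single cap per IP does nothing against an attacker who rotates addresses to flood one victim's inbox.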
Prevent Clickjacking
Projectify didn't set a frame-ancestors Content Security Policy directive, so any site could embed it in a frame, which opens the door to clickjacking.
SvelteKit lets you configure a CSP in the svelte.config.js configuration file, but it can't deliver every directive that way. For prerendered pages the policy is emitted as a <meta http-equiv> tag, and browsers ignore frame-ancestors (as well as report-uri and sandbox) when a policy arrives in a meta tag rather than a response header, as the SvelteKit documentation notes:
When pages are prerendered, the CSP header is added via a tag (note that in this case, frame-ancestors, report-uri and sandbox directives will be ignored).
The solution was to have Netlify return the CSP as a real response header instead, configured in the netlify.toml configuration file, as you can see in this pull request. Because the rule matches "/*", the header is sent for prerendered and server-rendered pages alike. The relevant part of the configuration file is:
# ...
[[headers]]
for = "/*"
[headers.values]
Content-Security-Policy = "frame-ancestors 'none'"
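Since a frame-ancestors directive in a meta tag looks configured but is not enforced, it is worth checking what a browser will actually apply. The following Python is an added example written for this post, not Projectify or SvelteKit code: it reads the frame-ancestors source list from real response headers, ignores a Report-Only header, and detects the case where the directive appears only in a <meta http-equiv> policy. The sample headers and HTML are constructed; the function names are assumptions.

```python
import re


def parse_csp(policy):
    """Split a CSP string into {directive-name: [source expressions]}.
    When a directive is repeated, browsers keep the first one, so do we."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


_META_TAG = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)


def _attr(tag, name):
    """Value of attribute `name` in an HTML start tag, or None."""
    m = re.search(name + r"""\s*=\s*(?:"([^"]*)"|'([^']*)')""", tag, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def enforced_frame_ancestors(headers):
    """Source list of the frame-ancestors directive a browser will enforce,
    or None when the response carries no such directive.

    `headers` is a list of (name, value) pairs, e.g. resp.getheaders() from
    http.client. Only Content-Security-Policy headers count: a
    Content-Security-Policy-Report-Only header blocks nothing, and a policy
    delivered through a <meta http-equiv> tag has its frame-ancestors
    ignored by browsers.
    """
    for name, value in headers:
        if name.lower() == "content-security-policy":
            sources = parse_csp(value).get("frame-ancestors")
            if sources is not None:
                return sources
    return None


def meta_only_frame_ancestors(headers, html):
    """True when frame-ancestors shows up only in a <meta> policy inside the
    HTML (the prerendered SvelteKit case): it looks configured, but is not
    enforced, so the page can still be framed."""
    if enforced_frame_ancestors(headers) is not None:
        return False
    for tag in _META_TAG.findall(html):
        equiv = (_attr(tag, "http-equiv") or "").lower()
        if equiv == "content-security-policy":
            if "frame-ancestors" in parse_csp(_attr(tag, "content") or ""):
                return True
    return False


# Constructed sample responses for the cases discussed above.
NETLIFY_HEADERS = [
    ("content-type", "text/html; charset=utf-8"),
    ("content-security-policy", "frame-ancestors 'none'"),
]
HEADERS_WITHOUT_CSP = [("content-type", "text/html; charset=utf-8")]
PRERENDERED_HTML = (
    "<!doctype html><html><head>"
    '<meta http-equiv="content-security-policy" '
    "content=\"default-src 'self'; frame-ancestors 'none'\">"
    "</head><body></body></html>"
)
```

To run it against a live deployment, fetch the page with urllib.request.urlopen, pass resp.getheaders() as the header list and resp.read().decode() as the HTML; a result of None from enforced_frame_ancestors together with True from meta_only_frame_ancestors is exactly the gap described above.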
Possible content injection via user preferred names
Projectify tries to respect users' preferred names and places few restrictions on what users can enter there. Preferred names are only visible inside a trusted workspace environment and not to the general public.
A preferred name can show up in some emails, such as when someone invites a user to become a workspace team member. We only send plain-text emails, so there is no risk of HTML or script injection through the email templates themselves. Still, we can't control what an email client does with plain text when it renders it.
If a preferred name contains a domain name or looks like a web address, some email clients turn it into a clickable link, which could steer the recipient to an external site from inside a legitimately sent invitation. We want to prevent users from linking to external resources in this way where it could be misleading, especially in emails.
Out of caution, this pull request adds a filter for web address-like words in preferred names.
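One way to implement such a filter is shown below. This is example Python written for this post and not the code from the pull request; it flags a URL scheme, a "www." prefix, or a bare hostname-like word, after normalizing full-width characters and the dot look-alikes that IDNA treats as label separators. The function names are assumptions and the sample inputs are constructed.

```python
import re
import unicodedata

# UTS #46 (IDNA) maps these full stops to "." before a hostname is resolved,
# so treat them as dots here as well.
_DOT_LOOKALIKES = str.maketrans({"\u3002": ".", "\uff0e": ".", "\uff61": "."})

# Words an email client's autolinker is likely to turn into a link:
#  - a URL scheme followed by "://"
#  - a "www." prefix
#  - a bare hostname: a label of 2+ characters, a dot and an alphabetic
#    top-level label of 2+ characters ("example.com", "evil.co/reset")
_WEB_ADDRESS = re.compile(
    r"(?:[a-z][a-z0-9+.-]*://|www\.|[a-z0-9-]{2,}\.[a-z]{2,})",
    re.IGNORECASE,
)


def contains_web_address(name):
    """True when `name` holds a word an email client might render as a link."""
    normalized = unicodedata.normalize("NFKC", name).translate(_DOT_LOOKALIKES)
    return _WEB_ADDRESS.search(normalized) is not None


def validate_preferred_name(name):
    """Hypothetical validator in the style of a Django field validator:
    raises ValueError (a ValidationError in a real Django form) for a name
    that contains a web address and returns the stripped name otherwise."""
    name = name.strip()
    if contains_web_address(name):
        raise ValueError("Preferred names may not contain web addresses")
    return name
```

The hostname rule errs on the side of rejecting: "Mr.Smith" is refused along with "example.com", which is the trade-off a cautious filter makes. Checking the final label against the public suffix list would cut those false positives at the cost of carrying that list around.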
Other changes
I have also taken the time to fix a few smaller issues, such as the page header not rendering correctly after logging in under some circumstances.
Some outdated third-party dependencies are now up to date. Some auxiliary tooling used for the frontend is now located in folders separate from the Projectify frontend. This cuts down on Dependabot false-positive dependency warnings. This especially applies to Storybook, which pulls in an extraordinary number of third-party dependencies that aren't used in the Projectify production frontend.