Security Audit Findings
This issue documents critical security vulnerabilities identified in the codebase that require immediate attention.
Critical Vulnerabilities
1. Exposed API Key in Frontend Code
Location: views/index.ejs (lines 191-192)

```javascript
// Inline script in the template: the key is shipped to every visitor
var apiKey = "992ef3d60d434f2283ea8c6d70a4898d";
var url = `https://api.geoapify.com/v1/geocode/autocomplete?text=${encodeURIComponent(currentValue)}&limit=5&apiKey=${apiKey}`;
```

Risk: The GeoApify API key is hardcoded in client-side JavaScript, so anyone who views the page source (or watches the browser's network requests) can copy it and call the API on this account's behalf. That allows quota exhaustion and unexpected billing, and because the key is committed to the repository it is also recoverable from the git history.
Recommendation: Revoke the current key and issue a new one first; moving the call server-side does nothing while the old key stays valid. Then add a backend endpoint that validates the `text` parameter, appends the key from an environment variable and proxies the request to GeoApify, so the key never leaves the server. Rate-limit that endpoint (the project already has `homeLimiter`) so the proxy itself cannot be used to drain the quota.
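The proxy endpoint described above, as an added example that is not part of the project's code. It assumes the key is read from `process.env.GEOAPIFY_API_KEY`, that the handler is mounted with Express (`req.query`, `res.status().json()`), and that a `fetch` implementation is injected so the upstream call can be stubbed offline; the route name `/api/autocomplete` is hypothetical.

```javascript
// Added example (not the project's code): server-side proxy for the GeoApify
// autocomplete call. Assumptions: the key lives in process.env.GEOAPIFY_API_KEY,
// the handler is mounted with Express (req.query / res.status().json()), and a
// fetch implementation is injected so the upstream call can be stubbed offline.

const GEOAPIFY_ENDPOINT = "https://api.geoapify.com/v1/geocode/autocomplete";

// Accept only a short, printable search string; null means "reject with 400".
function validateText(text) {
  if (typeof text !== "string") return null;
  const trimmed = text.trim();
  if (trimmed.length === 0 || trimmed.length > 200) return null;
  if (/[\u0000-\u001f\u007f]/.test(trimmed)) return null;
  return trimmed;
}

// The key is attached here, on the server; URLSearchParams does the encoding the
// template did by hand with encodeURIComponent.
function buildUpstreamUrl(text, limit, apiKey) {
  const url = new URL(GEOAPIFY_ENDPOINT);
  url.searchParams.set("text", text);
  url.searchParams.set("limit", String(limit));
  url.searchParams.set("apiKey", apiKey);
  return url.toString();
}

// Factory so the key and fetch implementation are injected once at startup.
function makeAutocompleteHandler({ apiKey, fetchImpl, limit = 5 }) {
  if (!apiKey) throw new Error("GEOAPIFY_API_KEY is not configured");
  return async function autocomplete(req, res) {
    const text = validateText(req.query && req.query.text);
    if (text === null) {
      return res.status(400).json({ error: "invalid text parameter" });
    }
    let upstream;
    try {
      upstream = await fetchImpl(buildUpstreamUrl(text, limit, apiKey));
    } catch (err) {
      // Detail stays in the server log; the client gets a generic error.
      console.error("GeoApify request failed:", err.message);
      return res.status(502).json({ error: "upstream error" });
    }
    if (!upstream.ok) return res.status(502).json({ error: "upstream error" });
    const body = await upstream.json();
    // Forward just the suggestions; never echo the upstream URL, headers or key.
    return res.json({ features: Array.isArray(body.features) ? body.features : [] });
  };
}

// Wiring (hypothetical route name; homeLimiter is the project's existing rate limiter):
// router.get("/api/autocomplete", homeLimiter, makeAutocompleteHandler({
//   apiKey: process.env.GEOAPIFY_API_KEY, fetchImpl: fetch }));
// The template then requests `/api/autocomplete?text=${encodeURIComponent(currentValue)}` with no key.
```

The client-side script keeps its `encodeURIComponent(currentValue)` call but targets the local route; the response contains only the `features` array, so neither the key nor any upstream diagnostics reach the browser.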
2. Exposed User Data in API Endpoint
Location: routes/apiRoutes.js (lines 574-589)

```javascript
router.get("/users", homeLimiter, getToken, authenticateToken, async (req, res) => {
  let users;
  try {
    users = await User.find({}); // no projection: every field of every user document
  } catch (err) {
    console.error("Error getting users: " + err);
    res.status(500).send("Error getting users");
    return;
  }
  res.json(users); // full documents serialised to the caller
});
```

Risk: The endpoint returns every field of every User document to any authenticated user. Whatever the schema stores (password hashes, e-mail addresses, roles, reset tokens) is serialised into the response, and the only gate is a valid token, not a role. One ordinary account is enough to enumerate the whole user base.
Recommendation: Query with a projection that names only the fields the caller needs (or strip sensitive fields before sending) and add a role check so that only administrators can list users. Prefer an allow-list of safe fields over a deny-list of sensitive ones, so that fields added to the schema later are not exposed by default.
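One way to implement the filtering and role check for the `/users` route, as an added example rather than the project's code. The field names (`username`, `displayName`, `passwordHash`, `email`), the `req.user = { id, role }` shape assumed to be set by `authenticateToken`, and the injected `findUsers` function are assumptions.

```javascript
// Added example (not the project's code): allow-list projection for user records
// plus a role check for the /users route. Field names and the req.user shape
// (assumed to be set by the project's authenticateToken) are assumptions.

const PUBLIC_USER_FIELDS = ["_id", "username", "displayName", "createdAt"];

// Keep only allow-listed fields. An allow-list survives schema changes: a
// sensitive field added later is not exposed by default, unlike a deny-list.
function toPublicUser(doc) {
  const out = {};
  for (const field of PUBLIC_USER_FIELDS) {
    if (doc[field] !== undefined) out[field] = doc[field];
  }
  return out;
}

// Mongoose-style projection string for the same allow-list, so sensitive fields
// never leave the database: User.find({}, publicUserProjection()).
function publicUserProjection() {
  return PUBLIC_USER_FIELDS.join(" ");
}

// Express-style middleware: allow only the listed roles.
function requireRole(...allowed) {
  return function (req, res, next) {
    const role = req.user && req.user.role;
    if (!role || !allowed.includes(role)) {
      return res.status(403).json({ error: "forbidden" });
    }
    return next();
  };
}

// Handler with the data access injected (e.g. () => User.find({}, publicUserProjection()).lean()).
// Filtering in code as well as in the projection means a caller still gets safe output
// if someone later widens the query.
function makeListUsersHandler(findUsers) {
  return async function listUsers(req, res) {
    let users;
    try {
      users = await findUsers();
    } catch (err) {
      console.error("Error getting users:", err);
      return res.status(500).json({ error: "Error getting users" });
    }
    return res.json(users.map(toPublicUser));
  };
}

// Wiring (hypothetical):
// router.get("/users", homeLimiter, getToken, authenticateToken, requireRole("admin"),
//   makeListUsersHandler(() => User.find({}, publicUserProjection()).lean()));
```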
3. XSS Vulnerabilities in Templates
Location: Various EJS templates including index.ejs
Risk: User-controlled data read from the database is inserted into the HTML output without escaping, so a stored value such as a display name or comment that contains a script tag or an event-handler attribute executes in every visitor's browser (stored cross-site scripting). Data that ends up inside an inline `<script>` block, as the autocomplete code on index.ejs does, needs JavaScript-literal encoding; HTML escaping alone is not sufficient there.
Recommendation: Output dynamic values with the escaping tag `<%= value %>` rather than the raw tag `<%- value %>`, and reserve `<%- %>` for HTML that has already been sanitised server-side. For values embedded in scripts, JSON-encode them and escape `<` so that a `</script>` inside the data cannot close the block. A Content-Security-Policy that disallows inline scripts without a nonce adds a second layer.
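The two encoders those fixes rely on, with a constructed payload, as an added example that is not from the project's templates. `escapeHtml` mirrors what EJS's `<%= %>` tag does to the same five characters; `renderMini` is a deliberately tiny stand-in for EJS's two output tags so the difference can be run without the library; `toScriptLiteral` is for the `<script>` context. The template strings and payload are constructed.

```javascript
// Added example (not the project's templates): HTML escaping equivalent to EJS's
// <%= %> tag, a JS-literal encoder for data placed inside <script>, and a minimal
// stand-in for the two EJS output tags. Payload and templates are constructed.

// HTML body/attribute context: the same five characters EJS's default escaper handles.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&#34;", "'": "&#39;" };
  return String(value == null ? "" : value).replace(/[&<>"']/g, (c) => map[c]);
}

// <script> context: JSON-encode, then neutralise the characters that could close the
// script block or break a JS string. Use as:  var x = <%- toScriptLiteral(x) %>;
function toScriptLiteral(value) {
  return JSON.stringify(value === undefined ? null : value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Minimal stand-in for EJS output tags: <%= key %> escapes, <%- key %> inserts raw.
// `key` is a dotted path into `data`. Not a full template engine, only a demonstration aid.
function renderMini(template, data) {
  return template.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_, kind, key) => {
    const value = key.split(".").reduce((o, k) => (o == null ? undefined : o[k]), data);
    return kind === "=" ? escapeHtml(value) : String(value);
  });
}

// Constructed attacker-controlled value, as it might sit in a stored user record.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';
const PROFILE_RAW = "<h2><%- user.displayName %></h2>";      // vulnerable form
const PROFILE_ESCAPED = "<h2><%= user.displayName %></h2>";  // fixed form
```

Run against `{ user: { displayName: PAYLOAD } }`, the raw template emits the `<img>` element unchanged and the escaped one emits `&lt;img ...&gt;`, which the browser renders as text. `toScriptLiteral("</script><script>alert(1)</script>")` yields a JSON string containing `\u003c/script\u003e`, which parses back to the original value but cannot terminate the surrounding script element.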
Additional Security Issues
NoSQL Injection Vulnerabilities
- Request parameters are passed straight into MongoDB query filters without type checking, so a JSON body such as {"username": {"$ne": ""}} reaches the database as an operator object rather than a string and matches records the caller should not see
- Fix: Validate the type and length of every value used in a filter (a string where a string is expected), reject keys that start with `$` or contain `.`, and build filters only from validated values; express-mongo-sanitize can apply the key filtering globally
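How the operator injection works and what the type check changes, as an added example that is not the project's code. The `username` field, the request shape and the tiny in-memory matcher are assumptions made so the bypass can be observed without a database.

```javascript
// Added example (not the project's code): an unchecked request body becoming an
// operator injection in a MongoDB filter, and a guard that blocks it. The field
// name, request shape and the tiny matcher are assumptions so the effect can be
// seen without a database.

// Vulnerable pattern: req.body.username is used as-is. With a JSON body of
// {"username": {"$ne": ""}} the filter holds an operator object, not a string.
function buildFilterUnsafe(body) {
  return { username: body.username };
}

// Recursively detect Mongo operator keys ("$ne", "$where", ...) or dotted paths.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value && typeof value === "object") {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith("$") || k.includes(".") || containsOperator(v)
    );
  }
  return false;
}

// Enforce the type the query expects; anything but a bounded string is an error.
function requireString(value, name, max = 128) {
  if (typeof value !== "string") throw new TypeError(`${name} must be a string`);
  if (value.length === 0 || value.length > max) throw new RangeError(`${name} length out of range`);
  return value;
}

// Hardened: the filter can only ever hold string equality.
function buildFilterSafe(body) {
  if (containsOperator(body)) throw new TypeError("operator keys are not allowed in request body");
  return { username: requireString(body.username, "username") };
}

// Minimal filter matcher (equality plus a few operators) to show the bypass locally.
// Real MongoDB semantics are far richer; this is only a demonstration aid.
function matchesFilter(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const actual = doc[field];
    if (cond && typeof cond === "object" && !Array.isArray(cond)) {
      return Object.entries(cond).every(([op, arg]) => {
        if (op === "$ne") return actual !== arg;
        if (op === "$gt") return actual > arg;
        if (op === "$regex") return new RegExp(arg).test(String(actual));
        throw new Error("unsupported operator in demo matcher: " + op);
      });
    }
    return actual === cond;
  });
}

// Constructed sample collection.
const SAMPLE_USERS = [
  { username: "admin", role: "admin" },
  { username: "bob", role: "user" },
];
```

With the unsafe builder the injected body matches every document in `SAMPLE_USERS`; with the safe builder the same body is rejected before any query is built, while a plain `{ "username": "bob" }` still matches exactly one record. `express.json()` parses nested objects by default, which is why the type check has to happen on the server rather than being assumed from the form.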
Authentication & Authorization Issues
- Inconsistent token validation
- Missing role-based access controls
- JWT implementation lacks proper expiration validation
- Cookie-based authentication lacks Secure and SameSite flags
Other Security Issues
- Improper error handling exposing implementation details
- Outdated dependencies with known vulnerabilities
- Missing input validation across multiple routes
- Lack of Content Security Policy headers
Recommended Actions
- Implement an immediate fix for the exposed API key
- Add proper data filtering to all API endpoints
- Update EJS templates to properly escape user-provided content
- Implement comprehensive input validation
- Update authentication mechanism with proper security controls
- Add proper error handling that doesn't expose sensitive information
- Update outdated dependencies
Priority: High
Severity: Critical
🤖 Generated with Claude Code