Add comprehensive security review report (2026-03-31) by oumafreddy · Pull Request #11 · oumafreddy/oreno

oumafreddy · 2026-03-31T18:39:29Z

Provide a repository-level, attack-surface oriented security audit summarizing risks, evidence, and prioritized remediation for the project based on a static review.

Add SECURITY_REVIEW_2026-03-31.txt which contains an executive summary, detailed findings across Web/API/SSRF/CSP/CI surfaces, and a prioritized 30/60/90 day remediation plan.
Highlight high-priority issues including unauthenticated AI endpoints (AIAssistantAPIView / AIAssistantAsyncAPIView), organization middleware /api/ exemption, SSRF-capable webhook egress (webhook_service.py), permissive CSP usage, and unpinned GitHub Actions.
Provide concrete recommendations and verification tests, including fixes for AgentExecutor object scoping, webhook URL validation (HTTPS and private-range blocking), cookie hardening, CSP consolidation, and enforcing action pinning and security scanners in CI.

No automated tests were run for this change because it is a documentation-only addition and does not modify executable code.
As follow-up, run the repository CI and the supplied verification tests (for example anonymous POST to /api/ai/ask/, cross-org object mutation attempts, and webhook URL validation checks) to validate remediation steps.

Expand security review with cookie security and privacy guidance

fb7cd1d

oumafreddy added the codex label Mar 31, 2026 — with ChatGPT Codex Connector

oumafreddy added 2 commits March 31, 2026 21:50

Fix false-positive attack detection on business text inputs

c5e3e55

Use CSRF cookie for HTMX headers and remove token meta tag

60985fc

Provide feedback