Security hardening from audit findings

- Add rate limiting (5 req/hr per IP) to vendor-request API
- Add input validation: type checks, length limits, URL validation
- Sanitize Markdown injection in GitHub Issue body
- Block wildcard CORS origin
- Validate severity values against allowlist (XSS prevention)
- Escape CVSS values in DOM rendering
- Deploy only static files to GitHub Pages (hide scripts, api, config)
- Add Dependabot for npm and GitHub Actions dependencies
- Sanitize error messages in public-facing fetch logs
- Add SRI hash to Umami analytics script

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Toreburn

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/deploy.yml

@@ -5,13 +5,11 @@ on:
     branches: [ "master" ]
   workflow_dispatch:
 
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
   contents: read
   pages: write
   id-token: write
 
-# Allow only one concurrent deployment
 concurrency:
   group: "pages"
   cancel-in-progress: false
@@ -25,15 +23,23 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      
+
+      - name: Prepare site directory
+        run: |
+          mkdir -p _site/data
+          cp index.html script.js styles.css favicon.ico _site/
+          cp CNAME robots.txt sitemap.xml _site/ 2>/dev/null || true
+          cp -r data/ _site/data/ 2>/dev/null || true
+          cp logs.html logs.js _site/ 2>/dev/null || true
+
       - name: Setup Pages
         uses: actions/configure-pages@v4
-        
+
       - name: Upload artifact
         uses: actions/upload-pages-artifact@v3
         with:
-          path: '.'
-          
+          path: '_site'
+
       - name: Deploy to GitHub Pages
         id: deployment
         uses: actions/deploy-pages@v4

.github/workflows/fetch-all-patches.yml

@@ -159,13 +159,21 @@ jobs:
           git add data/
           git diff --staged --quiet || (git commit -m "Update patch data $(date -u +%Y-%m-%d)" && git push)
 
+      - name: Prepare site directory
+        run: |
+          mkdir -p _site/data
+          cp index.html script.js styles.css favicon.ico _site/
+          cp CNAME robots.txt sitemap.xml _site/ 2>/dev/null || true
+          cp -r data/ _site/data/ 2>/dev/null || true
+          cp logs.html logs.js _site/ 2>/dev/null || true
+
       - name: Setup Pages
         uses: actions/configure-pages@v4
 
       - name: Upload Pages artifact
         uses: actions/upload-pages-artifact@v3
         with:
-          path: '.'
+          path: '_site'
 
       - name: Deploy to GitHub Pages
         id: deployment

.github/workflows/update-patches.yml

@@ -43,13 +43,21 @@ jobs:
           git add data/patches.json data/vendors/*.json
           git diff --staged --quiet || (git commit -m "Update patch data [skip ci]" && git push)
 
+      - name: Prepare site directory
+        run: |
+          mkdir -p _site/data
+          cp index.html script.js styles.css favicon.ico _site/
+          cp CNAME robots.txt sitemap.xml _site/ 2>/dev/null || true
+          cp -r data/ _site/data/ 2>/dev/null || true
+          cp logs.html logs.js _site/ 2>/dev/null || true
+
       - name: Setup Pages
         uses: actions/configure-pages@v4
 
       - name: Upload artifact
         uses: actions/upload-pages-artifact@v3
         with:
-          path: '.'
+          path: '_site'
 
       - name: Deploy to GitHub Pages
         id: deployment

api/vendor-request.js

@@ -1,6 +1,40 @@
+// Simple in-memory rate limiter (resets on cold start)
+const rateLimit = new Map();
+const RATE_WINDOW_MS = 3600000; // 1 hour
+const RATE_MAX = 5; // max requests per IP per window
+
+function checkRateLimit(ip) {
+    const now = Date.now();
+    const entry = rateLimit.get(ip);
+    if (!entry || now > entry.resetAt) {
+        rateLimit.set(ip, { count: 1, resetAt: now + RATE_WINDOW_MS });
+        return true;
+    }
+    entry.count++;
+    return entry.count <= RATE_MAX;
+}
+
+function sanitizeMarkdown(str) {
+    return str.replace(/[[\]()@#*`~>!|\\]/g, '');
+}
+
+function validateUrl(str) {
+    try {
+        const parsed = new URL(str);
+        return ['http:', 'https:'].includes(parsed.protocol);
+    } catch {
+        return false;
+    }
+}
+
 export default async function handler(req, res) {
     const allowedOrigin = process.env.ALLOWED_ORIGIN || '';
 
+    if (allowedOrigin === '*') {
+        console.error('ALLOWED_ORIGIN must not be wildcard');
+        return res.status(500).json({ error: 'Server misconfiguration' });
+    }
+
     // CORS headers
     res.setHeader('Access-Control-Allow-Origin', allowedOrigin);
     res.setHeader('Access-Control-Allow-Methods', 'POST, OPTIONS');
@@ -14,31 +48,66 @@ export default async function handler(req, res) {
         return res.status(405).json({ error: 'Method not allowed' });
     }
 
+    // Rate limit by IP
+    const forwarded = req.headers['x-forwarded-for'];
+    const ip = forwarded ? forwarded.split(',')[0].trim() : 'unknown';
+    if (!checkRateLimit(ip)) {
+        return res.status(429).json({ error: 'Too many requests. Try again later.' });
+    }
+
     const { vendorName, feedUrl, notes } = req.body || {};
 
+    // Type validation
     if (!vendorName || typeof vendorName !== 'string' || !vendorName.trim()) {
         return res.status(400).json({ error: 'Vendor name is required' });
     }
+    if (feedUrl !== undefined && feedUrl !== null && typeof feedUrl !== 'string') {
+        return res.status(400).json({ error: 'Invalid feed URL' });
+    }
+    if (notes !== undefined && notes !== null && typeof notes !== 'string') {
+        return res.status(400).json({ error: 'Invalid notes' });
+    }
+
+    // Length validation
+    if (vendorName.trim().length > 200) {
+        return res.status(400).json({ error: 'Vendor name too long' });
+    }
+    if (feedUrl && feedUrl.trim().length > 2000) {
+        return res.status(400).json({ error: 'Feed URL too long' });
+    }
+    if (notes && notes.trim().length > 5000) {
+        return res.status(400).json({ error: 'Notes too long' });
+    }
+
+    // URL validation
+    if (feedUrl && feedUrl.trim() && !validateUrl(feedUrl.trim())) {
+        return res.status(400).json({ error: 'Invalid URL format or protocol' });
+    }
 
     const ghToken = process.env.GITHUB_TOKEN;
     if (!ghToken) {
         console.error('GITHUB_TOKEN not configured');
         return res.status(500).json({ error: 'Server configuration error' });
     }
 
+    // Sanitize inputs for Markdown injection
+    const safeName = sanitizeMarkdown(vendorName.trim());
+    const safeUrl = feedUrl ? sanitizeMarkdown(feedUrl.trim()) : '';
+    const safeNotes = notes ? sanitizeMarkdown(notes.trim()) : '';
+
     // Build issue body
     const bodyLines = [
         '## Vendor Request',
         '',
-        `**Vendor Name:** ${vendorName.trim()}`,
+        `**Vendor Name:** ${safeName}`,
     ];
 
-    if (feedUrl && feedUrl.trim()) {
-        bodyLines.push(`**Security Feed URL:** ${feedUrl.trim()}`);
+    if (safeUrl) {
+        bodyLines.push(`**Security Feed URL:** ${safeUrl}`);
     }
 
-    if (notes && notes.trim()) {
-        bodyLines.push('', `**Notes:** ${notes.trim()}`);
+    if (safeNotes) {
+        bodyLines.push('', `**Notes:** ${safeNotes}`);
     }
 
     try {
@@ -51,7 +120,7 @@ export default async function handler(req, res) {
                 'X-GitHub-Api-Version': '2022-11-28',
             },
             body: JSON.stringify({
-                title: `Vendor Request: ${vendorName.trim()}`,
+                title: `Vendor Request: ${safeName.substring(0, 100)}`,
                 body: bodyLines.join('\n'),
                 labels: ['vendor-request'],
             }),

index.html

@@ -37,7 +37,7 @@
     }
     </script>
     <!-- Umami Analytics (privacy-friendly, cookie-free) -->
-    <script defer src="https://cloud.umami.is/script.js" data-website-id="45f6e89a-17db-42d4-9d7f-4231d66dc2ca"></script>
+    <script defer src="https://cloud.umami.is/script.js" data-website-id="45f6e89a-17db-42d4-9d7f-4231d66dc2ca" integrity="sha384-njZ5sCqL2nQlDz+tuOzt4BOOdB4zc8UVx7AiE6EGDrjYZPfNHel8zAmY2ESoQilv" crossorigin="anonymous"></script>
 </head>
 <body>
     <div class="app">

script.js

@@ -282,6 +282,8 @@ document.addEventListener('DOMContentLoaded', () => {
     }
 
     // ── Rendering ──
+    const VALID_SEVERITIES = ['critical', 'high', 'medium', 'low', 'unknown', 'important'];
+
     function displayPatches(list) {
         if (!list.length) {
             patchFeed.innerHTML = '<div class="no-results">No patches match your filters</div>';
@@ -291,7 +293,8 @@ document.addEventListener('DOMContentLoaded', () => {
         list.sort((a, b) => new Date(b.date) - new Date(a.date));
 
         patchFeed.innerHTML = list.map(p => {
-            const sev = (p.severity || 'unknown').toLowerCase();
+            const rawSev = (p.severity || '').toLowerCase();
+            const sev = VALID_SEVERITIES.includes(rawSev) ? rawSev : 'unknown';
             let displaySev = sev.charAt(0).toUpperCase() + sev.slice(1);
             if (displaySev === 'Unknown') displaySev = 'Bug Fix';
 
@@ -300,6 +303,7 @@ document.addEventListener('DOMContentLoaded', () => {
             const comp = escapeHtml(p.component || '');
             const vendor = escapeHtml((p.vendor || '').toUpperCase());
             const cvss = p.cvss || p.cvssScore || null;
+            const safeCvss = cvss ? escapeHtml(String(cvss)) : null;
             const cve = escapeHtml(p.cve || '');
 
             return `<div class="patch-card severity-${sev}">
@@ -311,7 +315,7 @@ document.addEventListener('DOMContentLoaded', () => {
                 <div class="patch-meta">
                     <span class="tag tag-vendor">${vendor}</span>
                     <span class="tag tag-severity-${sev}">${displaySev}</span>
-                    ${cvss ? `<span class="tag tag-cvss" title="CVSS Base Score">CVSS ${cvss}</span>` : ''}
+                    ${safeCvss ? `<span class="tag tag-cvss" title="CVSS Base Score">CVSS ${safeCvss}</span>` : ''}
                     ${cve ? `<span class="tag tag-cve">${cve}</span>` : ''}
                     ${comp ? `<span class="tag">${comp}</span>` : ''}
                 </div>

scripts/fetch-patches.js

@@ -71,7 +71,8 @@ async function fetchPatches() {
                         logs.push(`[INFO] No new patches for ${vendorData.vendor} in the last week`);
                     }
                 } catch (error) {
-                    logs.push(`[ERROR] Failed to process ${file}: ${error.message}`);
+                    console.error(`Full error for ${file}:`, error);
+                    logs.push(`[ERROR] ${file} - fetch failed`);
                 }
             }
         }
@@ -113,7 +114,8 @@ async function fetchPatches() {
 
         logs.push(`[SUCCESS] Updated patches.json with ${allPatches.length} total patches (${newPatchCount} new)`);
     } catch (error) {
-        logs.push(`[ERROR] Failed to fetch patches: ${error.message}`);
+        console.error('Failed to fetch patches:', error);
+        logs.push(`[ERROR] Patch aggregation failed`);
     }
 
     return logs;