pplate/cannamanage
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): suppress CSRF false positive + upgrade next 15.5.19 + dep overrides
Deploy to TrueNAS / deploy (push) Failing after 4m7s
Details

Browse Source 
- Add .snyk policy file to suppress CSRF disabled false positive on JWT API chain
- Add inline documentation explaining why CSRF is intentionally disabled for stateless JWT
- Upgrade next.js 15.5.18 → 15.5.19 (latest stable 15.x patch)
- Upgrade eslint-config-next to match
- Add pnpm overrides for transitive CVEs: minimatch>=5.1.6, brace-expansion>=2.0.1, ajv>=8.17.1
This commit is contained in:
Patrick Plate
2026-06-19 09:09:40 +02:00
parent 970f8eb295
commit 6aae17edba
4 changed files with 88 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files
cannamanage-api/src/main/java/de/cannamanage/api/security/SecurityConfig.java
+7
View File
@@ -54,6 +54,13 @@ public class SecurityConfig {
http
.securityMatcher("/api/**")
.cors(cors -> cors.configurationSource(corsConfigurationSource()))
// snyk:ignore java/CsrfProtectionDisabled — Intentional: this filter chain
// handles stateless JWT-authenticated API calls only. CSRF attacks exploit
// browser-managed session cookies; Bearer token auth is immune because the
// token is never sent automatically by the browser. OWASP CSRF Prevention
// Cheat Sheet: "If your application does not use cookies for authentication,
// CSRF is not a risk." The portal chain (Order 2) correctly enables CSRF via
// CookieCsrfTokenRepository for its session-based auth.
.csrf(csrf -> csrf.disable())
.sessionManagement(session -> session
.sessionCreationPolicy(SessionCreationPolicy.STATELESS))