
fix: Security audit — fix critical vulnerabilities in API specification#3

Open
devin-ai-integration[bot] wants to merge 1 commit into main from devin/1782936954-security-fixes

Conversation

@devin-ai-integration


Summary

The repo contained only an OpenAPI spec (misplaced in README.md) for "BankWeb API" with 12 security vulnerabilities across critical/high/medium severity. Key fixes:

Critical:

  • Added components.securitySchemes.BearerAuth (JWT) — spec had zero auth mechanism defined
  • Split monolithic UserModel (which included password) into LoginRequest/LoginResponse/RegisterRequest etc. — password was returned in Login response
  • Added security: [{BearerAuth: []}] + 401 to /api/User/GetAvailableFunds, /api/User/ProfileImage, /api/PortalSearch/Index — these were completely unauthenticated

High:

  • Removed IDOR-susceptible ?username=/?user= query params from own-data endpoints (GetHistory, GetTransactionHistory, GetAvailableFunds, ProfileImage) — user must be derived from JWT token server-side
  • Added minLength/maxLength/minimum/maximum/pattern to all request fields — previously unbounded, enabling injection and DoS
  • Removed price from BuyProductReq — client could set arbitrary purchase price

Medium:

  • Changed /api/Auth/Logout from GET → POST (CSRF via <img> tag)
  • Added 429 responses to auth endpoints (brute-force protection)
  • Fixed user enumeration in /api/Auth/PasswordRecovery (always 200)

Also: moved spec from README.md → openapi.json, added proper README.md and SECURITY.md documenting all findings + server-side implementation recommendations (CORS, SQLi prevention, password hashing, token management).

Link to Devin session: https://app.devin.ai/sessions/367c97de0e044f39bf3c245d89441087
Requested by: @wsh92

- Add JWT Bearer authentication scheme (was completely missing)
- Split UserModel into separate request/response schemas to prevent
  password leakage in API responses
- Add authentication requirements to all sensitive endpoints
  (GetAvailableFunds, ProfileImage, PortalSearch)
- Remove IDOR-susceptible user query params from own-data endpoints
- Add input validation constraints (minLength, maxLength, minimum,
  maximum, pattern) to all request fields
- Remove client-controlled price from BuyProductReq
- Change Logout from GET to POST (CSRF prevention)
- Add 429 rate limiting responses to auth endpoints
- Fix user enumeration in PasswordRecovery
- Add 403 Forbidden responses to admin endpoints
- Move OpenAPI spec from README.md to openapi.json
- Add SECURITY.md documenting all findings and fixes

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
@wsh92 wsh92 self-assigned this Jul 1, 2026
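The checks the PR summary and commit message call for, as an added example that is not code from the PR, the BankWeb repository or Devin: a small static audit of an OpenAPI document that flags the spec-level anti-patterns listed above (no securitySchemes, operations without a security requirement, a response schema that carries password, ?username=/?user= query parameters on own-data endpoints, a GET Logout, string request fields without maxLength, credential endpoints without a documented 429). The two embedded specs are constructed: the path and schema names come from the PR text, while the field names, limits and status codes are assumed for illustration.

```python
"""Audit an OpenAPI document for the anti-patterns the PR description lists.

Added example, not code from the PR or the BankWeb repository. The two specs
below are constructed; only the path and schema names come from the PR text.
"""

PUBLIC_PATHS = {"/api/Auth/Login", "/api/Auth/Register", "/api/Auth/PasswordRecovery"}
IDOR_PARAMS = {"username", "user"}          # caller-chosen identity selectors
METHODS = ("get", "post", "put", "patch", "delete")


def json_body(ref):
    """Build an application/json content object that $refs a schema."""
    return {"content": {"application/json": {"schema": {"$ref": ref}}}}


# Constructed "before" spec: no securitySchemes, UserModel (with password)
# reused as the Login response, GET Logout, ?username= on an own-data endpoint.
VULNERABLE_SPEC = {
    "openapi": "3.0.3",
    "components": {"schemas": {"UserModel": {"type": "object", "properties": {
        "username": {"type": "string"}, "password": {"type": "string"}}}}},
    "paths": {
        "/api/Auth/Login": {"post": {
            "requestBody": json_body("#/components/schemas/UserModel"),
            "responses": {"200": json_body("#/components/schemas/UserModel")}}},
        "/api/Auth/Logout": {"get": {"responses": {"200": {}}}},
        "/api/User/GetAvailableFunds": {"get": {
            "parameters": [{"name": "username", "in": "query", "schema": {"type": "string"}}],
            "responses": {"200": {}}}},
    },
}

# Constructed "after" spec applying the fixes the PR describes (limits are assumed).
HARDENED_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"BearerAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}},
        "schemas": {
            "LoginRequest": {"type": "object", "required": ["username", "password"], "properties": {
                "username": {"type": "string", "minLength": 3, "maxLength": 64, "pattern": "^[A-Za-z0-9_.-]+$"},
                "password": {"type": "string", "minLength": 12, "maxLength": 128}}},
            "LoginResponse": {"type": "object", "properties": {"token": {"type": "string", "maxLength": 4096}}},
        },
    },
    "paths": {
        "/api/Auth/Login": {"post": {
            "requestBody": json_body("#/components/schemas/LoginRequest"),
            "responses": {"200": json_body("#/components/schemas/LoginResponse"), "401": {}, "429": {}}}},
        "/api/Auth/Logout": {"post": {"security": [{"BearerAuth": []}], "responses": {"204": {}, "401": {}}}},
        "/api/User/GetAvailableFunds": {"get": {"security": [{"BearerAuth": []}],
                                                "responses": {"200": {}, "401": {}}}},
    },
}


def resolve(spec, schema):
    """Follow local '#/components/...' $refs until a concrete schema is reached."""
    while schema and "$ref" in schema:
        node = spec
        for part in schema["$ref"].lstrip("#/").split("/"):
            node = node[part]
        schema = node
    return schema or {}


def audit(spec):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    if not spec.get("components", {}).get("securitySchemes"):
        findings.append("no securitySchemes defined: spec describes no auth mechanism")
    global_security = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        for method in METHODS:
            op = item.get(method)
            if op is None:
                continue
            where = f"{method.upper()} {path}"
            responses = op.get("responses", {})
            # Every non-public operation must declare a security requirement.
            if path not in PUBLIC_PATHS and not (op.get("security") or global_security):
                findings.append(f"{where}: no security requirement (unauthenticated)")
            # Logout changes server state; on GET an <img src=...> can trigger it (CSRF).
            if method == "get" and path.endswith("/Logout"):
                findings.append(f"{where}: state-changing action on GET (CSRF)")
            # ?username=/?user= on an own-data endpoint lets the caller pick the victim (IDOR).
            for param in op.get("parameters", []):
                if param.get("in") == "query" and param.get("name") in IDOR_PARAMS:
                    findings.append(f"{where}: query param '{param['name']}' selects the user (IDOR)")
            # A response schema carrying 'password' leaks the credential to the client.
            for status, resp in responses.items():
                for media in resp.get("content", {}).values():
                    if "password" in resolve(spec, media.get("schema")).get("properties", {}):
                        findings.append(f"{where}: {status} response exposes 'password'")
            # Unbounded request strings invite oversized-input DoS and injection payloads.
            for media in op.get("requestBody", {}).get("content", {}).values():
                for name, prop in resolve(spec, media.get("schema")).get("properties", {}).items():
                    if prop.get("type") == "string" and "maxLength" not in prop:
                        findings.append(f"{where}: request field '{name}' has no maxLength")
            # Credential endpoints should document throttling with a 429 response.
            if path in PUBLIC_PATHS and "429" not in responses:
                findings.append(f"{where}: no 429 response documented (brute force)")
    return findings


REPORT = {"before": audit(VULNERABLE_SPEC), "after": audit(HARDENED_SPEC)}
```

audit(VULNERABLE_SPEC) returns nine findings that line up with the summary above, and audit(HARDENED_SPEC) returns none. The checks are contract-level only: a security requirement or a removed query parameter in the spec says nothing about what the server enforces, so the auth and IDOR fixes still need runtime tests against the deployed API.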
@devin-ai-integration

Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


