Fix CodeQL security vulnerabilities in CORS, JWT, logging, and GitHub Actions (#53)

Copilot · PhantomDave · web-flow · commit e72a7addcc8d · 2025-11-15T00:31:18.000+01:00
* Initial plan

* Fix critical security issues in CORS and JWT configuration

Co-authored-by: PhantomDave &lt;34485699+PhantomDave@users.noreply.github.com&gt;

* Fix potential token exposure in GitHub Actions workflow

Co-authored-by: PhantomDave &lt;34485699+PhantomDave@users.noreply.github.com&gt;

---------

Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: PhantomDave &lt;34485699+PhantomDave@users.noreply.github.com&gt;
diff --git a/.github/workflows/deploy-tailscale.yml b/.github/workflows/deploy-tailscale.yml
@@ -120,8 +120,8 @@ jobs:
 
       - name: Log in to GitHub Container Registry
         run: |
-          tailscale ssh "${{ steps.ssh.outputs.target }}" \
-            "echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin"
+          echo "${{ secrets.GITHUB_TOKEN }}" | tailscale ssh "${{ steps.ssh.outputs.target }}" \
+            "docker login ghcr.io -u ${{ github.actor }} --password-stdin"
 
       - name: Clean up old Docker images
         run: |
diff --git a/PhantomDave.BankTracking.Api/Program.cs b/PhantomDave.BankTracking.Api/Program.cs
@@ -58,7 +58,9 @@ public static void Main(string[] args)
             })
             .AddJwtBearer(options =>
             {
-                options.RequireHttpsMetadata = false; // enable HTTPS in production
+                // WARNING: RequireHttpsMetadata should be true in production environments
+                // Set to false only for local development
+                options.RequireHttpsMetadata = builder.Environment.IsDevelopment() == false;
                 options.SaveToken = true;
                 options.TokenValidationParameters = new TokenValidationParameters
                 {
@@ -79,7 +81,7 @@ public static void Main(string[] args)
         {
             options.AddDefaultPolicy(policy =>
                 policy
-                    .WithOrigins("http://localhost:4200", "http://localhost:5095/graphql", "*")
+                    .WithOrigins("http://localhost:4200", "http://localhost:5095")
                     .AllowAnyHeader()
                     .AllowAnyMethod()
                     .AllowCredentials());
diff --git a/PhantomDave.BankTracking.Api/Services/FileImportService.cs b/PhantomDave.BankTracking.Api/Services/FileImportService.cs
@@ -2,6 +2,7 @@
 using System.Text;
 using CsvHelper;
 using CsvHelper.Configuration;
+using Microsoft.Extensions.Logging;
 using OfficeOpenXml;
 using PhantomDave.BankTracking.Api.Types.ObjectTypes;
 using PhantomDave.BankTracking.Library.Models;
@@ -24,8 +25,10 @@ public class ParsedFileData
     public FileType FileTypeExt { get; set; } = FileType.Xlsx;
     public int HeaderRowIndex { get; set; } = 1;
 }
-public class FileImportService
+public class FileImportService(ILogger<FileImportService> logger)
 {
+    private readonly ILogger<FileImportService> _logger = logger;
+
     public async Task<ParsedFileData> ParseFileAsync(IFile file)
     {
         await using var reader = file.OpenReadStream();
@@ -239,8 +242,9 @@ private static Encoding DetectEncoding(Stream stream)
             Encoding.UTF8.GetString(buffer, 0, bytesRead);
             return Encoding.UTF8;
         }
-        catch
+        catch (DecoderFallbackException)
         {
+            // If UTF-8 decoding fails, fall back to ISO-8859-1
             return Encoding.GetEncoding("ISO-8859-1");
         }
     }
@@ -283,11 +287,13 @@ public IEnumerable<FinanceRecord> FromParsedData(int accountId, ParsedFileData p
 
                 records.Add(record);
             }
-            catch
+            catch (Exception ex)
             {
                 failedCount++;
+                _logger.LogWarning(ex, "Failed to parse row {RowIndex} during import", records.Count + failedCount);
             }
-            Console.WriteLine($"Processed {records.Count + failedCount} / {parsedData.Rows.Count}, Failed: {failedCount}");
+            _logger.LogDebug("Processed {ProcessedRows} / {TotalRows}, Failed: {FailedRows}", 
+                records.Count + failedCount, parsedData.Rows.Count, failedCount);
         }
 
         return records;

Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,9 @@ public static void Main(string[] args)`
`58`	`58`	`})`
`59`	`59`	`.AddJwtBearer(options =>`
`60`	`60`	`{`
`61`		`- options.RequireHttpsMetadata = false; // enable HTTPS in production`
	`61`	`+ // WARNING: RequireHttpsMetadata should be true in production environments`
	`62`	`+ // Set to false only for local development`
	`63`	`+ options.RequireHttpsMetadata = builder.Environment.IsDevelopment() == false;`
`62`	`64`	`options.SaveToken = true;`
`63`	`65`	`options.TokenValidationParameters = new TokenValidationParameters`
`64`	`66`	`{`
`@@ -79,7 +81,7 @@ public static void Main(string[] args)`
`79`	`81`	`{`
`80`	`82`	`options.AddDefaultPolicy(policy =>`
`81`	`83`	`policy`
`82`		`- .WithOrigins("http://localhost:4200", "http://localhost:5095/graphql", "*")`
	`84`	`+ .WithOrigins("http://localhost:4200", "http://localhost:5095")`
`83`	`85`	`.AllowAnyHeader()`
`84`	`86`	`.AllowAnyMethod()`
`85`	`87`	`.AllowCredentials());`
Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@`
`2`	`2`	`using System.Text;`
`3`	`3`	`using CsvHelper;`
`4`	`4`	`using CsvHelper.Configuration;`
	`5`	`+using Microsoft.Extensions.Logging;`
`5`	`6`	`using OfficeOpenXml;`
`6`	`7`	`using PhantomDave.BankTracking.Api.Types.ObjectTypes;`
`7`	`8`	`using PhantomDave.BankTracking.Library.Models;`
`@@ -24,8 +25,10 @@ public class ParsedFileData`
`24`	`25`	`public FileType FileTypeExt { get; set; } = FileType.Xlsx;`
`25`	`26`	`public int HeaderRowIndex { get; set; } = 1;`
`26`	`27`	`}`
`27`		`-public class FileImportService`
	`28`	`+public class FileImportService(ILogger<FileImportService> logger)`
`28`	`29`	`{`
	`30`	`+ private readonly ILogger<FileImportService> _logger = logger;`
	`31`	`+`
`29`	`32`	`public async Task<ParsedFileData> ParseFileAsync(IFile file)`
`30`	`33`	`{`
`31`	`34`	`await using var reader = file.OpenReadStream();`
`@@ -239,8 +242,9 @@ private static Encoding DetectEncoding(Stream stream)`
`239`	`242`	`Encoding.UTF8.GetString(buffer, 0, bytesRead);`
`240`	`243`	`return Encoding.UTF8;`
`241`	`244`	`}`
`242`		`- catch`
	`245`	`+ catch (DecoderFallbackException)`
`243`	`246`	`{`
	`247`	`+ // If UTF-8 decoding fails, fall back to ISO-8859-1`
`244`	`248`	`return Encoding.GetEncoding("ISO-8859-1");`
`245`	`249`	`}`
`246`	`250`	`}`
`@@ -283,11 +287,13 @@ public IEnumerable<FinanceRecord> FromParsedData(int accountId, ParsedFileData p`
`283`	`287`
`284`	`288`	`records.Add(record);`
`285`	`289`	`}`
`286`		`- catch`
	`290`	`+ catch (Exception ex)`
`287`	`291`	`{`
`288`	`292`	`failedCount++;`
	`293`	`+ _logger.LogWarning(ex, "Failed to parse row {RowIndex} during import", records.Count + failedCount);`
`289`	`294`	`}`
`290`		`- Console.WriteLine($"Processed {records.Count + failedCount} / {parsedData.Rows.Count}, Failed: {failedCount}");`
	`295`	`+ _logger.LogDebug("Processed {ProcessedRows} / {TotalRows}, Failed: {FailedRows}",`
	`296`	`+ records.Count + failedCount, parsedData.Rows.Count, failedCount);`
`291`	`297`	`}`
`292`	`298`
`293`	`299`	`return records;`