veza/.gitignore
senke 9cd0da0046 fix(v0.12.6): apply all pentest remediations — 36 findings across 36 files
CRITICAL fixes:
- Race condition (TOCTOU) in payout/refund with SELECT FOR UPDATE (CRITICAL-001/002)
- IDOR on analytics endpoint — ownership check enforced (CRITICAL-003)
- CSWSH on all WebSocket endpoints — origin whitelist (CRITICAL-004)
- Mass assignment on user self-update — strip privileged fields (CRITICAL-005)

HIGH fixes:
- Path traversal in marketplace upload — UUID filenames (HIGH-001)
- IP spoofing — use Gin trusted proxy c.ClientIP() (HIGH-002)
- Popularity metrics (followers, likes) set to json:"-" (HIGH-003)
- bcrypt cost hardened to 12 everywhere (HIGH-004)
- Refresh token lock made mandatory (HIGH-005)
- Stream token replay prevention with access_count (HIGH-006)
- Subscription trial race condition fixed (HIGH-007)
- License download expiration check (HIGH-008)
- Webhook amount validation (HIGH-009)
- pprof endpoint removed from production (HIGH-010)

MEDIUM fixes:
- WebSocket message size limit 64KB (MEDIUM-010)
- HSTS header in nginx production (MEDIUM-001)
- CORS origin restricted in nginx-rtmp (MEDIUM-002)
- Docker alpine pinned to 3.21 (MEDIUM-003/004)
- Redis authentication enforced (MEDIUM-005)
- GDPR account deletion expanded (MEDIUM-006)
- .gitignore hardened (MEDIUM-007)

LOW/INFO fixes:
- GitHub Actions SHA pinning on all workflows (LOW-001)
- .env.example security documentation (INFO-001)
- Production CORS set to HTTPS (LOW-002)

All tests pass. Go and Rust compile clean.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-14 00:44:46 +01:00

132 lines
2 KiB
Text

# ============================================================
# Veza/Talas — Global .gitignore
# Stack: Go, Rust, TypeScript/React, Docker, Scripts
# ============================================================
### Node / JS
node_modules/
dist/
build/
.next/
# Caveat: with the lockfile ignored, CI re-resolves dependencies on every run,
# so builds are neither reproducible nor pinned to reviewed versions.
pnpm-lock.yaml
npm-debug.log*
yarn-debug.log*
yarn-error.log*
### Rust
target/
# Caveat: Cargo's own guidance is to commit Cargo.lock for binaries/applications
# so every build resolves the same crate versions.
Cargo.lock
*.rs.bk
### Go
*.exe
*.exe~
*.dll
*.so
*.dylib
### Python (scripts/tools)
__pycache__/
*.pyc
### Logs / Dumps
*.log
logs/
*.pid
*.seed
*.gz
### Database dumps — SECURITY(REM-034): Never commit database artifacts
**/veza_back_api_db/
*.sql.dump
*.pgdump
### Editors / IDE
.vscode/
.idea/
.cursor/
*.swp
*.swo
### System trash
.DS_Store
Thumbs.db
### Temp / Cache
tmp/
temp/
.cache/
.turbo/
coverage/
coverage-final.json
typecheck*.txt
output*.txt
design_system*.html
*_design_system*.html
MODULE.bazel.lock
### Test artifacts
*.test
*.coverage
*.out
test-results/
playwright-report/
### Build / Bundles
*.wasm
*.bundle.js
*.map
apps/web/dist_verification/
**/dist_verification/
### Environment / Secrets (NEVER COMMIT)
# A pattern with no slash matches at any depth and the last matching pattern
# wins, so these lines cover every service directory (veza-backend-api,
# veza-chat-server, veza-stream-server, apps/web, ...): ignore every .env
# variant, then re-include only the committed templates.
.env
.env.*
!.env.example
!.env.staging.example
.secrets/
### Docker
docker-data/
*.tar
# HAProxy SSL certs (never commit private keys)
docker/haproxy/certs/*.key
docker/haproxy/certs/*.pem
# JWT RSA keys (v0.9.1 RS256 migration — NEVER commit)
jwt-private.pem
jwt-public.pem
veza-backend-api/main
veza-backend-api/api
veza-backend-api/migrate_tool
chat_exports/
# Environment / Secrets — config templates only, never commit real .env
config/incus/env/*.env
!config/incus/env/env.example
# Playwright
/test-results/
/playwright-report/
apps/web/e2e-results.json
/blob-report/
/playwright/.cache/
/playwright/.auth/
apps/web/e2e/.auth/
*storybook.log
storybook-static
# v0.941: Swagger docs.go generated by CI (swag init)
veza-backend-api/docs/docs.go
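The secrets rules above (the `.env` section, `.secrets/`, the HAProxy certs and the JWT key pair) only help if they match the paths they are meant to protect, and they never remove a secret that was committed before the rule existed. The script below is an added example, not part of the Veza repository: it rebuilds those rules in a throwaway repo, classifies sample paths with `git check-ignore`, and uses `git ls-files -ci` to surface a constructed `veza-backend-api/.env` that was committed before the rules were added. It assumes `git` is on `PATH`; the line `!.secrets/README.md` is added by the example (it is not in the page's .gitignore) to show that a file under an ignored directory cannot be re-included.

```shell
#!/usr/bin/env sh
# Added example, not part of the Veza repository: exercise the secrets section
# of the .gitignore with `git check-ignore`, and catch the one case .gitignore
# cannot fix (a secret that is already tracked). Assumes git is on PATH.
set -eu

# Throwaway repo in which veza-backend-api/.env is committed BEFORE the ignore
# rules exist (constructed leak), then an excerpt of the page's rules is
# installed. `!.secrets/README.md` is NOT on the page; it is added here to show
# that a file under an ignored directory cannot be re-included.
setup_repo() {
  d=$(mktemp -d)
  git -C "$d" init -q
  mkdir -p "$d/veza-backend-api"
  printf 'DATABASE_URL=postgres://leaked\n' > "$d/veza-backend-api/.env"
  git -C "$d" add veza-backend-api/.env
  git -C "$d" -c user.name=ci -c user.email=ci@example.invalid \
      commit -q -m 'constructed: secret committed before .gitignore'
  cat > "$d/.gitignore" <<'EOF'
.env
.env.*
!.env.example
!.env.staging.example
.secrets/
!.secrets/README.md
docker/haproxy/certs/*.key
docker/haproxy/certs/*.pem
jwt-private.pem
jwt-public.pem
EOF
  printf '%s\n' "$d"
}

# Print "ignored" or "tracked" for a path name relative to the repo. The path
# does not need to exist; --no-index makes the verdict depend on the rules
# alone, and core.excludesFile=/dev/null keeps a global excludes file out of it.
classify() {
  if git -C "$1" -c core.excludesFile=/dev/null \
        check-ignore -q --no-index -- "$2"; then
    echo ignored
  else
    echo tracked
  fi
}

# Files that are both in the index and matched by an ignore rule: .gitignore
# does not untrack them, so they stay in every future commit until removed.
already_tracked_secrets() {
  git -C "$1" -c core.excludesFile=/dev/null ls-files -ci --exclude-standard
}

main() {
  repo=$(setup_repo)
  for p in .env veza-backend-api/.env apps/web/.env.local \
           .env.example veza-backend-api/.env.example \
           .secrets/token.json .secrets/README.md \
           docker/haproxy/certs/site.key jwt-private.pem README.md; do
    printf '%-40s %s\n' "$p" "$(classify "$repo" "$p")"
  done
  echo "tracked despite ignore rules:"
  already_tracked_secrets "$repo"
  rm -rf "$repo"
}

main
```

Nested templates such as `veza-backend-api/.env.example` come back as `tracked` because `!.env.example` has no slash and therefore re-includes at any depth, which is why the explicit per-service `.env` lines are unnecessary. The `.secrets/README.md` row stays `ignored`: git cannot re-include a file whose parent directory is excluded, so templates must live outside ignored directories. If `already_tracked_secrets` prints anything, the ignore rule is not a fix: remove the file from the index with `git rm --cached`, rotate the secret, and, if it was ever pushed, rewrite history as well.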