Files
Claper/lib/claper/application.ex
Alexandre Lion 8f46837900 Fix critical security vulnerabilities (#211)
* Fix critical security vulnerabilities

Address 5 critical findings from security audit:
- Sanitize custom embed HTML to prevent stored XSS (strip all non-iframe content)
- Escape URLs in format_body/1 to prevent reflected XSS via post messages
- Add authorization check to form export endpoint (IDOR fix)
- Replace String.to_atom/1 on user input with explicit whitelists (8 locations)
- Add IP-based rate limiting on authentication endpoints via Hammer

* Start rate limiter before endpoint in supervision tree

* Update CHANGELOG
2026-02-09 19:18:14 +01:00

51 lines
1.6 KiB
Elixir

defmodule Claper.Application do
# See https://hexdocs.pm/elixir/Application.html
# for more information on OTP Applications
@moduledoc false
use Application
@impl true
def start(_type, _args) do
topologies = Application.get_env(:libcluster, :topologies) || []
oidc_config = Application.get_env(:claper, :oidc) || []
Oban.Telemetry.attach_default_logger()
children = [
{Cluster.Supervisor, [topologies, [name: Claper.ClusterSupervisor]]},
# Start the Ecto repository
Claper.Repo,
# Start the Telemetry supervisor
ClaperWeb.Telemetry,
# Start the PubSub system
{Phoenix.PubSub, name: Claper.PubSub},
# Start the rate limiter before the endpoint accepts requests
Claper.RateLimit,
# Start the Endpoint (http/https)
ClaperWeb.Presence,
ClaperWeb.Endpoint,
# Start a worker by calling: Claper.Worker.start_link(arg)
# {Claper.Worker, arg}
{Finch, name: Swoosh.Finch},
{Task.Supervisor, name: Claper.TaskSupervisor},
{Oidcc.ProviderConfiguration.Worker,
%{issuer: oidc_config[:issuer], name: Claper.OidcProviderConfig}},
{Oban, Application.fetch_env!(:claper, Oban)}
]
# See https://hexdocs.pm/elixir/Supervisor.html
# for other strategies and supported options
opts = [strategy: :one_for_one, name: Claper.Supervisor]
Supervisor.start_link(children, opts)
end
# Tell Phoenix to update the endpoint configuration
# whenever the application is updated.
@impl true
def config_change(changed, _new, removed) do
ClaperWeb.Endpoint.config_change(changed, removed)
:ok
end
end