Address security vulnerabilities and bugs

[amanmogal]

Implement comprehensive security fixes to address identified vulnerabilities and enhance application robustness.

This PR addresses critical security issues and introduces several enhancements based on a recent security audit. Key improvements include:

• Environment Variable Validation: Ensures critical configurations are present and secure.
• Secure CORS & Rate Limiting: Prevents cross-origin attacks and DoS.
• Input Validation & File Upload Security: Protects against injection, XSS, and malicious file uploads.
• Enhanced Authentication & Error Handling: Improves JWT security and prevents information disclosure.
• Dependency Updates: Resolves known vulnerabilities from npm audit.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/compression	1.8.1	🟢 8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 9 8 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 9 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 9 SAST tool detected but not run on all commits License 🟢 10 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 29 out of 29 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 19 contributing companies or organizations
npm/morgan	1.10.1	🟢 7.4	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches CI-Tests 🟢 4 6 out of 14 merged PRs checked by a CI test -- score normalized to 4 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 4 found 15 unreviewed changesets out of 29 -- score normalized to 4 Contributors 🟢 10 6 different organizations found -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 6 6 commit(s) out of 30 and 2 issue activity out of 30 found in the last 90 days -- score normalized to 6 Packaging ⚠️ -1 no published package detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 7 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 10 no vulnerabilities detected
npm/multer	2.0.2	🟢 7.1	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches CI-Tests 🟢 6 12 out of 18 merged PRs checked by a CI test -- score normalized to 6 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 6 Found 17/27 approved changesets -- score normalized to 6 Contributors 🟢 10 project has 54 contributing companies or organizations Dangerous-Workflow ⚠️ -1 internal error: internal error: invalid GitHub workflow: :18:0: could not parse as YAML: yaml: line 18: did not find expected ',' or ']' [syntax-check] Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 23 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 internal error: internal error: invalid GitHub workflow: :18:0: could not parse as YAML: yaml: line 18: did not find expected ',' or ']' [syntax-check] Pinned-Dependencies ⚠️ -1 internal error: internal error: invalid GitHub workflow: :18:0: could not parse as YAML: yaml: line 18: did not find expected ',' or ']' [syntax-check] SAST ⚠️ -1 internal error: internal error: invalid GitHub workflow: :18:0: could not parse as YAML: yaml: line 18: did not find expected ',' or ']' [syntax-check] Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ -1 internal error: internal error: invalid GitHub workflow: :18:0: could not parse as YAML: yaml: line 18: did not find expected ',' or ']' [syntax-check] Vulnerabilities 🟢 10 0 existing vulnerabilities detected
npm/on-headers	1.1.0	🟢 6.6	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 11 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy 🟢 9 security policy file detected SAST 🟢 8 SAST tool detected but not run on all commits
npm/validator	13.15.15	🟢 6.9	Details Check Score Reason Code-Review 🟢 9 Found 28/30 approved changesets -- score normalized to 9 Maintained 🟢 8 6 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 8 Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found SAST 🟢 9 SAST tool detected but not run on all commits
npm/validator	^13.15.15	🟢 6.9	Details Check Score Reason Code-Review 🟢 9 Found 28/30 approved changesets -- score normalized to 9 Maintained 🟢 8 6 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 8 Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found SAST 🟢 9 SAST tool detected but not run on all commits

Scanned Files

• package-lock.json
• package.json

[cursor]

Bug: Route Registration Glitches Impact API Functionality

Duplicate route registrations for /api/alerts, /api/disasters, and /api/emergency endpoints. The routes for /api/alerts and /api/disasters are registered twice; the initial registration is matched first, preventing the emergencyLimiter from being applied. Furthermore, the emergency endpoint has a path mismatch, being registered as /api/emergency in one instance and /api/emergencies in another, leading to inconsistent routing and misapplied rate limiting.

server.js#L256-L275

SafeEscape-backend/server.js

Lines 256 to 275 in 705fbbd

	app.use('/api/ai', aiRoutes);
	app.use('/api/alerts', alertRoutes);
	app.use('/api/disasters', disasterRoutes);
	app.use('/api/emergency', emergencyRoutes);
	app.use('/api/evacuation', evacuationRoutes);
	app.use('/api/gemini', geminiRoutes);
	app.use('/api/maps', mapRoutes);
	app.use('/api/predictions', predictionRoutes);
	app.use('/api/notifications', pushNotificationRoutes);
	app.use('/api/routes', routeRoutes);
	app.use('/api/safe-zones', safeZoneRoutes);
	app.use('/api/users', userRoutes);
	app.use('/api/voice', voiceLimiter, voiceRoutes);
	app.use('/api/diagnostic', diagnosticRoutes);
	// Emergency endpoints with less restrictive rate limiting
	app.use('/api/alerts', emergencyLimiter, alertRoutes);
	app.use('/api/disasters', emergencyLimiter, disasterRoutes);
	app.use('/api/emergencies', emergencyLimiter, emergencyRoutes);

Fix in Cursor • Fix in Web

---

Bug: Firebase UID Validation Fails

The validateUserId function's validation logic is too restrictive for Firebase UIDs. The condition !validator.isUUID(userId) && !validator.isAlphanumeric(userId) incorrectly rejects valid Firebase UIDs that can contain characters like dashes and underscores.

middleware/security/inputValidator.js#L64-L67

SafeEscape-backend/middleware/security/inputValidator.js

Lines 64 to 67 in 705fbbd

	// Check if it's a valid UUID or Firebase UID format
	if (!validator.isUUID(userId) && !validator.isAlphanumeric(userId)) {
	throw new Error('Invalid user ID format');
	}

Fix in Cursor • Fix in Web

---

BugBot free trial expires on July 22, 2025
Learn more in the Cursor dashboard.

Was this report helpful? Give feedback by reacting with 👍 or 👎