Skip to content

fix(security): FORGE-631 harden password reset against traversal and …#12

Open
joeyliechty wants to merge 1 commit into
developfrom
feature/FORGE-631
Open

fix(security): FORGE-631 harden password reset against traversal and …#12
joeyliechty wants to merge 1 commit into
developfrom
feature/FORGE-631

Conversation

@joeyliechty

Copy link
Copy Markdown
Contributor

…token abuse

Prevent JCR path traversal by validating userId before path construction. Add per-username rate limiting to slow automated reset enumeration. Persist reset token before sending email; clear token before saving password. Remove token URL from debug logs; escape feedback panel output to prevent XSS. Fix "null null" display name bug and align demo version references to 7.0.1-SNAPSHOT.

(co-authored with Claude Code)

…token abuse

Prevent JCR path traversal by validating userId before path construction.
Add per-username rate limiting to slow automated reset enumeration.
Persist reset token before sending email; clear token before saving password.
Remove token URL from debug logs; escape feedback panel output to prevent XSS.
Fix "null null" display name bug and align demo version references to 7.0.1-SNAPSHOT.

(co-authored with Claude Code)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant