{ "task_id": "task-2108", "auditor": "loki", "audit_type": "red-team-security-audit", "timestamp": "2026-04-22T16:45:00Z", "result": "PASS", "findings": [ { "category": "External URL Security", "severity": "INFO", "status": "PASS", "description": "External link to insuwiki.vercel.app uses proper security attributes", "details": [ "InsuWikiIntro.tsx line 95: href=\"https://insuwiki.vercel.app\" includes target=\"_blank\" rel=\"noopener noreferrer\"", "MediScan.tsx lines 134-135: External contact links use target=\"_blank\" rel=\"noopener noreferrer\"", "Prevents window.opener access and referrer leakage" ], "risk": "None" }, { "category": "Frontend Access Control", "severity": "MEDIUM", "status": "CONFIRMED - LIMITATION", "description": "Access control for hidden plan features is frontend-only", "details": [ "InsuWikiIntro.tsx and MediScan.tsx use useUserPlan() hook to determine visibility", "Components conditionally render based on isHidden flag (lines 82-101 in InsuWikiIntro, 65-78 in MediScan)", "Routes defined in config/routes.ts (lines 259-271) lack explicit premiumOnly/hiddenOnly markers", "No premiumOnly flag set for /tools/insuwiki and /tools/mediscan routes" ], "risk": "Frontend logic can be bypassed by DOM manipulation or network interception. However, this is a documented design choice: page loads for authenticated users and conditionally shows content.", "recommendation": "This is acceptable IF backend API routes (if any) validate plan tier before serving restricted data. Current implementation shows no additional API calls in these pages, so no backend exposure." }, { "category": "Plan Feature Mapping", "severity": "LOW", "status": "PASS", "description": "Plan feature mappings correctly configured for hidden plan only features", "details": [ "planFeatureMap.ts lines 23-24 correctly define insuwiki and mediscan with minPlan: \"히든\"", "FeatureGate component properly validates using hasMinPlan() function", "PLAN_ORDER hierarchy correctly places Hidden (5) above Max (4), Pro (3), Basic (2), Free (1)", "Normalization function in use-user-plan.ts handles both Korean and English plan names" ], "risk": "None identified" }, { "category": "Authentication & Session Validation", "severity": "HIGH", "status": "PASS", "description": "All routes protected by AuthGuard authentication middleware", "details": [ "App.tsx wraps all routes in component", "AuthGuard.tsx (lines 9-11) defines PUBLIC_PATHS excluding /tools/insuwiki and /tools/mediscan", "Both new routes require authenticated session via supabase.auth.getSession()", "Non-public routes redirect to /login when unauthenticated (line 55 of AuthGuard)" ], "risk": "None - strong session validation in place" }, { "category": "User Plan Detection", "severity": "HIGH", "status": "PASS", "description": "Plan tier correctly fetched from Supabase with proper query ordering", "details": [ "use-user-plan.ts properly checks organization subscription first (line 63-75)", "Falls back to individual user subscription if no org subscription (line 79-92)", "Falls back to free plan if no active subscription (line 95-107)", "Session validation via supabase.auth.getSession() before any DB queries", "No hardcoded plan values - all sourced from authenticated Supabase queries" ], "risk": "None - comprehensive plan validation" }, { "category": "XSS & Injection Prevention", "severity": "INFO", "status": "PASS", "description": "No XSS or injection vulnerabilities identified in new code", "details": [ "No user input processing in InsuWikiIntro.tsx or MediScan.tsx", "All content is static JSX with no eval() or innerHTML usage", "External links hardcoded: href=\"https://insuwiki.vercel.app\"", "No interpolation of user data into HTML attributes", "React handles HTML escaping automatically for all JSX content" ], "risk": "None" }, { "category": "PII & Secrets Exposure", "severity": "HIGH", "status": "PASS", "description": "No sensitive data hardcoded or exposed in new files", "details": [ "No API keys, tokens, or environment secrets in InsuWikiIntro.tsx, MediScan.tsx, or planFeatureMap.ts", "No email addresses, phone numbers, or personal data hardcoded", "CTA config uses placeholder email 'insuro@example.com' (cta-config.ts line 20)", "External link is public service (insuwiki.vercel.app), not internal API" ], "risk": "None" }, { "category": "Route Configuration", "severity": "MEDIUM", "status": "POTENTIAL ISSUE", "description": "New routes added to config/routes.ts lack explicit access control flags", "details": [ "routes.ts lines 259-263: /tools/insuwiki route defined with no premiumOnly or adminOnly flag", "routes.ts lines 265-270: /tools/mediscan route defined with no premiumOnly or adminOnly flag", "navigationConfig.ts correctly adds menu items with visible status based on component logic", "Routes rely on component-level checking via useUserPlan() rather than route-level guards" ], "risk": "Low - Components properly implement access control. Route-level flags would be defensive but are not enforced by current architecture.", "recommendation": "Consider adding hiddenOnly: true or hidden: true flags to route configs for consistency and defensive coding." }, { "category": "Content Visibility Branching", "severity": "INFO", "status": "PASS", "description": "Conditional rendering logic correctly implements hidden plan gating", "details": [ "InsuWikiIntro.tsx (line 82): {isHidden ? (...external link...) : (...full content...)}", "MediScan.tsx (line 65): {isHidden ? (...coming soon...) : (...features + CTA...)}", "Different UX for hidden vs non-hidden: Wiki redirects to external service, MediScan shows placeholder", "Both implement graceful degradation with appropriate messaging" ], "risk": "None - clean conditional rendering" }, { "category": "Navigation Menu Consistency", "severity": "LOW", "status": "PASS", "description": "Menu items properly added with consistent naming and icons", "details": [ "navigationConfig.ts line 64: 인슈위키 with BookOpen icon", "navigationConfig.ts line 65: 메디스캔 with Sparkles icon", "Both added to analytics-tools section (line 58)", "No premiumOnly flag on menu items (design choice: show menu but gate behind plan)" ], "risk": "None - UX pattern is consistent with other features" }, { "category": "Help Guide Updates", "severity": "LOW", "status": "PASS", "description": "Help guide correctly includes new menu items in auto-sort list", "details": [ "HelpGuide.tsx line 28: /tools/insuwiki and /tools/mediscan added to SIDEBAR_MENU_URLS", "Maintains proper menu ordering without breaking existing layout", "Database-driven guide content remains unaffected" ], "risk": "None" } ], "summary": "SECURITY AUDIT PASSED with one minor observation", "notes": "Task-2108 implements hidden plan feature access for InsuWiki and MediScan with proper authentication, authorization, and no PII/XSS risks. Authentication is enforced at the AuthGuard layer, plan validation occurs via Supabase queries, and components implement conditional content visibility based on plan tier. External link to insuwiki.vercel.app uses proper security attributes (target=_blank, rel=noopener noreferrer). No backend API exposure identified. Minor recommendation: Consider adding route-level hiddenOnly flags to config/routes.ts for defensive consistency, though current component-level implementation is adequate.", "audit_date": "2026-04-22", "reviewed_files": [ "/home/jay/projects/InsuRo/.worktrees/task-2108-dev6/src/components/navigation/navigationConfig.ts", "/home/jay/projects/InsuRo/.worktrees/task-2108-dev6/src/config/routes.ts", "/home/jay/projects/InsuRo/.worktrees/task-2108-dev6/src/config/planFeatureMap.ts", "/home/jay/projects/InsuRo/.worktrees/task-2108-dev6/src/pages/InsuWikiIntro.tsx", "/home/jay/projects/InsuRo/.worktrees/task-2108-dev6/src/pages/MediScan.tsx", "/home/jay/projects/InsuRo/.worktrees/task-2108-dev6/src/pages/HelpGuide.tsx", "/home/jay/projects/InsuRo/.worktrees/task-2108-dev6/src/hooks/use-user-plan.ts", "/home/jay/projects/InsuRo/.worktrees/task-2108-dev6/src/components/AuthGuard.tsx", "/home/jay/projects/InsuRo/.worktrees/task-2108-dev6/src/components/FeatureGate.tsx", "/home/jay/projects/InsuRo/.worktrees/task-2108-dev6/src/App.tsx" ] }