With all the discussion around security and AI, I have been going through the Emoncms codebase more systematically using a mixture of Copilot, Claude, and Gemini to check for security issues. It’s been a productive process, uncovering quite a few issues that needed addressing. I can't claim to be doing anything particularly novel in the way I’m approaching this process, but it’s been interesting to read about how others such as Firefox are using these tools to harden their software: Behind the Scenes Hardening Firefox with Claude Mythos Preview - Mozilla Hacks - the Web developer blog.
The most concerning and important fix was a secondary SQL injection vulnerability in the dashboard module (only applicable to multi-user Emoncms installations, where anyone can create an account and craft a specific dashboard content string). This is now fixed in Release 2.4.4 · emoncms/dashboard · GitHub of the dashboard module.
A wider range of defense in depth changes were added to Emoncms core, the latest version being v11.12.3:
- Please see emoncms v11.11.0 release notes for first large set of changes: Release 11.11.0 · emoncms/emoncms · GitHub.
- v11.12.1 is mostly admin module refactoring (non security related) but also includes important security hardening of Forwarded headers, see: fix: only trust X-Forwarded-* headers from local/LAN proxies by TrystanLea · Pull Request #1987 · emoncms/emoncms · GitHub, thanks @alexandrecuer for the test!
- v11.12.2 and v11.12.3 are fixes for bugs introduced in the previous releases.
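The Forwarded-header hardening in v11.12.1 comes down to one rule: only believe X-Forwarded-For when the connection actually arrived from a proxy you control. The example below is an added illustration of that rule written for this post, not the code from PR #1987; the trusted loopback/RFC 1918 ranges and the function names are assumptions.

```php
<?php
// Added example (not Emoncms code): resolve the client IP, trusting
// X-Forwarded-For only when the direct peer (REMOTE_ADDR) is a
// loopback or private LAN address, i.e. a reverse proxy we operate.

function ip_in_cidr(string $ip, string $cidr): bool {
    [$subnet, $bits] = explode('/', $cidr);
    $ipBin  = inet_pton($ip);
    $subBin = inet_pton($subnet);
    if ($ipBin === false || $subBin === false || strlen($ipBin) !== strlen($subBin)) {
        return false; // unparsable address or IPv4/IPv6 mismatch
    }
    $bits  = (int)$bits;
    $bytes = intdiv($bits, 8);
    $rem   = $bits % 8;
    if (substr($ipBin, 0, $bytes) !== substr($subBin, 0, $bytes)) return false;
    if ($rem === 0) return true;
    $mask = (0xFF << (8 - $rem)) & 0xFF; // partial last byte of the prefix
    return (ord($ipBin[$bytes]) & $mask) === (ord($subBin[$bytes]) & $mask);
}

function is_trusted_proxy(string $ip): bool {
    // Assumed trusted ranges: local host and private LAN only.
    $trusted = ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '::1/128'];
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($ip, $cidr)) return true;
    }
    return false;
}

function client_ip(array $server): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !is_trusted_proxy($remote)) {
        return $remote; // header ignored: peer is not a proxy we control
    }
    // A proxy appends the address it saw to the end of the list, so the
    // rightmost entry is the one our trusted proxy added; earlier entries
    // could have been supplied by the client and are not trusted here.
    $hops = array_map('trim', explode(',', $xff));
    $last = end($hops);
    return filter_var($last, FILTER_VALIDATE_IP) !== false ? $last : $remote;
}

// Constructed sample requests: a direct internet peer spoofing the header,
// and a request that genuinely came through a LAN proxy.
echo client_ip(['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1']), "\n";   // 203.0.113.9
echo client_ip(['REMOTE_ADDR' => '192.168.1.10',
                'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 203.0.113.5']), "\n";                 // 203.0.113.5
```

Anything that reads the client address for rate limiting or logging should go through one function like this, so the header is never consulted when the peer is not a trusted proxy.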
Please also update:
- Graph module: Release 2.2.8 · emoncms/graph · GitHub
- Device module: https://github.com/emoncms/device/releases/tag/2.3.10
- App module: Release 3.1.7 · emoncms/app · GitHub
- Sync module: Release 3.2.5 · emoncms/sync · GitHub
- Account module (if in use): Commits · emoncms/account · GitHub
- Post process module: Release 2.5.3 · emoncms/postprocess · GitHub
@alexandrecuer has updated the Emoncms docker image to use the latest versions: alexjunk/emoncms - Docker Image