
Security Audit Report - OmniButler Backend

Date: 2025-07-24
Auditor: Security Analysis Tool
Scope: Comprehensive security audit of OmniButler backend codebase
Last Updated: 2025-07-24

Executive Summary

This security audit identified several critical and high-severity vulnerabilities in the OmniButler backend that require immediate attention. The most severe issues include disabled authentication (FIXED), overly permissive CORS configuration, hardcoded secrets, and exposed sensitive endpoints.

Critical Vulnerabilities

1. CRITICAL: Authentication Bypass in Internal Endpoints ✅ FIXED

Location: /src/infrastructure/auth/internal_auth.py:33
Severity: Critical
Status: FIXED (2025-07-24)
Description: The verify_internal_request function had a hardcoded return True statement that bypassed all authentication checks.

Fix Applied: Implemented Google Cloud OIDC token verification for production/staging environments while maintaining local development bypass. See /src/docs/INTERNAL_ENDPOINT_SECURITY.md for implementation details.

# Fixed implementation now properly verifies OIDC tokens
if app_config.is_local_env:
    logger.debug("Local environment - skipping internal auth")
    return True

# Verify Google Cloud OIDC token
id_info: dict[str, Any] = jwt.decode(token, request_obj)

Impact: Before the fix, any user could access internal endpoints without authentication. The endpoints are now properly secured.
Recommendation: Remove the hardcoded return statement and implement proper authentication logic. Status: COMPLETED

2. CRITICAL: Overly Permissive CORS Configuration

Location: /src/application/app.py:127-130
Severity: Critical
Description: CORS is configured to allow all origins, credentials, methods, and headers.

application.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

Impact: Enables cross-site request forgery (CSRF) attacks and credential theft.
Recommendation: Restrict origins to specific domains, limit methods and headers to required ones.
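
A stricter configuration for the CORS finding above, as an added example that is not OmniButler's code: it builds the CORSMiddleware arguments from an explicit https allowlist and rejects wildcards. The CORS_ALLOWED_ORIGINS variable name, the helper names, and the method and header sets are assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical environment variable name; the report does not name one.
ORIGINS_ENV = "CORS_ALLOWED_ORIGINS"


def parse_allowed_origins(raw: str) -> list[str]:
    """Parse a comma-separated origin allowlist, rejecting unsafe entries."""
    origins: list[str] = []
    for item in raw.split(","):
        origin = item.strip().rstrip("/")
        if not origin:
            continue
        if "*" in origin:
            raise ValueError(f"wildcard origin not allowed: {origin!r}")
        parts = urlsplit(origin)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"origin must be https://host[:port]: {origin!r}")
        if parts.path or parts.query or parts.fragment:
            raise ValueError(f"origin must not carry a path or query: {origin!r}")
        origins.append(origin)
    if not origins:
        # Fail closed: an empty allowlist is a deployment error, not "allow all".
        raise ValueError("empty CORS allowlist")
    return origins


def cors_kwargs(raw_origins: str) -> dict:
    """Keyword arguments for CORSMiddleware with an explicit allowlist."""
    return {
        "allow_origins": parse_allowed_origins(raw_origins),
        "allow_credentials": True,
        # Assumed method and header sets; trim to what the API actually uses.
        "allow_methods": ["GET", "POST"],
        "allow_headers": ["Authorization", "Content-Type"],
    }


# Usage in app.py, replacing the wildcard block:
# application.add_middleware(CORSMiddleware, **cors_kwargs(os.environ[ORIGINS_ENV]))
```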

3. CRITICAL: Hardcoded Sentry DSN

Location: /src/application/config.py:84
Severity: Critical
Description: Sentry DSN is hardcoded in the configuration file.

sentry_dsn: str = "https://9465b3e42262bca4df9a60b9d474d198@o4508375598825472.ingest.de.sentry.io/4508375712530512"

Impact: Exposes internal monitoring infrastructure, allows unauthorized error submissions.
Recommendation: Move to environment variables or secure configuration management.

High Severity Vulnerabilities

4. HIGH: Missing Authentication on Public API Endpoints

Severity: High
Description: Many API endpoints in /api/v1/ lack authentication checks. They receive request: Request but don't verify tokens.

Examples:

  • /api/v1/balance-verification/{account_id}
  • /api/v1/bank/{bank_id}/balances
  • /api/v1/transactions/summary/{period}
  • /api/v1/debug endpoints

Impact: Unauthorized access to sensitive financial data and system information.
Recommendation: Implement authentication middleware for all sensitive endpoints.

5. HIGH: Exposed Debug Endpoints in Production

Location: /src/application/api/v1/debug.py
Severity: High
Description: Debug endpoints are exposed without proper access control:

  • /api/v1/debug - Exposes environment info and sync data
  • /api/v1/debug/redis-diagnostic - Exposes Redis diagnostics
  • /api/v1/whatsapp/debug/* - WhatsApp debug endpoints

Impact: Information disclosure about system internals, infrastructure details.
Recommendation: Disable debug endpoints in production or implement strict access controls.

6. HIGH: Sensitive Data in Logs

Severity: High
Description: Multiple instances of logging sensitive information:

  • /src/domain/services/create_database_for_app_user.py:36 - Logs partial tokens
  • /src/infrastructure/auth/internal_auth.py:68 - Logs token audience mismatches
  • /src/application/use_cases/whatsapp/link_account.py:76 - Logs WhatsApp numbers

Impact: Sensitive data exposure in log aggregation systems.
Recommendation: Implement log sanitization, never log tokens or PII.
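
One way to implement the log sanitization recommended above, as an added example that is not OmniButler's code: a logging filter that redacts token-like strings and phone numbers after the message is rendered, so values passed as format arguments are covered. The regular expressions, marker strings and all sample log lines are constructed assumptions.

```python
import logging
import re

# Assumed patterns for the data classes this finding names; extend as needed.
_JWT = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
_LABELLED = re.compile(r"(?i)(bearer\s+|token\s*[=:]\s*)[A-Za-z0-9._~+/-]{8,}")
_PHONE = re.compile(r"\+\d[\d\s()-]{6,}\d")  # E.164-style, leading + required


def redact(text: str) -> str:
    """Replace token-like and phone-like substrings with fixed markers."""
    text = _JWT.sub("[REDACTED_TOKEN]", text)
    text = _LABELLED.sub(r"\1[REDACTED_TOKEN]", text)
    return _PHONE.sub("[REDACTED_PHONE]", text)


class RedactingFilter(logging.Filter):
    """Attach to handlers, so records from every logger pass through it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render first: secrets usually arrive as %s arguments, not in msg.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


class _ListHandler(logging.Handler):
    """In-memory handler used only to capture the demo output."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(record.getMessage())


def demo() -> list[str]:
    """Run constructed log calls through the filter and return the output."""
    handler = _ListHandler()
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("redaction_demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    log.info("Linking WhatsApp number %s", "+20 100 555 0142")
    log.info("Creating database, token=%s...", "abcd1234efgh5678")
    log.info("Token audience mismatch for internal request")
    return handler.lines
```

A filter of this kind is a backstop; the call sites listed in the finding should still stop passing tokens and phone numbers to the logger.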

7. HIGH: Weak Encryption Key

Location: /src/application/config.py:51
Severity: High
Description: Default encryption key is hardcoded:

encryption_key: str = "your-default-encryption-key"

Impact: Compromised data encryption if default key is used.
Recommendation: Require strong encryption keys from environment variables.
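
A startup check covering this finding and the hardcoded Sentry DSN in finding 3, as an added example that is not OmniButler's code: secrets come only from the environment, and the service refuses to start on a missing, placeholder or weak key. The variable names ENCRYPTION_KEY and SENTRY_DSN, the length floor and the helper names are assumptions.

```python
import os
from typing import Mapping, Optional

# Hypothetical variable names; the report does not say what the project uses.
KEY_VAR, DSN_VAR = "ENCRYPTION_KEY", "SENTRY_DSN"
# The placeholder the audit found in config.py must never be accepted.
KNOWN_PLACEHOLDERS = {"your-default-encryption-key"}
MIN_KEY_CHARS = 32  # assumed floor; match it to the cipher actually in use


class InsecureConfigError(RuntimeError):
    """Raised at startup so the service refuses to run with unsafe secrets."""


def load_secrets(env: Mapping[str, str] = os.environ) -> dict[str, Optional[str]]:
    """Return validated secrets from env, or raise listing every problem."""
    problems: list[str] = []
    key = env.get(KEY_VAR, "").strip()
    if not key:
        problems.append(f"{KEY_VAR} is not set")
    elif key in KNOWN_PLACEHOLDERS:
        problems.append(f"{KEY_VAR} is a known placeholder value")
    elif len(key) < MIN_KEY_CHARS or len(set(key)) < 10:
        problems.append(f"{KEY_VAR} is too short or too repetitive")
    # No default DSN in code: unset means error reporting stays disabled.
    dsn = env.get(DSN_VAR, "").strip() or None
    if dsn is not None and not dsn.startswith("https://"):
        problems.append(f"{DSN_VAR} must be an https URL")
    if problems:
        # Report variable names only, never the rejected values themselves.
        raise InsecureConfigError("; ".join(problems))
    return {"encryption_key": key, "sentry_dsn": dsn}
```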

Medium Severity Vulnerabilities

8. MEDIUM: Missing Rate Limiting

Severity: Medium
Description: No rate limiting implementation found across the API endpoints.

Impact: Susceptible to brute force attacks, DoS attacks, and resource exhaustion.
Recommendation: Implement rate limiting using slowapi or similar middleware.

9. MEDIUM: SQL Injection Risk in String Formatting

Severity: Medium
Description: Multiple instances of string formatting in database operations and logging that could be vulnerable if user input is included:

  • Various f-string usages with database operations
  • URL construction with user inputs

Impact: Potential SQL injection if user input reaches these operations.
Recommendation: Use parameterized queries exclusively, validate all inputs.

10. MEDIUM: Exposed Internal Service URLs

Location: /src/application/config.py:23
Severity: Medium
Description: Example ngrok URL exposed in comments:

APP_ENDPOINT=https://171c-197-133-255-212.ngrok-free.app

Impact: Information disclosure about development practices.
Recommendation: Remove all example URLs and internal references.

11. MEDIUM: No API Versioning Strategy

Severity: Medium
Description: While the API uses a /v1/ prefix, there is no clear versioning or deprecation strategy.

Impact: Breaking changes could affect clients, no backward compatibility guarantee.
Recommendation: Implement proper API versioning with deprecation policies.

Low Severity Vulnerabilities

12. LOW: FastAPI Debug Mode Enabled

Location: /src/application/app.py:122
Severity: Low
Description: FastAPI is initialized with debug=True.

application = FastAPI(title="Omnibutler", debug=True, lifespan=lifespan)

Impact: Verbose error messages in production.
Recommendation: Disable debug mode in production environments.

13. LOW: Missing Security Headers

Severity: Low
Description: No security headers middleware found (X-Frame-Options, CSP, etc.).

Impact: Vulnerable to clickjacking, XSS attacks.
Recommendation: Implement security headers middleware.

Recommendations Summary

Immediate Actions (Critical)

  1. Fix authentication bypass in internal endpoints
  2. Implement proper CORS configuration
  3. Move all secrets to environment variables
  4. Add authentication to all sensitive endpoints

Short-term Actions (High)

  1. Disable or secure debug endpoints
  2. Implement log sanitization
  3. Replace default encryption keys
  4. Add rate limiting

Medium-term Actions

  1. Implement comprehensive input validation
  2. Add security headers
  3. Develop API versioning strategy
  4. Regular dependency updates

Security Best Practices

  1. Implement least privilege access control
  2. Regular security audits
  3. Dependency vulnerability scanning
  4. Security training for development team
  5. Implement SAST/DAST in CI/CD pipeline

Dependency Analysis

The application uses several dependencies that require monitoring:

  • cryptography==44.0.1 - Keep updated for security patches
  • fastapi==0.115.14 - Current version, monitor for updates
  • urllib3, requests - Common targets for vulnerabilities

Recommendation: Implement automated dependency scanning with tools like Dependabot or Snyk.

Conclusion

The OmniButler backend has several critical security vulnerabilities that need immediate attention. The most pressing issues are the authentication bypass and overly permissive CORS configuration. These vulnerabilities could lead to unauthorized access to sensitive financial data and system compromise.

Priority should be given to fixing the critical and high-severity issues before the application is deployed to production or handles real user data.