agentic-trust

Critical vulnerabilities identified: 1. Webhook Revalidation (src/app/api/sanity/revalidate/route.ts): The `isValidSignature` function implements a simplified signature verification that merely compares the received signature header with the `SANITY_WEBHOOK_SECRET`. This is NOT proper HMAC verification. If the `SANITY_WEBHOOK_SECRET` is compromised, an attacker can easily forge requests to trigger cache revalidation for arbitrary paths, potentially leading to denial-of-service (DDoS) on the cache or presentation of stale/incorrect content. 2. Unauthenticated Image Generation API (src/app/api/generate-blog-cover/route.tsx): This API endpoint is completely unauthenticated and unvalidated. Any unauthenticated user can send a POST request to this endpoint with a `title`, `category`, `authors`, and optionally a `postId`. This allows attackers to: - Consume server resources by repeatedly triggering image generation. - Upload arbitrary images to the Sanity project's asset storage. - If a valid `postId` is provided, an attacker could attach any generated image as the `coverImage` for an existing blog post, leading to content defacement or injection. This is a severe vulnerability for content integrity and resource abuse. Sensitive environment variables (`SANITY_API_TOKEN`, `SANITY_WEBHOOK_SECRET`) are correctly referenced via `process.env` but their secure handling and protection in deployment are paramount given the identified vulnerabilities.