Taxpoynt logoTaxpoynt
Taxpoynt Docs

Compliance

Security Baseline Report (Report 1)

Source file: SECURITY_BASELINE_REPORT_2026-02-21.md

Executive Summary

This is the first security report for the current hardening cycle.

  • Report ID: SEC-REPORT-001
  • Status: Baseline (Pre-Fix)
  • Date: February 21, 2026
  • Repository: platform-clean
  • Branch: main
  • Commit: ed9a4d2

Outcome at baseline:

  1. No confirmed SQL injection vulnerability in invoice retrieval paths.
  2. Security controls are present (ORM usage, tenant scoping, input validation).
  3. Some assurance gaps remain (unsafe raw-SQL API usage in helper services, e2e boot failure, dependency audit blocked by network).

Scope

Assessed components:

  1. API backend under apps/api.
  2. Invoice retrieval and ingestion flows in SI/AP modules.
  3. Raw SQL usage patterns across backend services.
  4. Local static and dynamic security checks available in this environment.

Out of scope for this baseline:

  1. External penetration against deployed staging/production.
  2. Third-party infrastructure and cloud controls.
  3. Full SCA over internet (blocked by DNS/network constraints in this environment).

Methodology

Security workflow executed:

  1. Static code review for SQL injection patterns and trust boundaries.
  2. SAST-oriented checks:
    • pnpm run lint (apps/api)
    • pnpm run typecheck (apps/api)
  3. Dynamic checks:
    • Attempted full e2e run via pnpm run test:e2e --runInBand
    • Added and executed targeted security tests for SQLi-like payloads.
  4. SCA attempt:
    • pnpm audit --prod (failed due environment network resolution issue).

Findings

F1: SQLi in Invoice Retrieval Paths Not Confirmed

  • Severity: Informational
  • Status: No exploit confirmed

Key evidence:

  1. Invoice retrieval uses Prisma ORM queries, not string-concatenated SQL:
    • apps/api/src/modules/si/infrastructure/persistence/prisma-invoice.repository.ts:47
    • apps/api/src/modules/si/infrastructure/persistence/prisma-invoice.repository.ts:103
  2. Tenant guard prevents cross-organization invoice access:
    • apps/api/src/modules/si/application/use-cases/get-invoice.use-case.ts:11
    • apps/api/src/modules/ap/infrastructure/http/ap.controller.ts:1025
  3. Global input validation is enabled:
    • apps/api/src/main.ts:11

Conclusion:

No evidence of the classic vulnerable pattern ... WHERE invoice_id = ' + input + ... in assessed invoice retrieval code paths.

F2: Unsafe Raw-SQL APIs Present in Helper Services

  • Severity: Medium
  • Status: Open (hardening recommended)

Observed usage:

  1. apps/api/src/modules/firs-config/services/firs-credentials.service.ts:65
  2. apps/api/src/modules/si/services/connector-flag.service.ts:43
  3. apps/api/src/modules/si/services/mono-account-registry.service.ts:33
  4. apps/api/src/modules/si/services/mono-webhook-status-store.service.ts:22

Assessment:

  1. Current queries appear static with positional parameters ($1, $2, etc.).
  2. No template interpolation into SQL strings was found during this baseline.
  3. Risk remains elevated because *RawUnsafe APIs are easier to misuse in future changes.

F3: Full E2E Security Coverage Blocked by Bootstrapping Failure

  • Severity: Medium (assurance gap)
  • Status: Open

Attempted command:

  1. pnpm run test:e2e --runInBand

Result:

  1. Nest injector recursion crash:
    • RangeError: Maximum call stack size exceeded
  2. This blocked full HTTP-level dynamic security verification through the normal e2e harness.

F4: Dependency Audit Blocked by Network/DNS Constraints

  • Severity: Low (assurance gap)
  • Status: Open

Attempted command:

  1. pnpm audit --prod

Result:

  1. Failed with EAI_AGAIN registry.npmjs.org.
  2. Dependency vulnerability enumeration is incomplete in this baseline.

Security Tests Added in This Baseline

  1. apps/api/src/modules/si/application/use-cases/__tests__/get-invoice.security.spec.ts
    • Verifies SQLi-like invoice ID does not bypass org boundary.
  2. apps/api/src/modules/ap/application/use-cases/__tests__/ingest-ap-invoice.security.spec.ts
    • Verifies SQLi-like invoice number is rejected before persistence.

Execution result:

  1. Both tests passed.

Existing Security Regression Check Re-Run

Re-ran:

  1. src/modules/environments/application/use-cases/__tests__/create-environment.security.spec.ts

Result:

  1. Passed (7/7).

Overall Risk (Baseline)

  • Current SQLi risk in assessed invoice retrieval paths: Low
  • Residual engineering risk: Medium

Residual risk drivers:

  1. Use of unsafe raw query APIs in non-invoice helper services.
  2. Blocked full e2e dynamic validation in current test harness state.
  3. Incomplete SCA due network constraint.

Remediation Plan Before Final Report

  1. Replace .$queryRawUnsafe / .$executeRawUnsafe with safe equivalents where feasible.
  2. Fix Nest DI recursion to restore full e2e execution.
  3. Re-run e2e security probes after fix.
  4. Run pnpm audit --prod in network-enabled environment.
  5. Optionally run controlled staged DAST/pentest with approved credentials and scope.

Exit Criteria for Final Report (Report 2)

Final report can be issued when all of the following are true:

  1. Raw unsafe SQL usage reduced or justified with documented safeguards.
  2. E2E harness executes successfully and security probes are re-run.
  3. Dependency audit results are collected and triaged.
  4. All added security regression tests remain passing.