Security Validation Report (Report 2)

Source file: SECURITY_VALIDATION_REPORT_2026-02-21.md

Executive Summary

This is the post-fix validation report for the current SQL injection hardening cycle.

  • Report ID: SEC-REPORT-002
  • Status: Post-Fix Validation
  • Date: February 21, 2026
  • Repository: platform-clean
  • Branch: main
  • Commit: ed9a4d2

Validated outcome:

  1. E2E bootstrapping blocker is resolved for security test execution.
  2. Real HTTP-level SQLi probes were executed against authenticated SI/AP routes.
  3. Controlled pentest-style exploit attempts did not produce data exfiltration or auth bypass.
  4. Static/SAST checks passed in current code state.
  5. SCA is now executable (not blocked), but dependency vulnerabilities remain open.

Coverage Against Requested Workflow

  1. Static code review: Completed.
  2. SAST (automated source scanning): Completed.
  3. DAST/manual API probing in test environment: Completed.
  4. Live pentest-style exploit validation: Completed.

Scope

Assessed components:

  1. API backend under apps/api.
  2. SI/AP invoice retrieval and AP ingest endpoints at HTTP layer.
  3. Auth entrypoint behavior under SQLi-like payloads.
  4. Local dependency vulnerability posture (workspace lockfile audit).

Out of scope:

  1. External internet-facing staged/production pentest.
  2. Infrastructure/cloud controls beyond local runtime.

Methodology and Evidence

  1. Prepared local Postgres-backed test environment and confirmed DB reachability.
  2. Attempted prisma migrate deploy on fresh DB:
    • Failed at migration 20260123_add_direct_reporting_support (relation "Buyer" does not exist).
  3. Applied test-only schema synchronization path:
    • prisma db push --force-reset --accept-data-loss.
  4. Verified E2E boot path:
    • test/health.e2e-spec.ts passed (2/2).
  5. Executed DAST + pentest-style probes:
    • test/security-dast.e2e-spec.ts passed (4/4).
  6. Re-ran targeted security regressions:
    • get-invoice.security.spec.ts
    • ingest-ap-invoice.security.spec.ts
    • create-environment.security.spec.ts
    • Result: passed (10/10).
  7. SAST checks:
    • pnpm --filter @taxpoynt/api run lint passed.
    • pnpm --filter @taxpoynt/api run typecheck passed.
  8. SQL raw-query scan:
    • rg -n "\$queryRawUnsafe|\$executeRawUnsafe" apps/api/src returned no matches.
    • Caveat: after the shell strips the backslash, rg receives the regex $queryRawUnsafe|$executeRawUnsafe, and in a regex an unescaped $ is an end-of-line anchor, so this pattern cannot match anything. The no-match result should not be relied on until the scan is repeated as a fixed-string search (rg -nF -e '$queryRawUnsafe' -e '$executeRawUnsafe' apps/api/src) or with the dollar escaped for the regex engine (rg -n '\$queryRawUnsafe|\$executeRawUnsafe' apps/api/src). The pattern also does not cover Prisma.raw(), which likewise accepts an unparameterized SQL string.
  9. SCA:
    • pnpm audit --prod executed successfully (not network-blocked).
    • Result: 23 vulnerabilities total (1 critical, 9 high, 10 moderate, 3 low).
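The raw-query check in step 8, as an added example that is not code from the report or the taxpoynt repository: a line-oriented scanner that implements the same search with the dollar sign escaped for the regex engine, and extends it to Prisma.raw() and to $queryRaw/$executeRaw called with parentheses, both of which take unparameterized SQL strings. The function names and the two sample source files are constructed for illustration and do not correspond to real files under apps/api/src.

```typescript
// Added example, not code from the report or the taxpoynt repository.
// Scans source text for Prisma raw-SQL entry points that bypass
// parameterization. Function and sample names are hypothetical.

interface RawQueryFinding {
  file: string;
  line: number;    // 1-based line number within the file
  rule: string;    // which rule matched
  text: string;    // the offending source line, trimmed
}

// Note the escaped dollar sign in each pattern: an unescaped `$` is an
// end-of-line anchor and would match nothing. The tagged-template forms
// prisma.$queryRaw`...` / prisma.$executeRaw`...` parameterize their
// ${} interpolations, so only the call-with-parentheses form is flagged.
const RAW_QUERY_RULES: Array<{ name: string; re: RegExp }> = [
  { name: 'queryRawUnsafe', re: /\$queryRawUnsafe\s*\(/ },
  { name: 'executeRawUnsafe', re: /\$executeRawUnsafe\s*\(/ },
  { name: 'Prisma.raw', re: /\bPrisma\.raw\s*\(/ },
  { name: 'rawCallForm', re: /\$(?:queryRaw|executeRaw)\s*\(/ },
];

function findUnsafeRawQueries(file: string, source: string): RawQueryFinding[] {
  const findings: RawQueryFinding[] = [];
  const lines = source.split('\n');
  for (let i = 0; i < lines.length; i++) {
    for (const rule of RAW_QUERY_RULES) {
      if (rule.re.test(lines[i])) {
        findings.push({ file, line: i + 1, rule: rule.name, text: lines[i].trim() });
      }
    }
  }
  return findings;
}

function scanSources(sources: Record<string, string>): RawQueryFinding[] {
  let all: RawQueryFinding[] = [];
  for (const file of Object.keys(sources)) {
    all = all.concat(findUnsafeRawQueries(file, sources[file]));
  }
  return all;
}

// Constructed sample sources (not real project files): one service that uses
// the parameterized tagged-template form, one that concatenates input into SQL.
const SAMPLE_SOURCES: Record<string, string> = {
  'apps/api/src/invoices/get-invoice.service.ts': [
    'const rows = await prisma.$queryRaw`SELECT * FROM "Invoice"',
    '  WHERE id = ${id} AND "tenantId" = ${tenantId}`;',
    'return rows;',
  ].join('\n'),
  'apps/api/src/reports/legacy-report.service.ts': [
    `const sql = 'SELECT * FROM "Invoice" WHERE number = \\'' + invoiceNumber + '\\'';`,
    'const rows = await prisma.$queryRawUnsafe(sql);',
    `const ordered = await prisma.$queryRaw(Prisma.raw('SELECT 1 ORDER BY ' + sortColumn));`,
    'return rows;',
  ].join('\n'),
};

// scanSources(SAMPLE_SOURCES) -> 3 findings, all in legacy-report.service.ts:
// $queryRawUnsafe on line 2, Prisma.raw and the $queryRaw(...) call form on line 3.
```

The tagged-template service produces no findings because its ${} interpolations are sent as bind parameters; the legacy service is flagged three times, including once for a call the report's original grep would never have reported.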

Findings

F1: SQL Injection Exploitability Not Confirmed in Tested SI/AP HTTP Paths

  • Severity: Informational
  • Status: Closed for this validation cycle

Validated attack classes:

  1. SQLi-like auth payloads (login bypass attempts).
  2. Cross-tenant invoice retrieval attempts on SI/AP.
  3. SQLi-like invoice ID probes in SI/AP path params.
  4. SQLi-like AP ingest invoiceNumber payload attempts.

Observed behavior:

  1. Requests were rejected with 400, 401, or 404 as expected.
  2. No unauthorized invoice payload was returned.
  3. No authentication bypass was observed.
  4. No unauthorized invoice persistence occurred for SQLi-like AP ingest payload.
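The pass/fail logic behind the observed behavior above, as an added example that is not code from the report or the taxpoynt test suite: each probe response is checked for an accepted rejection status, for serialized invoice fields, for leaked database error text, for an issued token, and (for ingest probes) for a change in row count. The routes, payloads, field names and recorded responses are constructed for illustration, and one fixture is a deliberate regression so the failure path is visible.

```typescript
// Added example, not code from the report or the taxpoynt test suite.
// Evaluates recorded HTTP responses to SQLi-like probes against the
// report's acceptance criteria. All names and fixtures are hypothetical.

interface ProbeRecord {
  route: string;
  payload: string;
  status: number;
  body: unknown;                // parsed JSON body, or raw response text
  persistedBefore?: number;     // row count before an ingest probe, if measured
  persistedAfter?: number;      // row count after an ingest probe, if measured
}

interface ProbeVerdict {
  route: string;
  ok: boolean;
  reasons: string[];
}

// Rejection statuses the report accepts for a hostile request.
const ACCEPTED_REJECTIONS = [400, 401, 404];

// Fields that only appear when an actual invoice record is serialized (assumed names).
const INVOICE_FIELDS = ['invoiceNumber', 'totalAmount', 'lineItems'];

// Postgres error text in a response means the payload reached the SQL layer
// unparameterized, or at least that database errors are not being sanitized.
const DB_ERROR_MARKERS = [
  /syntax error at or near/i,
  /unterminated quoted string/i,
  /relation ".*" does not exist/i,
];

const SQLI_PAYLOADS = [
  "' OR '1'='1' --",
  "1' UNION SELECT id, \"tenantId\" FROM \"Invoice\" --",
  'INV-001\'; DROP TABLE "Invoice"; --',
];

function evaluateProbe(rec: ProbeRecord): ProbeVerdict {
  const reasons: string[] = [];
  const text = typeof rec.body === 'string'
    ? rec.body
    : JSON.stringify(rec.body === undefined ? null : rec.body);

  if (ACCEPTED_REJECTIONS.indexOf(rec.status) === -1) {
    reasons.push('unexpected status ' + rec.status);
  }
  for (const field of INVOICE_FIELDS) {
    if (text.indexOf('"' + field + '"') !== -1) reasons.push('invoice field returned: ' + field);
  }
  for (const marker of DB_ERROR_MARKERS) {
    if (marker.test(text)) reasons.push('database error leaked: ' + marker.source);
  }
  if (text.indexOf('"accessToken"') !== -1) {
    reasons.push('auth bypass: token issued for SQLi-like credentials');
  }
  if (rec.persistedBefore !== undefined && rec.persistedAfter !== undefined
      && rec.persistedAfter !== rec.persistedBefore) {
    reasons.push('hostile ingest payload was persisted (' + rec.persistedBefore + ' -> ' + rec.persistedAfter + ' rows)');
  }
  return { route: rec.route, ok: reasons.length === 0, reasons };
}

function summarizeProbes(records: ProbeRecord[]): { passed: number; failed: ProbeVerdict[] } {
  const verdicts = records.map(evaluateProbe);
  return { passed: verdicts.filter(v => v.ok).length, failed: verdicts.filter(v => !v.ok) };
}

// Constructed fixtures: three responses of the kind the report describes,
// plus one deliberate regression to show how a leak would be reported.
const RECORDED_PROBES: ProbeRecord[] = [
  { route: 'POST /auth/login', payload: SQLI_PAYLOADS[0], status: 401, body: { message: 'Invalid credentials' } },
  { route: 'GET /si/invoices/:id', payload: SQLI_PAYLOADS[1], status: 404, body: { message: 'Invoice not found' } },
  { route: 'POST /ap/invoices/ingest', payload: SQLI_PAYLOADS[2], status: 400,
    body: { message: 'invoiceNumber must be alphanumeric' }, persistedBefore: 12, persistedAfter: 12 },
  { route: 'GET /si/invoices/:id (regression fixture)', payload: SQLI_PAYLOADS[1], status: 500,
    body: 'ERROR: syntax error at or near "UNION"' },
];

// summarizeProbes(RECORDED_PROBES) -> passed: 3, failed: the regression fixture,
// flagged both for status 500 and for the leaked Postgres syntax error.
```

In a live suite the ProbeRecord values would come from the HTTP client and a row count taken before and after each ingest probe; keeping the verdict logic separate from the transport is what lets the same criteria be reused when the probe list grows.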

F2: E2E Security Boot Blocker Resolved

  • Severity: Informational
  • Status: Closed

Resolution details:

  1. E2E env now provides required JWT secrets in apps/api/test/jest-e2e.env.ts.
  2. Health E2E suite now boots and executes successfully against live Postgres.

F3: Fresh-Database Migration Chain Defect

  • Severity: Medium
  • Status: Open

Observed failure:

  1. prisma migrate deploy on fresh DB fails at migration 20260123_add_direct_reporting_support.
  2. Error: P3018 / ERROR: relation "Buyer" does not exist.

Risk:

  1. Fresh environment reproducibility is brittle.
  2. Test and deployment pipelines may require fallback schema sync paths. The fallback used here (prisma db push --force-reset --accept-data-loss) drops and recreates the database, so it must stay confined to disposable test databases and must not be adopted for staging or production.

F4: Dependency Vulnerabilities Remain Open (SCA)

  • Severity: High (overall)
  • Status: Open

Current audit summary:

  1. Total: 23 vulnerabilities.
  2. Severity: 1 critical, 9 high, 10 moderate, 3 low.
  3. Affected paths include workspace app (next) and API dependency chains (for example jws, qs, nodemailer, lodash, undici, js-yaml).

Overall Risk Posture (Report 2)

  • SQLi risk in tested SI/AP endpoints: Low
  • Residual platform risk: Medium

Residual drivers:

  1. Open dependency vulnerabilities from SCA.
  2. Fresh migration chain defect on clean DB bootstrap.

Recommendations

  1. Fix migration ordering/dependency issue in 20260123_add_direct_reporting_support and re-validate prisma migrate deploy on an empty DB.
  2. Triage and patch critical/high dependency vulnerabilities first, then moderate.
  3. Keep apps/api/test/security-dast.e2e-spec.ts in CI to preserve SQLi exploitability regression coverage.
  4. Re-issue a closure report after migration and dependency remediation are complete.