azaion/admin
1
0
Fork 0
mirror of https://github.com/azaion/admin.git synced 2026-06-21 08:11:08 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
c7b297de83bc5aca7ec75c5658eacfbd28ad8743
admin/_docs/05_security/owasp_review.md
T
Oleksandr Bezdieniezhnykh c7b297de83
ci/woodpecker/push/01-test Pipeline failed
Details
ci/woodpecker/push/02-build-push unknown status
Details
refactor: remove deploy.cmd and update Dockerfile for health checks 
- Deleted the deploy.cmd script as it was no longer needed.
- Updated Dockerfile to include curl for health checks and added a non-root user for improved security.
- Modified health check command to use curl for better reliability.
- Adjusted docker-compose.test.yml to reflect changes in health check configuration.
- Cleaned up appsettings.json and removed unused configuration properties.
- Removed Resource entity and related requests from the codebase as part of the architectural shift.
- Updated documentation to reflect the removal of hardware binding and related endpoints.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-13 08:47:21 +03:00

4.7 KiB
Raw Blame History

OWASP Top 10 Review (2021 edition)

Date: 2026-05-13 Framework: OWASP Top 10 — 2021 (the 2025 release is not yet finalized as of this audit; 2021 remains the current authoritative list). Scope cross-reference: every FAIL below cites a Phase 2 finding ID (F-N) for the underlying evidence.

Per-Category Assessment

# Category Status Findings
A01 Broken Access Control FAIL F-2 (path traversal via dataFolder) — F-1 closed via OTA feature revert
A02 Cryptographic Failures PASS_WITH_WARNINGS F-1 closed via revert; D-1 closed via Newtonsoft bump (13.0.4); F-7 (SHA-384 password hash, no salt/KDF) remains open as a hardening item
A03 Injection PASS linq2db parameterizes all queries; no string-concatenation SQL paths found in Azaion.Services/*Service.cs or Azaion.Common/Database/*. No Process.Start / subprocess usage in production code. No template injection paths.
A04 Insecure Design PASS_WITH_WARNINGS F-3 closed (UNIQUE INDEX users_email_uidx + RegisterUser/RegisterDevice consolidation); F-8 (no rate limiting on /login) remains as a hardening item
A05 Security Misconfiguration FAIL F-6 (container runs as root), F-13 (no HTTPS enforcement in code), F-9 (request DTOs missing validators), F-11 (placeholder credentials in 01_permissions.sql). F-5 closed automatically (EncryptionMasterKey field deleted with the OTA revert).
A06 Vulnerable & Outdated Components PASS All dotnet list package --vulnerable checks return clean. D-1 (Newtonsoft.Json) was the only manual finding; closed in this audit by bumping to 13.0.4. Three deprecated-but-not-vulnerable packages noted in dependency_scan.md.
A07 Identification & Authentication Failures PASS_WITH_WARNINGS F-3 closed (DB UNIQUE INDEX now enforces one-row-per-email). F-7 (weak password hashing) and F-8 (no rate limiting) remain open as hardening items.
A08 Software & Data Integrity Failures PASS OTA flow that introduced the unsigned-manifest concern was reverted. CI/CD: secrets are env-injected, no in-repo secrets in Dockerfile / compose files used by prod.
A09 Security Logging & Monitoring Failures PASS_WITH_WARNINGS Serilog console + rolling file sink configured. F-12 (one unstructured log line in ResourcesService). No security-event-specific logger — login successes/failures, role changes, deletes are not separately auditable.
A10 Server-Side Request Forgery (SSRF) NOT_APPLICABLE The API never makes outbound HTTP calls based on user-controlled URLs. CdnUrl from PublishResourceRequest is stored and forwarded but never fetched server-side.

Cross-Reference Against security_approach.md

The pre-cycle-1 security_approach.md "Known Security Observations" list is reconciled here:

Original observation Status post-cycle-1
1. SHA-384 without per-user salt Still open — F-7
2. hardware_hash DB column unused Resolved by AZ-197 — column-level removal pending follow-up; field is now dead but the column is still in the schema (02_structure.sql:9). Not a security risk; cleanup task.
3. No path traversal protection on dataFolder Still open — F-2
4. Hardcoded DB credentials in test files Confirmed test-only — F-10
5. No rate limiting on /login Still open — F-8
6. No audit trail for security-relevant operations Still open — A09 PASS_WITH_WARNINGS
7. No HTTPS enforcement in code Still open — F-13
8. Static encryption key salts hardcoded Partially resolvedSecurity.GetApiEncryptionKey salt is still hardcoded but the AZ-197 removal of the hwHash component reduced surface area. (ResourceColumnEncryption was deleted along with the OTA revert.)

Cycle-1 Specific Verdict

The cycle-1 changes (AZ-513, AZ-196, AZ-183, AZ-197) introduced one new High-severity finding (F-1, on /get-update) and amplified one existing High (F-3, via RegisterDevice). Both were closed before any deploy:

  • F-1 (resolved by feature revert): AZ-183 was reverted in full; the OTA delivery model itself is obsolete in the target architecture.
  • F-3 (resolved): RegisterDevice now delegates to RegisterUser; users.email has a UNIQUE INDEX (users_email_uidx); UNIQUE-violation is translated to EmailExists.

Other cycle-1 endpoints (/devices, /classes/*) have correct authorization wiring (apiAdminPolicy).

Self-verification

  • All current OWASP Top 10 categories assessed
  • Each FAIL has at least one specific finding with evidence (F-N reference)
  • NOT_APPLICABLE category has justification (A10)
Reference in New Issue View Git Blame Copy Permalink