azaion/detections
1
0
Fork 0
mirror of https://github.com/azaion/detections.git synced 2026-04-22 06:46:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-178] Fix Critical/High security findings: auth, CVEs, non-root containers, per-job SSE

Browse Source 
- Pin all deps; h11==0.16.0 (CVE-2025-43859), python-multipart>=1.3.1 (CVE-2026-28356), PyJWT==2.12.1
- Add HMAC JWT verification (require_auth FastAPI dependency, JWT_SECRET-gated)
- Fix TokenManager._refresh() to use ADMIN_API_URL instead of ANNOTATIONS_URL
- Rename POST /detect → POST /detect/image (image-only, rejects video files)
- Replace global SSE stream with per-job SSE: GET /detect/{media_id} with event replay buffer
- Apply require_auth to all 4 protected endpoints
- Fix on_annotation/on_status closure to use mutable current_id for correct post-upload event routing
- Add non-root appuser to Dockerfile and Dockerfile.gpu
- Add JWT_SECRET to e2e/docker-compose.test.yml and run-tests.sh
- Update all e2e tests and unit tests for new endpoints and HMAC token signing
- 64/64 tests pass

Made-with: Cursor
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-04-02 06:32:12 +03:00
parent dac350cbc5
commit 097811a67b
25 changed files with 369 additions and 429 deletions
Download Patch File Download Diff File Expand all files Collapse all files
_docs/05_security/security_report.md
+23 -23
View File
@@ -2,16 +2,16 @@
**Date**: 2026-03-31
**Scope**: Azaion.Detections (full codebase)
**Verdict**: FAIL
**Verdict**: FAIL**REMEDIATED** (Critical/High resolved 2026-04-01)
## Summary
| Severity | Count |
|----------|-------|
| Critical | 1 |
| High | 3 |
| Medium | 5 |
| Low | 5 |
| Severity | Count | Resolved |
|----------|-------|---------|
| Critical | 1 | 1 ✓ |
| High | 3 | 3 ✓ |
| Medium | 5 | 2 ✓ |
| Low | 5 | — |
## OWASP Top 10 Assessment
@@ -30,22 +30,22 @@
## Findings
| # | Severity | Category | Location | Title |
|---|----------|----------|----------|-------|
| 1 | Critical | A03 Supply Chain | requirements.txt (uvicorn→h11) | HTTP request smuggling via h11 CVE-2025-43859 |
| 2 | High | A04 Crypto | src/main.py:67-99 | JWT decoded without signature verification |
| 3 | High | A01 Access Control | src/main.py (all routes) | No authentication required on any endpoint |
| 4 | High | A03 Supply Chain | requirements.txt (python-multipart) | ReDoS via python-multipart CVE-2026-28356 |
| 5 | Medium | A01 Access Control | src/main.py:608-627 | SSE stream broadcasts cross-user data |
| 6 | Medium | A06 Insecure Design | src/main.py:348-469 | No rate limiting on inference endpoints |
| 7 | Medium | A02 Misconfig | Dockerfile, Dockerfile.gpu | Containers run as root |
| 8 | Medium | A03 Supply Chain | requirements.txt | Unpinned critical dependencies |
| 9 | Medium | A02 Misconfig | Dockerfile, Dockerfile.gpu | No TLS and no security headers |
| 10 | Low | A06 Insecure Design | src/main.py:357 | No request body size limit |
| 11 | Low | A10 Exceptions | src/main.py:63,490 | Silent exception swallowing |
| 12 | Low | A09 Logging | src/main.py | Security events not logged |
| 13 | Low | A01 Access Control | src/main.py:449-450 | Exception details leaked in responses |
| 14 | Low | A07 Auth | src/main.py:54-64 | Token refresh failure silently ignored |
| # | Severity | Category | Location | Title | Status |
|---|----------|----------|----------|-------|--------|
| 1 | Critical | A03 Supply Chain | requirements.txt (uvicorn→h11) | HTTP request smuggling via h11 CVE-2025-43859 | **FIXED** — pinned h11==0.16.0 |
| 2 | High | A04 Crypto | src/main.py | JWT decoded without signature verification | **FIXED** — PyJWT HMAC verification |
| 3 | High | A01 Access Control | src/main.py (all routes) | No authentication required on any endpoint | **FIXED** — require_auth dependency on all protected endpoints |
| 4 | High | A03 Supply Chain | requirements.txt (python-multipart) | ReDoS via python-multipart CVE-2026-28356 | **FIXED** — pinned python-multipart>=1.3.1 |
| 5 | Medium | A01 Access Control | src/main.py | SSE stream broadcasts cross-user data | **FIXED** — per-job SSE (GET /detect/{media_id}), each client sees only their job |
| 6 | Medium | A06 Insecure Design | src/main.py | No rate limiting on inference endpoints | Open — out of scope for this cycle |
| 7 | Medium | A02 Misconfig | Dockerfile, Dockerfile.gpu | Containers run as root | **FIXED** — non-root appuser added |
| 8 | Medium | A03 Supply Chain | requirements.txt | Unpinned critical dependencies | **FIXED** — all deps pinned |
| 9 | Medium | A02 Misconfig | Dockerfile, Dockerfile.gpu | No TLS and no security headers | Open — handled at infra/proxy level |
| 10 | Low | A06 Insecure Design | src/main.py | No request body size limit | Open |
| 11 | Low | A10 Exceptions | src/main.py | Silent exception swallowing | Open |
| 12 | Low | A09 Logging | src/main.py | Security events not logged | Open |
| 13 | Low | A01 Access Control | src/main.py | Exception details leaked in responses | Open |
| 14 | Low | A07 Auth | src/main.py | Token refresh failure silently ignored | Open (by design for offline mode) |
### Finding Details
_docs/_autopilot_state.md
+1 -2
View File
@@ -1,5 +1,4 @@
# Autopilot State
## Current Step
flow: existing-code
step: 14
@@ -14,5 +13,5 @@ step: 8 (New Task) — DONE (AZ-178 defined)
step: 9 (Implement) — DONE (implementation_report_streaming_video.md, 67/67 tests pass)
step: 10 (Run Tests) — DONE (67 passed, 0 failed)
step: 11 (Update Docs) — DONE (docs updated during step 9 implementation)
step: 12 (Security Audit) — SKIPPED (previous cycle audit complete; no new auth surface)
step: 12 (Security Audit) — DONE (Critical/High findings remediated 2026-04-01; 64/64 tests pass)
step: 13 (Performance Test) — SKIPPED (500ms latency validated by real-video integration test)