azaion/satellite-provider
1
0
Fork 0
mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-22 09:41:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-491] [AZ-492] [AZ-493] [AZ-494] [AZ-496] Cycle 3 Step 14: security audit refresh
ci/woodpecker/push/01-test Pipeline was successful
Details
ci/woodpecker/push/02-build-push Pipeline was successful
Details

Browse Source 
All 5 phases refreshed against cycle-3 delta:

Phase 1 (Dependency Scan):
  - D1 RESOLVED (AZ-496): Microsoft.AspNetCore.OpenApi 8.0.21 → 8.0.25
  - D3 RESOLVED (AZ-496): JwtBearer 8.0.21 → 8.0.25
  - D4 NEW (Low, test-only): System.IdentityModel.Tokens.Jwt 7.0.3 +
    Microsoft.IdentityModel.Tokens 7.0.3 pinned in TestSupport carry
    CVE-2024-21319 (JWE DoS). Bump to ≥ 7.1.2 tracked as future PBI.

Phase 2 (Static Analysis):
  - F-AUTH-3 (Info): test runner Program.cs logs iss/aud at startup;
    production API does NOT (verified by grep).
  - F-AUTH-4 (Info): DEV-ONLY iss/aud placeholders in
    appsettings.Development.json + .env.example — by design per
    Option B for AZ-494.
  - F-DBR-1: TRUNCATE string interpolation in
    IntegrationTestDatabaseReset.cs — false positive (hard-coded
    table list).
  - F-DBR-2 (Low): TRUNCATE guard is operator-bypassable. Two-guard
    model is conservative-by-default and unit-tested.
  - F-PERF-1 (Low): perf-bootstrap --mint-only writes a 4-hour
    GPS-permission token to stdout. Operator-trusted machine assumed.

Phase 3 (OWASP Top 10):
  - A03 carries D1/D3 RESOLVED + D4 NEW.
  - A07 flips F-AUTH-2 to RESOLVED (AZ-494); residual revocation-list
    Low recorded.
  - A05 status unchanged (F-DBR-1 false positive).
  - A08 picks up F-DBR-2.

Phase 4 (Infrastructure):
  - JWT_ISSUER / JWT_AUDIENCE flow .env → compose → Kestrel config,
    same pattern as JWT_SECRET.
  - INTEGRATION_TEST_DB_RESET + ASPNETCORE_ENVIRONMENT=Testing wired
    for AZ-493 reset gate.
  - SatelliteProvider.TestSupport is IsPackable=false — never ships
    in a production container image.
  - New operational gate added to deploy runbook: grep for DEV-ONLY-
    in the rendered deploy environment must return zero hits.

Phase 5 (Security Report):
  - Verdict: PASS_WITH_WARNINGS (cycle 3 does not escalate).
  - 0 Critical, 0 High, 0 new Medium.
  - Cycle-2 F-AUTH-2 (Medium) RESOLVED; cycle-1 D1 + cycle-2 D3
    RESOLVED.

Autodev state advanced to Step 14 completed. Next: Step 15
(Performance Test, optional gate).

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-12 03:13:04 +03:00
parent e42bf62152
commit 314d1dec39
6 changed files with 248 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
_docs/05_security/security_report.md
+56
View File
@@ -161,3 +161,59 @@ AZ-487 introduced a JWT validation baseline (HS256, `JWT_SECRET` env var, `.Requ
- **Cycle-2 hardening backlog (Low priority)**:
- Pass `JsonDocumentOptions { MaxDepth = 8 }` and a max-claim-length check to `PermissionsAuthorizationHandler.TryReadJsonArray`.
- Document in `architecture.md` that reject-reason codes are NOT a security boundary.
---
## Cycle 3 Delta Summary (AZ-491 / AZ-492 / AZ-493 / AZ-494 / AZ-495 / AZ-496)
### What changed in cycle 3
Cycle 3 was test-infrastructure + dependency + iss/aud-validation hardening. The most security-relevant change is AZ-494, which flipped `iss` / `aud` validation from `false` (cycle-2 F-AUTH-2 finding) to `true`, sourcing both values from `JWT_ISSUER` / `JWT_AUDIENCE` env vars with the same fail-fast contract as `JWT_SECRET`. AZ-496 bumped the ASP.NET Core 8.0.21 family to 8.0.25 (closes D1 + D3). The other tasks (AZ-491 consolidate JWT test helpers, AZ-492 perf harness PT-07/PT-08, AZ-493 integration test DB reset hook, AZ-495 doc folder convention) added test-side surface but no new production attack surface.
### Findings table (cycle-3 delta)
| # | Severity | Category | Location | Title |
|------------|-----------------------|------------------------------------------|---------------------------------------------------------------------------|---------------------------------------------------------------------------------------------|
| D4 | Low | A03 — Supply Chain (test-only) | `SatelliteProvider.TestSupport.csproj` (`System.IdentityModel.Tokens.Jwt 7.0.3` + `Microsoft.IdentityModel.Tokens 7.0.3`) | CVE-2024-21319 (JWE DoS) in pinned 7.0.3 < 7.1.2 fix line; **test-only, never deployed**; bump to ≥ 7.1.2 in future PBI |
| F-AUTH-3 | Informational | A07 — AuthN observability (test-only) | `SatelliteProvider.IntegrationTests/Program.cs:67` | Test runner logs resolved `iss` / `aud` at startup — operator-visible only, no prod path leaks |
| F-AUTH-4 | Informational | A02 — Misconfiguration (by design) | `appsettings.Development.json` + `.env.example` | DEV-ONLY iss/aud placeholders deliberately committed (Option B forcing function for prod fail-fast) |
| F-DBR-1 | **False positive** | A05 — Injection (TRUNCATE interpolation) | `SatelliteProvider.IntegrationTests/IntegrationTestDatabaseReset.cs:32` | Hard-coded table list; no user input flows in; recorded so scanners don't re-flag |
| F-DBR-2 | Low | A08 — Data Integrity (test-only) | `SatelliteProvider.TestSupport/IntegrationTestResetGuard.cs:11-36` | Destructive TRUNCATE gated by two soft guards (env + Host allowlist); deliberate operator-bypass surface |
| F-PERF-1 | Low | A06 / A07 — Token handling (CLI-only) | `SatelliteProvider.IntegrationTests/PerfBootstrap.cs:21-48` | 4-hour `GPS`-permission token written to stdout for the perf harness; operator-trusted machine assumed |
### Verdict reconciliation
- No new Critical or High findings → cycle 3 does NOT escalate the verdict.
- One new Low finding in production-adjacent surfaces (D4) — **test-only, never deployed**; documented remediation path in dependency_scan.md.
- Two new Informational items (F-AUTH-3, F-AUTH-4) — both by-design or test-runner-only.
- One Low finding in test-side destructive op (F-DBR-2) — unit-tested guard, conservative-by-default.
- One Low finding on operator-controlled perf-CLI surface (F-PERF-1) — accepted operational trade-off.
- One false positive (F-DBR-1) — recorded for future scanner runs.
- **Cycle-2 carry-overs resolved**: F-AUTH-2 (Medium, A07) and D3 (Low, A03) both flipped to RESOLVED. Cycle-1 D1 also flipped to RESOLVED.
**Current verdict: PASS_WITH_WARNINGS** (cycle 3 satisfies the autodev Step-14 gate; proceed to Step 15).
### New / refreshed cycle-3 recommendations
- **Pre-deploy gate (operational, NOT code)** — same forcing function as cycle 2's `JWT_SECRET` gate, now extended:
- `deploy/SKILL.md` must verify `JWT_SECRET` is ≥ 32 bytes AND NOT equal to the DEV-ONLY placeholder.
- `deploy/SKILL.md` must verify `JWT_ISSUER` and `JWT_AUDIENCE` are set to admin-team-confirmed prod values, NOT the `DEV-ONLY-` placeholders. A grep for `DEV-ONLY-` in the rendered deploy environment must return zero hits.
- **TestSupport 7.0.3 bump** (D4) — future PBI: bump `Microsoft.IdentityModel.Tokens` + `System.IdentityModel.Tokens.Jwt` to ≥ 7.1.2 (or align to the 8.0.x family). Eliminates the `NU1902` warning noise on every restore. Test-only, low priority.
- **Cross-repo doc** (AZ-494 AC-7) — `suite/_docs/10_auth.md` write deferred. Outside this workspace's boundary; tracked in `deploy_cycle2.md` R3 follow-up.
- **Token revocation list** (A07 residual) — accepted as out-of-scope until requirement emerges. Re-evaluate if cycle N introduces user-revocable tokens or session management.
### Cycle-3 hardening backlog (Low priority, NOT cycle-blocking)
- Add a third guard to `IntegrationTestResetGuard` requiring explicit `INTEGRATION_TEST_DB_RESET_CONFIRM=I-UNDERSTAND-THIS-TRUNCATES` when the guard runs against a non-`postgres` host (i.e. operator's `localhost` outside Docker).
- Drop `iss` / `aud` from the integration-tests startup banner (F-AUTH-3) once the AZ-494 contract is well-understood by everyone on the team; the byte-count line is enough.
- Pipe `--mint-only` token through a process substitution / `xargs` so it never lands in shell history.
### Phase artifact status
| Artifact | Cycle 1 | Cycle 2 delta | Cycle 3 delta |
|----------|---------|---------------|---------------|
| `dependency_scan.md` | ✓ | ✓ | ✓ (D1 + D3 RESOLVED; D4 NEW) |
| `static_analysis.md` | ✓ | ✓ | ✓ (F-AUTH-3, F-AUTH-4, F-DBR-1, F-DBR-2, F-PERF-1) |
| `owasp_review.md` | ✓ | ✓ | ✓ (A03 + A07 status refreshed) |
| `infrastructure_review.md` | ✓ | ✓ | ✓ (compose env pass-through, AZ-493 guard plumbing, AZ-494 operational gates) |
| `security_report.md` | ✓ | ✓ | ✓ (this section) |