[AZ-1074] [AZ-1075] Cycle 9 closeout: security, tests, metrics
ci/woodpecker/push/01-test Pipeline failed
ci/woodpecker/push/02-build-push unknown status

Resolve F-AZ1074-1/2 (collection caps, generic gRPC internal errors).
Standalone integration compose stack, docs, security audit, perf and retro.

Co-authored-by: Cursor <cursoragent@cursor.com>
Oleksandr Bezdieniezhnykh
2026-06-25 17:32:14 +03:00
parent 7633134a8a
commit 7ed780b063
22 changed files with 618 additions and 40 deletions
@@ -0,0 +1,60 @@
# Security Audit Report (Cycle 9)
**Date**: 2026-06-25
**Scope**: Cycle-9 delta — AZ-1074 (gRPC RouteTileDelivery service) + AZ-1075 (integration tests) + `SatelliteProvider.GrpcContracts`.
**Trigger**: `/autodev` Step 14 — user chose **A) Run security audit**.
**Verdict (cycle-9 delta, post-follow-up)**: **PASS** — 0 Medium open, 1 Low resolved in follow-up, 0 new Critical/High.
**Verdict (cumulative)**: **PASS_WITH_WARNINGS** — cycle-4/7/8 carry-overs unchanged (D2-cy4, D-AZ795-1, F-AZ795-1, F-AZ795-2, F-AZ810-1, F-AZ810-2).
## Summary
| Severity | Cycle 9 at audit | Post Step-14 follow-up | Cumulative open |
|----------|------------------|------------------------|-----------------|
| Critical | 0 | 0 | 0 |
| High | 0 | 0 | 0 |
| Medium | 1 (F-AZ1074-1) | **0 — RESOLVED** | 1 (D2-cy4 test-runtime) |
| Low | 1 (F-AZ1074-2) | **0 — RESOLVED** | 5+ (cycle 78 carry-overs) |
## OWASP Top 10:2021 (cycle-9 delta)
See `owasp_review_cycle9.md` — all categories PASS or N/A after follow-up.
## Findings
| # | Severity | Category | Location | Title | Status |
|---|----------|----------|----------|-------|--------|
| F-AZ1074-1 | Medium | Insecure Design (A04) | `RouteTileDeliveryOrchestrator.ValidateJob` | Unbounded gRPC waypoints/geofences/client_tiles | **RESOLVED** — caps 500/50/5000 |
| F-AZ1074-2 | Low | Information Disclosure (A09) | `RouteTileDeliveryGrpcService` catch-all | `ex.Message` in `DeliveryError` | **RESOLVED** — generic client message |
### F-AZ1074-1 detail (RESOLVED)
Aligned gRPC collection caps with REST: `waypoints ≤ 500`, `geofences ≤ 50`, `client_tiles ≤ 5000`. InvalidArgument via existing `ArgumentException``RpcException` mapping.
### F-AZ1074-2 detail (RESOLVED)
Internal errors now return `"An internal error occurred."` on the wire; `LogError` retains full exception.
## Carry-overs (unchanged)
- **F-AZ795-1, F-AZ795-2, F-AZ810-1, F-AZ810-2** — REST information-disclosure / time-handling (cycle 78)
- **D-AZ795-1** — FluentValidation 12.0.0 → 12.1.1
- **D2-cy4** — test SDK transitive (Medium, test-runtime only)
## Recommendations
### Immediate
- None blocking cycle 9 ship.
### Short-term (cycle 10+)
- Sanitise REST `GlobalExceptionHandler` + `UavUploadValidationFilter` (F-AZ795-1 / F-AZ810-1) in one ticket.
- Bump FluentValidation 12.0.0 → 12.1.1 (D-AZ795-1).
### Long-term
- Consider `region_size_meters` upper bound on gRPC path (REST uses 10_000 m cap) — advisory parity, not release-blocking.
## Artifacts
- `dependency_scan_cycle9.md`
- `static_analysis_cycle9.md`
- `owasp_review_cycle9.md`
- `infrastructure_review_cycle9.md`
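Review bot: In the Findings table, F-AZ1074-2 is filed under "Information Disclosure (A09)", but A09 in OWASP Top 10:2021 is Security Logging and Monitoring Failures; returning `ex.Message` to the client is an error-message disclosure (CWE-209), which the 2021 list maps to A04 Insecure Design. Relabel the category and check that `owasp_review_cycle9.md` uses the same mapping. The Long-term item on `region_size_meters` describes the same unbounded-input class as F-AZ1074-1 on the gRPC path but carries no finding ID, so it will not appear in the next cycle's carry-over list; give it an ID and a severity. The Summary's "5+" Low count and the "cycle 78" wording (in the Summary row and under Carry-overs) do not line up with the six IDs and "cycle-4/7/8" named in the cumulative verdict; state the exact count and the cycles. The delta verdict line also mentions only the Low as resolved in follow-up, while the Summary shows the Medium F-AZ1074-1 resolved in the same step; say so in the verdict. Finally, each RESOLVED detail section should name the test that pins the fix (the 500/50/5000 boundaries and the generic `"An internal error occurred."` message) so the resolution can be verified from this report.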