azaion/satellite-provider
1
0
Fork 0
mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-22 11:01:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-808] [AZ-809] [AZ-810] [AZ-811] [AZ-812] Cycle 8 security audit

Browse Source 
PASS_WITH_WARNINGS. Zero Critical / High.

New cycle-8 findings:
- F-AZ809-1 (Medium / A04 Insecure Design): unbounded
  geofences.polygons enables an authenticated DoS on
  POST /api/satellite/route. Cap candidate: 50 or 500.
- F-AZ810-1 (Low / A09): JsonException.Message echoed in
  UavUploadValidationFilter (new instance of cycle-7 F-AZ795-1
  pattern in a second code path).
- F-AZ810-2 (Low / Informational): UavTileMetadata.CapturedAt
  typed DateTime not DateTimeOffset; freshness window drifts in
  non-UTC dev environments. Zero impact in UTC-deployed prod.

Carry-overs (cycle 7): F-AZ795-1, F-AZ795-2, D-AZ795-1 still
open. Cycle 4 D2-cy4 still open (test-runtime Medium).

Cycle-8 architectural wins recorded: per-endpoint validation
reached 100% coverage; three approved validation paths
formalised; OSM wire-format normalisation under strict mode
(AZ-812); UAV-handler defence-in-depth retained.

Highest-priority cycle-9 follow-up: F-AZ809-1 polygon cap.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-23 15:17:31 +03:00
parent 6207ab7c27
commit ac40a8b352
6 changed files with 613 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
_docs/_autodev_state.md
+4 -4
View File
@@ -4,11 +4,11 @@
flow: existing-code
step: 14
name: Security Audit
status: not_started
status: completed
sub_step:
phase: 0
name: awaiting-choice
detail: ""
phase: 5
name: report-rendered
detail: "verdict: PASS_WITH_WARNINGS (1 Medium F-AZ809-1 + 2 new Lows + 3 carry-over Lows + 1 carry-over Medium D2-cy4 test-runtime only)"
retry_count: 0
cycle: 8
tracker: jira