mirror of
https://github.com/azaion/satellite-provider.git
synced 2026-06-21 08:31:14 +00:00
Oleksandr Bezdieniezhnykh
51b572108a
Captures the post-implementation autodev gates for AZ-484 multi-source tile storage: - Step 12 (Test-Spec Sync): added 7 AC rows (AZ-484 AC-1..AC-7) and a PT-07 NFR row to traceability-matrix.md; added PT-07 scenario to performance-tests.md. - Step 13 (Update Docs): refreshed data_model.md (tiles columns + indexes + selection rule + UPSERT contract + migrations 012/013), module-layout.md (Common/Enums section with L-001 guidance, DataAccess imports-from now lists 6 sites), 6 module / component docs to reflect the new repo signatures, source/captured_at fields, and Dapper enum bypass workaround. ripple_log_cycle1.md records zero out-of-scope ripple. - Step 14 (Security Audit): PASS_WITH_WARNINGS - 0 Critical, 0 High, 5 Medium, 5 Low. AZ-484 itself added zero new findings. Hardening items (Postgres default creds, .env in build context, GMaps key rotation, ASP.NET Core 8.0.21 -> 8.0.25, rate limiter) recorded for separate tickets. - Step 15 (Performance Test): all PT-01..PT-07 scenarios Unverified (non-blocking); PT-07 baseline-comparison harness deferred to a leftover for next cycle. - Step 16 (Deploy): cycle deploy report covering migration safety, rollback path, post-deploy verification, security caveats. Co-authored-by: Cursor <cursoragent@cursor.com>
5.3 KiB
5.3 KiB
Phase 3 — OWASP Top 10:2025 Review
Date: 2026-05-11
OWASP version: OWASP Top 10:2025 (verified at audit start)
Project context: Self-hosted .NET 8 backend service. Documented as an "internal/trusted network service — no auth layer" (_docs/02_document/architecture.md §7). Deployed via Docker behind another network boundary (per _docs/02_document/deployment/). The audit is scoped to the codebase as it stands; categories whose findings depend on a missing trust-boundary control are flagged accordingly.
| # | Category | Status | Findings | Notes |
|---|---|---|---|---|
| A01 | Broken Access Control | N/A (with caveat) | — | The service intentionally exposes ALL endpoints without authentication or authorization — documented design (architecture.md §7). No IDOR analysis applies because there is no user concept. Caveat: this is only safe if the deployment puts the API behind a network-level gatekeeper (VPN, mTLS, internal-only LB). If the deploy ever moves to a public network, this category becomes the #1 risk and EVERY endpoint becomes an unauthenticated execution surface. |
| A02 | Security Misconfiguration | FAIL | S1, S2, I1, I2 | Default Postgres credentials in both appsettings.json and docker-compose.yml; Postgres port bound to 0.0.0.0; container runs as root; no security headers middleware. |
| A03 | Software Supply Chain Failures | PASS_WITH_WARNINGS | D1, D2 | Two known transitive CVEs (D1 — ASP.NET Core 8.0.21 SignalR DoS, not exploitable here; D2 — Microsoft.NET.Test.Sdk 17.8.0 → NuGet.Frameworks info disclosure, test-only). No use of unsigned NuGet packages; no auto-update of dependencies in production. |
| A04 | Cryptographic Failures | N/A | — | No password storage (no users), no encryption at rest, no in-app crypto. The Google Maps integration uses HTTPS (default Npgsql/HttpClient stacks). At-rest tile storage is plain JPEG by design — these are public satellite images, not confidential data. |
| A05 | Injection | PASS | — | All Dapper queries use parameter objects (new { Id = id } etc.); no string-built or interpolated user input flows into SQL. No Process.Start, no shell exec, no eval. JSON deserialization uses System.Text.Json defaults (no type-name handling). XSS / template injection N/A — JSON-only API. |
| A06 | Insecure Design | FAIL | S3, I3 | No rate limiting on any endpoint despite the existence of an outbound rate-limited dependency (Google Maps). Latitude / longitude inputs are not range-validated at the API boundary (S3). No quota / throttling on region-request creation, which can multiply outbound calls and disk writes. |
| A07 | Authentication Failures | N/A (with caveat) | — | Same caveat as A01 — there is no authentication system to fail. |
| A08 | Software or Data Integrity Failures | PASS | — | DbUp migrations are idempotent and tracked in schemaversions; rollback is forward-only by design. No auto-update path. CI artifacts go through .woodpecker/02-build-push.yml with from_secret: registry_token (not in plaintext). No unsigned external scripts executed at build/deploy. |
| A09 | Security Logging and Alerting Failures | PASS_WITH_WARNINGS | I4 | Serilog writes structured logs with file rotation; GlobalExceptionHandler correlates server logs to client responses via correlationId (good). However: no security-event logging (e.g., bad-input bursts, repeated 4xx from same source) and no alerting on log patterns. Acceptable for an internal service; would need attention if exposed publicly. |
| A10 | Mishandling of Exceptional Conditions | PASS | — | GlobalExceptionHandler returns RFC 7807 ProblemDetails with a generic body and a correlationId — no exception text leaks to clients. GlobalExceptionHandlerTests.cs includes a positive control that confirms a "leakySecret"-shaped exception message is NOT echoed. |
Cross-reference to Phase 1 / Phase 2 findings
| OWASP Cat | Tied finding | Severity | Source phase |
|---|---|---|---|
| A02 | S1 — default password in appsettings.json | Medium | Phase 2 |
| A02 | S2 — weak Postgres creds + 0.0.0.0 binding in compose | Medium | Phase 2 |
| A02 | I1 — Dockerfile runs as root | Low | Phase 4 (next) |
| A02 | I2 — no security headers middleware | Low | Phase 4 (next) |
| A03 | D1 — CVE-2026-26130 in ASP.NET Core 8.0.21 (SignalR; not reachable) | Medium (paper) / Low (real) | Phase 1 |
| A03 | D2 — CVE-2022-30184 transitive via test SDK | Low (test-only) | Phase 1 |
| A06 | S3 — lat/lon not range-validated at API boundary | Low | Phase 2 |
| A06 | I3 — no rate limiting on any endpoint | Medium | Phase 4 (next) |
| A06 | S4 — Google Maps API key handling (no .env.example, no rotation hygiene) | Medium | Phase 2 |
| A09 | I4 — no security-event logs, no alerting | Low | Phase 4 (next) |
Self-verification
- All current OWASP Top 10:2025 categories assessed
- Each FAIL has at least one specific finding with evidence
- N/A categories have justification + caveat
- No
security_approach.mdexists in_docs/00_problem/to cross-reference (project has not declared explicit security requirements; this audit treats the architecture-vision statement "internal/trusted network service" as the de-facto requirement)