azaion/satellite-provider
1
0
Fork 0
mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-21 10:11:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
5214a4a6478deec82d0a59769a909552422f3444
satellite-provider/_docs/05_security
T
History
Oleksandr Bezdieniezhnykh 5214a4a647 [AZ-487] [AZ-488] security: cycle 2 delta audit (PASS_WITH_WARNINGS) 
Step 14 (Security Audit) for cycle 2 — delta scan against the cycle-1
baseline. Verdict remains PASS_WITH_WARNINGS; no Critical/High.

Scope: JWT auth boundary (AZ-487) and UAV multipart upload + ImageSharp
decode of attacker-controlled bytes (AZ-488). Both new packages
(JwtBearer 8.0.21, ImageSharp 3.1.11 in Services.TileDownloader)
checked.

Cycle-2 delta:
* 0 Critical / 0 High
* 2 Medium: F-AUTH-2 (iss/aud not validated — by design until admin
  team publishes values, AZ-487 § Constraints), F-UAV-1 (ImageSharp
  decode now runs on attacker-controlled bytes — mitigations
  sufficient; pin to GHSA subscribe-and-bump policy).
* 4 Low: F-AUTH-1 (DEV-ONLY secret in appsettings.Development.json —
  accepted), F-AUTH-3 (rate-limit gap extends to 401 floods — folds
  into cycle-1 I3), F-UAV-2 (JsonDocument.Parse on signature-validated
  claims — bounded by Kestrel header cap), D3 (JwtBearer shares D1
  patch line).
* 1 Informational: F-UAV-3 (reject reasons disclose gate structure —
  accepted UX trade-off; documented in contract).

OWASP refresh: A01 / A07 move from N/A (with caveat) to
PASS_WITH_WARNINGS (per-tenant authz absent; iss/aud + revocation
gaps tracked).

Pre-deploy operational gate added: deploy pipeline must verify
JWT_SECRET != DEV-ONLY placeholder before promoting api.

Artifacts: dependency_scan.md, static_analysis.md, owasp_review.md,
infrastructure_review.md, security_report.md — all appended with a
"Cycle 2 Delta" section preserving cycle-1 finding IDs.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-12 00:13:58 +03:00
..
dependency_scan.md
[AZ-487] [AZ-488] security: cycle 2 delta audit (PASS_WITH_WARNINGS)
2026-05-12 00:13:58 +03:00
infrastructure_review.md
[AZ-487] [AZ-488] security: cycle 2 delta audit (PASS_WITH_WARNINGS)
2026-05-12 00:13:58 +03:00
owasp_review.md
[AZ-487] [AZ-488] security: cycle 2 delta audit (PASS_WITH_WARNINGS)
2026-05-12 00:13:58 +03:00
security_report.md
[AZ-487] [AZ-488] security: cycle 2 delta audit (PASS_WITH_WARNINGS)
2026-05-12 00:13:58 +03:00
static_analysis.md
[AZ-487] [AZ-488] security: cycle 2 delta audit (PASS_WITH_WARNINGS)
2026-05-12 00:13:58 +03:00