satellite-provider/_docs/05_security/security_report_cycle9.md
Oleksandr Bezdieniezhnykh 7ed780b063
ci/woodpecker/push/01-test Pipeline failed
ci/woodpecker/push/02-build-push unknown status
[AZ-1074] [AZ-1075] Cycle 9 closeout: security, tests, metrics
Resolve F-AZ1074-1/2 (collection caps, generic gRPC internal errors).
Standalone integration compose stack, docs, security audit, perf and retro.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-25 17:32:14 +03:00


Security Audit Report (Cycle 9)

Date: 2026-06-25

Scope: Cycle-9 delta — AZ-1074 (gRPC RouteTileDelivery service) + AZ-1075 (integration tests) + SatelliteProvider.GrpcContracts.

Trigger: /autodev Step 14 — user chose A) Run security audit.

Verdict (cycle-9 delta, post-follow-up): PASS — 0 Medium open, 1 Low resolved in follow-up, 0 new Critical/High.

Verdict (cumulative): PASS_WITH_WARNINGS — cycle-4/7/8 carry-overs unchanged (D2-cy4, D-AZ795-1, F-AZ795-1, F-AZ795-2, F-AZ810-1, F-AZ810-2).

Summary

| Severity | Cycle 9 at audit | Post Step-14 follow-up | Cumulative open |
|---|---|---|---|
| Critical | 0 | 0 | 0 |
| High | 0 | 0 | 0 |
| Medium | 1 (F-AZ1074-1) | 0 — RESOLVED | 1 (D2-cy4 test-runtime) |
| Low | 1 (F-AZ1074-2) | 0 — RESOLVED | 5+ (cycle 7/8 carry-overs) |

OWASP Top 10:2021 (cycle-9 delta)

See owasp_review_cycle9.md — all categories PASS or N/A after follow-up.

Findings

| # | Severity | Category | Location | Title | Status |
|---|---|---|---|---|---|
| F-AZ1074-1 | Medium | Insecure Design (A04) | RouteTileDeliveryOrchestrator.ValidateJob | Unbounded gRPC waypoints/geofences/client_tiles | RESOLVED — caps 500/50/5000 |
| F-AZ1074-2 | Low | Information Disclosure (A09) | RouteTileDeliveryGrpcService catch-all | ex.Message in DeliveryError | RESOLVED — generic client message |

F-AZ1074-1 detail (RESOLVED)

The gRPC collection caps are now aligned with REST: waypoints ≤ 500, geofences ≤ 50, client_tiles ≤ 5000. Over-limit requests return InvalidArgument through the existing ArgumentException-to-RpcException mapping.

F-AZ1074-2 detail (RESOLVED)

Internal errors now return "An internal error occurred." on the wire; LogError retains full exception.
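
The two fixes described above (F-AZ1074-1 and F-AZ1074-2), shown together as an added C# example that is not the project's own code. Assumptions: DeliveryJob, JobLimits and GrpcErrorBoundary are hypothetical names, the collections are modelled as string lists, and internal errors surface as an RpcException status rather than through the project's DeliveryError message, which this report does not show.

```csharp
// Added illustration: all type and member names are hypothetical, apart from
// Grpc.Core's RpcException/Status/StatusCode and ILogger.LogError.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Grpc.Core;
using Microsoft.Extensions.Logging;

// Stand-in for the real request type, which the report does not show.
public sealed record DeliveryJob(IReadOnlyCollection<string> Waypoints,
    IReadOnlyCollection<string> Geofences, IReadOnlyCollection<string> ClientTiles);

public static class JobLimits
{
    // Caps from the report: 500 / 50 / 5000, aligned with the REST path.
    public const int MaxWaypoints = 500, MaxGeofences = 50, MaxClientTiles = 5000;

    public static void Validate(DeliveryJob job)
    {
        ArgumentNullException.ThrowIfNull(job);
        Check(job.Waypoints, MaxWaypoints, "waypoints");
        Check(job.Geofences, MaxGeofences, "geofences");
        Check(job.ClientTiles, MaxClientTiles, "client_tiles");
    }

    private static void Check(IReadOnlyCollection<string> items, int max, string field)
    {
        // Only Count is read, so an oversized request is rejected before per-item work.
        if (items is not null && items.Count > max)
            throw new ArgumentException($"{field} exceeds the limit of {max} items.");
    }
}

public static class GrpcErrorBoundary
{
    public static async Task<T> Run<T>(ILogger log, Func<Task<T>> handler)
    {
        try { return await handler(); }
        catch (RpcException) { throw; } // already a deliberate status
        catch (ArgumentException ex)    // validation failure: message written for the caller
        {
            throw new RpcException(new Status(StatusCode.InvalidArgument, ex.Message));
        }
        catch (Exception ex)            // anything else is internal
        {
            log.LogError(ex, "Unhandled error in gRPC handler"); // full exception stays server-side
            throw new RpcException(new Status(StatusCode.Internal, "An internal error occurred."));
        }
    }
}
```

Echoing ex.Message for ArgumentException is only safe while every ArgumentException reaching this boundary carries a message authored for clients; one thrown from deeper library code would be relayed verbatim.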

Carry-overs (unchanged)

  • F-AZ795-1, F-AZ795-2, F-AZ810-1, F-AZ810-2 — REST information-disclosure / time-handling (cycle 7/8)
  • D-AZ795-1 — FluentValidation 12.0.0 → 12.1.1
  • D2-cy4 — test SDK transitive (Medium, test-runtime only)

Recommendations

Immediate

  • None blocking cycle 9 ship.

Short-term (cycle 10+)

  • Sanitise REST GlobalExceptionHandler + UavUploadValidationFilter (F-AZ795-1 / F-AZ810-1) in one ticket.
  • Bump FluentValidation 12.0.0 → 12.1.1 (D-AZ795-1).

Long-term

  • Consider region_size_meters upper bound on gRPC path (REST uses 10_000 m cap) — advisory parity, not release-blocking.

Artifacts

  • dependency_scan_cycle9.md
  • static_analysis_cycle9.md
  • owasp_review_cycle9.md
  • infrastructure_review_cycle9.md