veza/veza-stream-server
senke 249fd99730 fix(v0.12.6): apply all pentest remediations — 36 findings across 36 files
CRITICAL fixes:
- Race condition (TOCTOU) in payout/refund with SELECT FOR UPDATE (CRITICAL-001/002)
- IDOR on analytics endpoint — ownership check enforced (CRITICAL-003)
- CSWSH on all WebSocket endpoints — origin whitelist (CRITICAL-004)
- Mass assignment on user self-update — strip privileged fields (CRITICAL-005)

HIGH fixes:
- Path traversal in marketplace upload — UUID filenames (HIGH-001)
- IP spoofing — use Gin trusted proxy c.ClientIP() (HIGH-002)
- Popularity metrics (followers, likes) set to json:"-" (HIGH-003)
- bcrypt cost hardened to 12 everywhere (HIGH-004)
- Refresh token lock made mandatory (HIGH-005)
- Stream token replay prevention with access_count (HIGH-006)
- Subscription trial race condition fixed (HIGH-007)
- License download expiration check (HIGH-008)
- Webhook amount validation (HIGH-009)
- pprof endpoint removed from production (HIGH-010)

MEDIUM fixes:
- WebSocket message size limit 64KB (MEDIUM-010)
- HSTS header in nginx production (MEDIUM-001)
- CORS origin restricted in nginx-rtmp (MEDIUM-002)
- Docker alpine pinned to 3.21 (MEDIUM-003/004)
- Redis authentication enforced (MEDIUM-005)
- GDPR account deletion expanded (MEDIUM-006)
- .gitignore hardened (MEDIUM-007)

LOW/INFO fixes:
- GitHub Actions SHA pinning on all workflows (LOW-001)
- .env.example security documentation (INFO-001)
- Production CORS set to HTTPS (LOW-002)

All tests pass. Go and Rust compile clean.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-14 00:44:46 +01:00
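The CSWSH item (CRITICAL-004) above is the one most often mis-implemented: an "origin whitelist" done with a prefix or substring match is still bypassable from `https://app.example.com.attacker.net` or `https://app.example.com@attacker.net`. The block below is an added example, not code from the veza repository or this commit; it is written in Go because the commit refers to Gin handlers, and it assumes placeholder origins (`app.example.com`, `studio.example.com`) and a `checkOrigin` function with the shape that gorilla/websocket's `Upgrader.CheckOrigin` expects. It shows the weak check beside the exact-match one and runs both through a guarding middleware so the difference is visible without a browser.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// allowedOrigins is the browser-origin allow-list for the WebSocket endpoints.
// The hosts are placeholders for this added example; the project's real list
// is not shown on the page. Entries are normalized "scheme://host[:port]".
var allowedOrigins = map[string]bool{
	"https://app.example.com":    true,
	"https://studio.example.com": true,
}

// weakOriginCheck is the pattern that still leaves a CSWSH hole: a prefix
// match lets "https://app.example.com.attacker.net" and
// "https://app.example.com@attacker.net" through.
func weakOriginCheck(origin string) bool {
	for allowed := range allowedOrigins {
		if strings.HasPrefix(origin, allowed) {
			return true
		}
	}
	return false
}

// originAllowed is the hardened form: parse the Origin header, require https,
// refuse userinfo/path/query tricks, and compare the normalized origin exactly.
// A missing or "null" Origin is rejected because the stream endpoints are
// browser-facing; non-browser clients need an authenticated path of their own
// rather than a relaxed origin check.
func originAllowed(origin string) bool {
	if origin == "" || origin == "null" {
		return false
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" || u.Host == "" || u.User != nil {
		return false
	}
	// A real Origin header carries no path, query or fragment.
	if (u.Path != "" && u.Path != "/") || u.RawQuery != "" || u.Fragment != "" {
		return false
	}
	// Browsers omit the default port, so "https://app.example.com:443" is
	// deliberately not matched unless it is listed that way.
	norm := strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host)
	return allowedOrigins[norm]
}

// checkOrigin has the shape gorilla/websocket's Upgrader.CheckOrigin expects;
// returning false makes the upgrade fail before any frames flow.
func checkOrigin(r *http.Request) bool {
	return originAllowed(r.Header.Get("Origin"))
}

// requireOrigin wraps a WebSocket handler so the origin check runs before the
// upgrade regardless of which WebSocket library performs it.
func requireOrigin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !checkOrigin(r) {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends a constructed request with the given Origin through the
// middleware and returns the status code, so the behaviour runs offline.
func probe(origin string) int {
	upgrade := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusSwitchingProtocols)
	})
	req := httptest.NewRequest(http.MethodGet, "/ws/stream", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rr := httptest.NewRecorder()
	requireOrigin(upgrade).ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	for _, o := range []string{
		"https://app.example.com",
		"https://app.example.com.attacker.net",
		"https://app.example.com@attacker.net",
		"http://app.example.com",
		"",
	} {
		fmt.Printf("%-42q weak=%-5v exact=%-5v status=%d\n",
			o, weakOriginCheck(o), originAllowed(o), probe(o))
	}
}
```

The exact-match form is strict on purpose: it rejects `http://`, a port that is not listed, and any origin carrying userinfo or a path, all of which a browser never sends in a legitimate Origin header. Pair it with the 64KB message size limit from MEDIUM-010 so that a connection which does pass the check still cannot exhaust the server with oversized frames.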
.cargo fix(release): v1.0.1 — Full ROADMAP checklist compliance 2026-03-03 20:17:54 +01:00
.github/workflows fix(ci): upgrade deprecated actions, fix Go version 2026-02-11 23:14:50 +01:00
audio adding initial stream server (Rust) 2025-12-03 20:36:56 +01:00
benches adding initial stream server (Rust) 2025-12-03 20:36:56 +01:00
dashboards adding initial stream server (Rust) 2025-12-03 20:36:56 +01:00
docs P0: backend/chat/stream stabilization + new migrations base v1 2025-12-06 11:14:38 +01:00
k8s/production adding initial stream server (Rust) 2025-12-03 20:36:56 +01:00
migrations report generation and future tasks selection 2025-12-08 19:57:54 +01:00
proto adding initial stream server (Rust) 2025-12-03 20:36:56 +01:00
scripts release(v0.903): Vault - ORDER BY whitelist, rate limiter, VERSION sync, chat-server cleanup, Go 1.24 2026-02-27 09:43:25 +01:00
src fix(v0.12.6): apply all pentest remediations — 36 findings across 36 files 2026-03-14 00:44:46 +01:00
tools chore: audit 2.8 and 2.9 — gitignore and Tokio 2026-02-15 14:47:31 +01:00
.clippy.toml adding initial stream server (Rust) 2025-12-03 20:36:56 +01:00
.env.example v0.9.1 2026-03-05 19:22:31 +01:00
.gitignore report generation and future tasks selection 2025-12-08 19:57:54 +01:00
AUDIT_EXHAUSTIF_STREAM_SERVER.md rework: backend-api go first; phase 1 2025-12-12 21:34:34 -05:00
AUDIT_STREAM_SERVER_RUST.md adding initial stream server (Rust) 2025-12-03 20:36:56 +01:00
build.rs [T0-002] fix(rust): Fix Rust compilation errors 2026-01-04 01:44:20 +01:00
Cargo.toml fix(v0.12.6.1): remediate remaining 15 MEDIUM + LOW pentest findings 2026-03-12 06:13:38 +01:00
check_errors.txt report generation and future tasks selection 2025-12-08 19:57:54 +01:00
docker-compose.yml fix(security): restrict CORS origins in stream-server 2026-02-11 22:42:04 +01:00
Dockerfile fix(v0.12.6): apply all pentest remediations — 36 findings across 36 files 2026-03-14 00:44:46 +01:00
Dockerfile.production chore(release): v0.981 — Beta (staging deploy, bug bash, smoke test) 2026-03-02 19:33:42 +01:00
env.example adding initial stream server (Rust) 2025-12-03 20:36:56 +01:00
install.sh adding initial stream server (Rust) 2025-12-03 20:36:56 +01:00
Makefile v0.9.5 2026-03-06 10:02:53 +01:00
package.json v0.9.4 2026-03-05 23:03:43 +01:00
RAPPORT_LAB.md report generation and future tasks selection 2025-12-08 19:57:54 +01:00
sync_errors.txt report generation and future tasks selection 2025-12-08 19:57:54 +01:00
sync_test_error.txt report generation and future tasks selection 2025-12-08 19:57:54 +01:00
test_output.txt report generation and future tasks selection 2025-12-08 19:57:54 +01:00