Harden result server ingest and security metadata#24

Merged

yoshifuminakamura merged 1 commit into

feature/result-server-security-hardening

May 19, 2026

Collaborator

yoshifuminakamura commented May 19, 2026

Summary

Validate ingest-supplied UUID and timestamp values before composing filenames.
Add basename-only defense for generated ingest filenames.
Add production preflight checks for weak or short Flask/API secrets.
Add SECURITY.md and publish security.txt / robots.txt metadata routes.
Document result portal key management and sync CI/test-count docs.

Security

Addresses the W1 slice of the CX audit follow-up:

CX-SEC-013: path traversal write hardening for ingest filenames
CX-SEC-007 / OSS-C follow-up: minimum secret length and known-default rejection
OSS-A / OSS-B: security policy and security.txt reporting metadata
CX-CQ-007 / CX-CQ-008: documentation consistency fixes

Validation

pytest result_server\tests -q
- 227 passed
bandit -r result_server -ll
- High/Medium: 0
git diff --check
- clean


          Harden result server ingest and security metadata

6f04ce8

Signed-off-by: Yoshifumi Nakamura <nakamura@riken.jp>

yoshifuminakamura merged commit 0a28cd5 into develop

4 checks passed

yoshifuminakamura deleted the feature/result-server-security-hardening branch

May 19, 2026 05:54

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet