From beead1d6b04c3b0b0a15fbef45e0164d78eb90bf Mon Sep 17 00:00:00 2001
From: Cobb Hayes
Date: Wed, 27 May 2026 09:22:12 -0700
Subject: [PATCH] audit follow-ups: deps floor, LICENSE, gate /debug/redis-keys

- requirements.txt: bump floors past known CVEs (flask>=2.3.2 fixes CVE-2023-30861, requests>=2.32.0 fixes CVE-2023-32681 + CVE-2024-35195, redis>=5.0 fixes CVE-2023-28858/9).
- LICENSE: add MIT text (README claimed MIT but the file was missing).
- /api/1/debug/redis-keys: require auth. Was unauthenticated info-disclosure on the LAN/AP side.
---
 LICENSE | 21 +++++++++++++++++++++
 adacam_api/app.py | 1 +
 requirements.txt | 6 +++---
 3 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 LICENSE

diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..77c4caf
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Sulkta Coop
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/adacam_api/app.py b/adacam_api/app.py
index 03f0afb..be0384b 100644
--- a/adacam_api/app.py
+++ b/adacam_api/app.py
@@ -112,6 +112,7 @@ def create_app():
 # ── DEBUG ENDPOINTS ────────────────────────────────────────────────────
 @app.route('/api/1/debug/redis-keys')
+ @require_auth
 def redis_keys():
 """Debug endpoint — list Redis keys for GPS/IMU troubleshooting."""
 try:
diff --git a/requirements.txt b/requirements.txt
index 6f89858..4ec13a8 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,3 @@
-flask>=2.0
-redis>=4.0
-requests>=2.25
+flask>=2.3.2
+redis>=5.0
+requests>=2.32.0
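Review bot: The added `@require_auth` on `redis_keys` closes the unauthenticated path, but the route is still registered in every deployment, so any authenticated caller (or a leaked credential) can enumerate Redis key names; a debug endpoint like this should also be conditionally registered, e.g. wrapping the decorated definition in `if app.config.get("DEBUG_ENDPOINTS_ENABLED"):` (placeholder setting name) or dropping it from production builds. The decorator order is right — `@app.route` outermost, so the route receives the auth-wrapped view — but if `require_auth` does not apply `functools.wraps`, Flask will register this endpoint under the wrapper's `__name__`, which collides as soon as a second route uses the same decorator; worth confirming against its definition, which is not in the hunk. The docstring should also state the new contract, e.g. `"""Debug endpoint — list Redis keys for GPS/IMU troubleshooting. Requires authentication."""`. The hunk header counts 6 old/7 new lines but only 5 context lines are visible, so one line appears lost in this rendering; `create_app` starts before the hunk and `redis_keys`'s body continues after it.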