
feat(security): API security middleware, pipeline guard, and OWASP scanner #34

Merged: Goldokpa merged 3 commits into develop from feat/security-api-middleware-and-pipeline-guard on May 5, 2026

Conversation

femi23 (Collaborator) commented May 2, 2026

Summary

  • src/climatevision/security/api_security.py — OWASP-aligned FastAPI middleware:
    • Per-API-key sliding-window rate limiter
    • Payload size + Content-Length checks
    • bbox sanity validation (range, ordering, max area to block DoS-via-huge-GEE-queries)
    • File upload validation by magic bytes + extension whitelist
    • Input sanitisation against XSS, SQLi, template-injection patterns
    • Security response headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection)
  • src/climatevision/security/pipeline_guard.py — InputAnomalyDetector + PipelineGuard:
    • Statistical input checks (out-of-range pixels, NaN/Inf, suspicious uniformity, gradient analysis)
    • Output validation (single-class dominance, low confidence, uniform probabilities)
    • Returns structured security metadata so the API can warn callers
  • tests/test_security.py — unit tests for the rate limiter, validators, sanitiser, and pipeline guard.
  • scripts/security_scan.py — external scanner that probes a running API for OWASP misconfigurations (missing headers, unauthenticated POSTs, oversized payloads, bbox over-area). Outputs a JSON report.

Why

Closes the auth-enforcement primitives in gap #4 and lays the foundation for gap #5 (alert delivery integrity) and gap #7 (test coverage on security-sensitive paths).

The pipeline guard is the second line of defence after schema validation — it catches adversarial tiles that pass the input contract but break model assumptions (NaN injection, gradient-spike attacks, uniform-region patches). The output checks flag single-class-dominant predictions that often indicate either an attack or a model failure, before the result reaches the dashboard.

The OWASP scanner is intended to run in CI against a staged deployment and gate releases.

Test plan

  • pytest tests/test_security.py -v passes
  • python scripts/security_scan.py --target http://localhost:8000 produces a JSON report
  • Send a 60 MB payload and confirm 413 response
  • Hit /api/predict 101 times in one minute from one API key and confirm 429 with Retry-After

Note

Defence-in-depth — this does not replace the per-endpoint X-API-Key enforcement work in api/auth.py (gap #4 proper, separate PR).
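The request-side controls the summary lists (sliding-window rate limiter keyed by API key, Content-Length check, bbox range/ordering/area validation, security headers) composed the way a middleware would apply them. This is an added example and not the project's api_security.py: the limits, the header values, the function names (SlidingWindowRateLimiter, check_payload_size, validate_bbox, guard_request) and the 411/413/429 status mapping are assumptions, and the FastAPI wiring is left out so the logic runs stand-alone.

```python
import math
import time
from collections import deque
from typing import Deque, Dict, Optional, Sequence, Tuple

# Constructed limits: the project's real configuration values are not on the page.
MAX_REQUESTS_PER_WINDOW = 100
WINDOW_SECONDS = 60.0
MAX_PAYLOAD_BYTES = 10 * 1024 * 1024   # hypothetical 10 MB cap
MAX_BBOX_AREA_DEG2 = 4.0               # hypothetical cap on bbox area, square degrees

# Header values are assumptions. OWASP's current advice for X-XSS-Protection is "0":
# the legacy browser filter it enabled introduced vulnerabilities of its own.
SECURITY_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "0",
}


class SlidingWindowRateLimiter:
    """Per-API-key sliding window: remember the timestamps of hits inside the window."""

    def __init__(self, max_requests: int = MAX_REQUESTS_PER_WINDOW,
                 window: float = WINDOW_SECONDS) -> None:
        self.max_requests = max_requests
        self.window = window
        self._hits: Dict[str, Deque[float]] = {}

    def check(self, api_key: str, now: Optional[float] = None) -> Tuple[bool, int]:
        """Record a hit if allowed. Returns (allowed, retry_after_seconds)."""
        now = time.monotonic() if now is None else now
        hits = self._hits.setdefault(api_key, deque())
        cutoff = now - self.window
        while hits and hits[0] <= cutoff:      # drop timestamps that left the window
            hits.popleft()
        if len(hits) >= self.max_requests:
            # The oldest hit still inside the window decides when a slot frees up.
            return False, max(1, math.ceil(hits[0] + self.window - now))
        hits.append(now)
        return True, 0


def check_payload_size(content_length: Optional[str],
                       max_bytes: int = MAX_PAYLOAD_BYTES) -> Tuple[bool, int]:
    """Check the Content-Length header before the body is read. Returns (ok, http_status)."""
    # The header is client-supplied: the server must still cap the bytes it actually reads.
    if content_length is None:
        return False, 411                      # Length Required
    try:
        length = int(content_length)
    except ValueError:
        return False, 400
    if length < 0:
        return False, 400
    if length > max_bytes:
        return False, 413                      # Payload Too Large
    return True, 200


def validate_bbox(bbox: Sequence[float],
                  max_area: float = MAX_BBOX_AREA_DEG2) -> Tuple[bool, str]:
    """Sanity-check a (min_lon, min_lat, max_lon, max_lat) box: type, range, ordering, area."""
    if len(bbox) != 4 or not all(isinstance(v, (int, float)) and not isinstance(v, bool)
                                 and math.isfinite(v) for v in bbox):
        return False, "bbox must be four finite numbers"
    min_lon, min_lat, max_lon, max_lat = bbox
    if not (-180.0 <= min_lon <= 180.0 and -180.0 <= max_lon <= 180.0):
        return False, "longitude out of range"
    if not (-90.0 <= min_lat <= 90.0 and -90.0 <= max_lat <= 90.0):
        return False, "latitude out of range"
    if min_lon >= max_lon or min_lat >= max_lat:
        return False, "bbox corners not ordered (min must be strictly less than max)"
    area = (max_lon - min_lon) * (max_lat - min_lat)
    if area > max_area:   # the area cap is what keeps one request from fanning out into a huge query
        return False, f"bbox area {area:.2f} deg^2 exceeds limit {max_area}"
    return True, "ok"


def guard_request(api_key: str, content_length: Optional[str], bbox: Sequence[float],
                  limiter: SlidingWindowRateLimiter, now: Optional[float] = None
                  ) -> Tuple[int, Dict[str, str], str]:
    """Compose the checks in middleware order. Returns (status, response_headers, reason)."""
    # Security headers go on every response, rejections included.
    allowed, retry_after = limiter.check(api_key, now)
    if not allowed:
        return 429, {"Retry-After": str(retry_after), **SECURITY_HEADERS}, "rate limit exceeded"
    ok, status = check_payload_size(content_length)
    if not ok:
        return status, dict(SECURITY_HEADERS), "payload rejected"
    ok, reason = validate_bbox(bbox)
    if not ok:
        return 400, dict(SECURITY_HEADERS), reason
    return 200, dict(SECURITY_HEADERS), "ok"
```

The `now` parameter exists so the window can be driven deterministically in tests; in production it is left unset and `time.monotonic()` is used. Note the ordering: the rate limiter runs first so that rejected requests still consume a slot, and the Content-Length check runs before any body is buffered, which is the point of the 413 in the test plan.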

femi23 added 3 commits May 2, 2026 23:33

OWASP-aligned controls layered onto FastAPI:
- Per-API-key rate limiter (sliding window, configurable)
- Payload size and Content-Length checks
- bbox sanity validation (range, ordering, max area to block DoS-via-huge-GEE-queries)
- File upload validation by magic bytes + extension whitelist
- String input sanitisation against XSS, SQLi, template injection patterns
- Security response headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection)

InputAnomalyDetector flags suspicious tiles before model forward pass:
- Out-of-range pixel values, NaN/Inf, suspicious uniformity
- Gradient analysis to catch noise injection or constant-image attacks

PipelineGuard wraps inference with input + output checks:
- Rejects predictions where one class dominates >99% (model failure or attack)
- Flags low mean confidence and uniform probability distributions
- Returns structured security metadata alongside predictions so the API
  can surface warnings to the caller.

- tests/test_security.py: unit tests for the rate limiter, payload/bbox/file
  validators, sanitiser, pipeline guard input/output checks, and adversarial
  detection helpers.
- scripts/security_scan.py: external scanner that hits a running API and
  probes for OWASP-style misconfigurations (missing headers, unauthenticated
  POSTs, bbox over-area, oversized payloads). Outputs a JSON report.
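The input and output checks the second commit describes (NaN/Inf, out-of-range pixels, uniformity, gradient analysis before inference; single-class dominance, low confidence and uniform probabilities after it), with the structured metadata a caller would receive. This is an added example, not the project's pipeline_guard.py: every threshold is a constructed value, the tile is a plain list of rows rather than whatever array type the project uses, and the sample tiles and the two toy models (threshold_model, collapsed_model) stand in for real imagery and the real network.

```python
import math
import statistics
from collections import Counter
from typing import Callable, Dict, List

Tile = List[List[float]]      # one band, rows of pixel values
Probs = List[List[float]]     # one class-probability vector per pixel

# Constructed thresholds: the project's real values are not on the page.
PIXEL_MIN, PIXEL_MAX = 0.0, 1.0   # expected normalised pixel range
MAX_OUT_OF_RANGE_FRACTION = 0.01  # a few stray pixels are tolerated, a whole band is not
MIN_STD = 1e-3                    # below this the tile is suspiciously uniform
MAX_MEAN_GRADIENT = 0.5           # above this the tile looks like injected noise
DOMINANCE_THRESHOLD = 0.99        # one class on more than 99% of pixels: reject
MIN_MEAN_CONFIDENCE = 0.4
UNIFORM_EPS = 0.05                # top probability within eps of 1/k counts as uniform


def _mean_abs_gradient(tile: Tile) -> float:
    """Mean |difference| between horizontally and vertically adjacent finite pixels."""
    total, count = 0.0, 0
    rows, cols = len(tile), len(tile[0])
    for r in range(rows):
        for c in range(cols):
            v = tile[r][c]
            if not math.isfinite(v):
                continue
            for nr, nc in ((r, c + 1), (r + 1, c)):
                if nr < rows and nc < cols and math.isfinite(tile[nr][nc]):
                    total += abs(v - tile[nr][nc])
                    count += 1
    return total / count if count else 0.0


def check_input(tile: Tile) -> Dict[str, object]:
    """Statistical checks on a tile before it reaches the model."""
    values = [v for row in tile for v in row]
    finite = [v for v in values if math.isfinite(v)]
    flags: List[str] = []
    if len(finite) < len(values):
        flags.append("non_finite_pixels")
    out_of_range = sum(1 for v in finite if v < PIXEL_MIN or v > PIXEL_MAX)
    if out_of_range / len(values) > MAX_OUT_OF_RANGE_FRACTION:
        flags.append("out_of_range_pixels")
    std = statistics.pstdev(finite) if len(finite) > 1 else 0.0
    if std < MIN_STD:
        flags.append("suspicious_uniformity")
    grad = _mean_abs_gradient(tile)
    if grad > MAX_MEAN_GRADIENT:
        flags.append("gradient_spike")
    return {"ok": not flags, "flags": flags,
            "stats": {"std": std, "mean_gradient": grad, "out_of_range": out_of_range}}


def check_output(probs: Probs) -> Dict[str, object]:
    """Checks on the per-pixel class probability vectors returned by the model."""
    n, k = len(probs), len(probs[0])
    flags: List[str] = []
    dominant_class, dominant_count = Counter(p.index(max(p)) for p in probs).most_common(1)[0]
    dominance = dominant_count / n
    if dominance > DOMINANCE_THRESHOLD:
        flags.append("single_class_dominance")
    mean_conf = sum(max(p) for p in probs) / n
    if mean_conf < MIN_MEAN_CONFIDENCE:
        flags.append("low_confidence")
    uniform_frac = sum(1 for p in probs if max(p) - 1.0 / k < UNIFORM_EPS) / n
    if uniform_frac > 0.5:
        flags.append("uniform_probabilities")
    return {"ok": not flags, "flags": flags,
            "stats": {"dominant_class": dominant_class, "dominance": dominance,
                      "mean_confidence": mean_conf, "uniform_fraction": uniform_frac}}


class PipelineGuard:
    """Wraps a model callable: input checks before inference, output checks after."""

    def __init__(self, model: Callable[[Tile], Probs]) -> None:
        self.model = model

    def run(self, tile: Tile) -> Dict[str, object]:
        inp = check_input(tile)
        if not inp["ok"]:
            return {"prediction": None, "rejected": True,
                    "security": {"input": inp, "output": None}}
        probs = self.model(tile)
        out = check_output(probs)
        # Dominance is a hard reject; the other output flags travel to the caller as warnings.
        rejected = "single_class_dominance" in out["flags"]
        return {"prediction": None if rejected else probs, "rejected": rejected,
                "security": {"input": inp, "output": out}}


# Constructed sample tiles and toy models standing in for real imagery and the real network.
def ramp_tile(n: int = 8) -> Tile:   # benign: a smooth diagonal ramp from 0 to 1
    return [[(r + c) / (2 * (n - 1)) for c in range(n)] for r in range(n)]

def checkerboard_tile(n: int = 8) -> Tile:   # noise-like: alternating 0/1, large gradient everywhere
    return [[float((r + c) % 2) for c in range(n)] for r in range(n)]

def threshold_model(tile: Tile) -> Probs:   # toy two-class model: class 1 where pixel > 0.5
    return [[0.1, 0.9] if v > 0.5 else [0.9, 0.1] for row in tile for v in row]

def collapsed_model(tile: Tile) -> Probs:   # toy model that always answers class 0
    return [[0.95, 0.05] for row in tile for _ in row]
```

`PipelineGuard(threshold_model).run(ramp_tile())` returns the prediction with `rejected` False and empty flag lists; the same guard on `checkerboard_tile()` stops before inference with `gradient_spike` in the input flags, and `PipelineGuard(collapsed_model)` returns `rejected` True with `single_class_dominance` in the output flags. Keeping the whole `security` dict in the response, rather than just a boolean, is what lets the API layer decide which flags are warnings and which are errors without re-running the statistics.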

obielin (Collaborator) left a comment

Heavier overlap with my security/ territory than I'd like, but the implementation is solid — the OWASP scanner script is genuinely useful and the api_security middleware covers the input-sanitisation gap I had on my sprint backlog. I'm happy to inherit ownership going forward and layer my pipeline_guard adversarial-detection work on top in a follow-up.

Approving — let's merge and split future security work explicitly: input/middleware stays in your lane, ML-adversarial / model governance stays in mine.

Goldokpa marked this pull request as ready for review May 5, 2026 22:47
Goldokpa self-requested a review as a code owner May 5, 2026 22:47
Goldokpa merged commit eb640e2 into develop May 5, 2026