Skip to content

v0.1.6

Choose a tag to compare

View all tags
@ashimov ashimov released this 16 May 06:31
· 13 commits to main since this release
v0.1.6
2131008

Security audit release

Full security audit (Bandit + Semgrep + pip-audit + Gitleaks + CodeQL), STRIDE threat-model per subsystem, OWASP API Top 10 compliance map, and fixes for 3 HIGH and 2 MEDIUM findings.

Security

  • [HIGH · CWE-290] flags identity headers no longer trusted. get_flags previously lifted X-User-Id / X-Tenant-Id straight into the targeting context — any attacker could claim any user/tenant. Both fields are now always None on the default context.
  • [HIGH · CWE-352] GraphQL mutations no longer sneak through GET. Multi-operation documents with ?operationName=B could bypass the first-token check. The handler now parses every operation and rejects GET for any non-query.
  • [HIGH · CWE-770] GraphQL depth + timeout limits. make_graphql_handler accepts max_depth=15 and timeout_s=30.0 by default. Wraps executor in asyncio.wait_for.
  • [MEDIUM · CWE-200] GraphiQL UI now opt-in (graphiql=False default).
  • [MEDIUM] gRPC default concurrent-RPC cap of 1000 via new maximum_concurrent_rpcs kwarg.

Added

  • SECURITY.md (responsible disclosure)
  • docs/security/threat-model.md (STRIDE per subsystem)
  • docs/security/code-review-2026-05-16.md (focused review)
  • docs/security/owasp-api-top10-2023.md (compliance map)
  • .github/workflows/security.yml (5 scanners on every push/PR + weekly)
  • .github/dependabot.yml (weekly pip + actions updates)

Full changelog: https://github.com/ashimov/HawkAPI/blob/v0.1.6/CHANGELOG.md

Assets 3
Loading