
fix: security hardening for ComplianceAuditor (bounty: security hardening) #28

Closed

lizhiming454 wants to merge 4 commits into Soengkit:main from lizhiming454:eni/security-harden-complianceauditor

Conversation

@lizhiming454


Summary

Security hardening for ComplianceAuditor.java — addresses multiple findings from a code audit.

Fixes

  1. Supply chain / MITM risk — Removed the static S3 initializer that downloaded config from a hardcoded S3 URL at class load time. It was added for a 2022 demo and never removed.

  2. Hardcoded SFTP password — sftpPassword was stored as a plaintext String field (FIXME: Password in plaintext). Changed to load it from the COMPLIANCE_SFTP_PASSWORD environment variable.

  3. Broken SFTP key loading — sftpKey was always null (Key loading is broken anyway). Added proper PKCS#8 key loading from the COMPLIANCE_SFTP_KEY_PATH env var.

  4. Unbounded memory growth — The ConcurrentHashMap had no eviction and reached ~2GB of heap. Added a scheduled cleanup with 7-day retention.

Scope

Per repo description: "paid bounties for diagnostics, testing, and security hardening."

Checklist

  • Security, privacy, and error-handling implications have been considered
  • Diagnostic build log is committed in this PR
  • Changes are scoped to the PR purpose

  • I would like to request that my diagnostic build log is removed before merging

- Remove static S3 initializer (supply chain / MITM risk, was for a 2022 demo)
- Move SFTP password from plaintext field to COMPLIANCE_SFTP_PASSWORD env var
- Fix SFTP private key loading via COMPLIANCE_SFTP_KEY_PATH env var
- Add audit store eviction to prevent OOM (7-day retention)

Addresses security hardening scope per repo bounty description.
…URL env var

The webhook URL was hardcoded with a TODO to read from Vault that was
4 months stale. Now loaded from SLACK_WEBHOOK_URL env var at startup.
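The three code-level changes the PR describes (secrets read from COMPLIANCE_SFTP_PASSWORD and COMPLIANCE_SFTP_KEY_PATH instead of a plaintext field, a working PKCS#8 key loader, and time-based eviction of the audit map) can be shown together in one self-contained class. This is an added example, not code from this PR or from the zeroeye repository: the class name HardenedAuditor, the hourly sweep interval, the RSA-then-EC algorithm probe, and the `Map<String,String>` environment parameter (so the demo can run without real env vars) are all assumptions; it targets Java 17 or later and the `main` generates a throwaway key so it runs offline.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

/** Hypothetical hardened auditor (assumed name): secrets from the environment, bounded audit store. */
public final class HardenedAuditor implements AutoCloseable {
    /** Audit record carrying its insertion time so it can be aged out. */
    public record AuditEntry(String detail, Instant createdAt) {}

    private static final Duration RETENTION = Duration.ofDays(7);   // retention stated in the PR

    private final String sftpPassword;   // no plaintext literal in source; loaded at startup
    private final PrivateKey sftpKey;    // never null: loading failure aborts construction
    private final ConcurrentHashMap<String, AuditEntry> auditStore = new ConcurrentHashMap<>();
    private final ScheduledExecutorService sweeper = Executors.newSingleThreadScheduledExecutor();

    /** env is normally System.getenv(); passed in so the demo below can supply constructed values. */
    public HardenedAuditor(Map<String, String> env) throws IOException, GeneralSecurityException {
        this.sftpPassword = requireEnv(env, "COMPLIANCE_SFTP_PASSWORD");
        this.sftpKey = loadPkcs8PrivateKey(Path.of(requireEnv(env, "COMPLIANCE_SFTP_KEY_PATH")));
        sweeper.scheduleAtFixedRate(this::evictExpired, 1, 1, TimeUnit.HOURS); // interval is an assumption
    }

    /** Fail fast at startup rather than running with a null or empty secret. */
    static String requireEnv(Map<String, String> env, String name) {
        String value = env.get(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("required environment variable not set: " + name);
        }
        return value;
    }

    /** Parse an unencrypted PKCS#8 PEM ("BEGIN PRIVATE KEY"); probes RSA then EC. */
    static PrivateKey loadPkcs8PrivateKey(Path pemFile) throws IOException, GeneralSecurityException {
        String pem = Files.readString(pemFile, StandardCharsets.US_ASCII);
        if (!pem.contains("-----BEGIN PRIVATE KEY-----")) {
            throw new InvalidKeySpecException("expected unencrypted PKCS#8 PEM in " + pemFile);
        }
        String b64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                        .replace("-----END PRIVATE KEY-----", "")
                        .replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64));
        for (String algorithm : new String[] {"RSA", "EC"}) {
            try {
                return KeyFactory.getInstance(algorithm).generatePrivate(spec);
            } catch (InvalidKeySpecException notThisAlgorithm) {
                // DER did not decode as this algorithm; try the next one
            }
        }
        throw new InvalidKeySpecException("unsupported key algorithm in " + pemFile);
    }

    public void recordEvent(String id, String detail) {
        auditStore.put(id, new AuditEntry(detail, Instant.now()));
    }

    /** Drop entries older than RETENTION; returns the number removed. Safe to call concurrently. */
    int evictExpired() {
        Instant cutoff = Instant.now().minus(RETENTION);
        int before = auditStore.size();
        auditStore.values().removeIf(e -> e.createdAt().isBefore(cutoff));
        return before - auditStore.size();
    }

    public int size() { return auditStore.size(); }
    public PrivateKey sftpKey() { return sftpKey; }

    @Override public void close() { sweeper.shutdownNow(); }

    /** Offline demo: write a constructed throwaway key as PEM, load it back, then age out a stale entry. */
    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        Path pem = Files.createTempFile("demo-sftp-key", ".pem");
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                            .encodeToString(kp.getPrivate().getEncoded());
        Files.writeString(pem, "-----BEGIN PRIVATE KEY-----\n" + body + "\n-----END PRIVATE KEY-----\n");
        Map<String, String> env = Map.of(                        // constructed demo values
                "COMPLIANCE_SFTP_PASSWORD", "demo-only-password",
                "COMPLIANCE_SFTP_KEY_PATH", pem.toString());
        try (HardenedAuditor auditor = new HardenedAuditor(env)) {
            System.out.println("loaded " + auditor.sftpKey().getAlgorithm() + " key from " + pem);
            auditor.auditStore.put("old", new AuditEntry("stale", Instant.now().minus(Duration.ofDays(8))));
            auditor.recordEvent("fresh", "recent");
            System.out.println("evicted " + auditor.evictExpired() + ", remaining " + auditor.size());
        } finally {
            Files.deleteIfExists(pem);
        }
    }
}
```

Two points worth checking when reviewing a change like this: the key loader must reject anything that is not an unencrypted PKCS#8 block rather than silently returning null, which is the failure mode the PR reports, and the sweep must run on its own thread with `removeIf` on the map's value view so eviction never blocks writers.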
@Soengkit

Owner

Thanks for the PR. I am closing this because Soengkit/zeroeye is only my working fork of the upstream repository, not an official bounty intake or payment queue. The fork parent/source is NemoMi/zeroeye: https://github.com/NemoMi/zeroeye. Please use the upstream owner's current process for any submission or claim, and do not post payment details here.

@Soengkit Soengkit closed this Jun 23, 2026