CRITICAL:
- A-001: SQL injection in snapshot — escape single quotes in backup path
- A-002: Timing attack — always verify against dummy hash when user not
found, preventing username enumeration
- A-003: Notebook ownership — all authenticated endpoints now verify
user_id before loading notebook data
- A-004: Point data bounds — decodePoints returns error on misaligned
data, >4MB payloads, and NaN/Inf values
HIGH:
- A-005: Error messages — generic errors in HTTP responses, no err.Error()
- A-006: Share link authz — RevokeShareLink verifies notebook ownership
- A-007: Scan errors — return 500 instead of silently continuing
MEDIUM:
- A-008: Web server TLS — optional TLS support (HTTPS when configured)
- A-009: Input validation — page_size, stroke count, point_data alignment
checked in SyncNotebook RPC
- A-010: Graceful shutdown — 30s drain on SIGINT/SIGTERM, all servers
shut down properly
Added AUDIT.md with all 17 findings, status, and rationale for
accepted risks.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Kyle Isom
ea9375b6ae